Change BUILTIN\Administrators from sysadmin to public

  • Question

  • Hi, 

    I have a task to delete or decrease the permissions of BUILTIN\Administrators in SQL Server 2016 (as best practices say). In this group there are local users, the local machine and a backup user.

    I want to create Windows logins instead of this login, with proper minimal permissions to SQL Server.

    What is the minimum that the local machine needs to run SQL Server properly?

    Should I delete the BUILTIN\Administrators login from SQL Server or set it to server role public only?

    Thanks, 

    Thursday, September 19, 2019 10:14 AM

All replies

  • Please read this article

    https://www.mssqltips.com/sqlservertip/1017/security-issues-with-the-sql-server-builtin-administrators-group/

    Best Regards, Uri Dimant, SQL Server MVP, http://sqlblog.com/blogs/uri_dimant/


    Thursday, September 19, 2019 10:31 AM

  • What is the minimum that the local machine needs to run SQL Server properly?

    Just create a domain account and use SQL Server Configuration Manager to start the SQL Server service with this created account. SSCM will by itself give the minimum permissions required to run the SQL Server service.

    Should I delete the BUILTIN\Administrators login from SQL Server or set it to server role public only?

    I am not sure you can go ahead and just delete it; you must make sure something is not using it, as some TP tools use it. Refer to the document below.

    Appendix D: Securing Built-In Administrator Accounts in Active Directory


    Cheers,

    Shashank


    MVP

    Thursday, September 19, 2019 11:13 AM
  • Should I delete the BUILTIN\Administrators login from SQL Server or set it to server role public only?

    BUILTIN\Administrators is not added by default when you install SQL Server, starting from SQL 2008. So normally it should not be there, unless this is an instance that originally was SQL 2005.

    Whatever, it should be safe to remove this login from SQL Server, although I don't know what local dependencies you may have.

    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

    Thursday, September 19, 2019 9:49 PM
  • Hi ALdo1982,

    >>What is the minimum that the local machine needs to run SQL Server properly?

    Server role public has the minimum permission.

    >>Should I delete the BUILTIN\Administrators login from SQL Server or set it to server role public only?

    As Erland Sommarskog mentioned, BUILTIN\Administrators is not added by default when you install SQL Server, starting from SQL Server 2008.

    So, you could delete the account from Security—Logins.

    Hope those could help you.

    Best Regards,

    Amelia Gu



    Friday, September 20, 2019 6:45 AM
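
The checks the replies above call for before demoting or deleting the login, as an added T-SQL example that is not part of any reply in this thread. `CONTOSO\SqlAdmins` is a placeholder for your own Windows DBA group, and making it a sysadmin is an assumption about what that group needs; the `DROP LOGIN` is left commented out until dependencies are confirmed.

```sql
-- Added example: review BUILTIN\Administrators before demoting or dropping it.
-- [CONTOSO\SqlAdmins] is a placeholder Windows group, not a name from the thread.
SET NOCOUNT ON;

-- 1. Is the login present, and which fixed server roles does it hold?
SELECT p.name AS login_name, p.is_disabled, r.name AS server_role
FROM sys.server_principals AS p
LEFT JOIN sys.server_role_members AS m ON m.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
WHERE p.name = N'BUILTIN\Administrators';

-- 2. Which Windows accounts reach SQL Server through the group? These are the
--    users, tools and backup accounts that may need their own logins.
IF SUSER_ID(N'BUILTIN\Administrators') IS NOT NULL
    EXEC master.dbo.xp_logininfo @acctname = N'BUILTIN\Administrators',
                                 @option = 'members';

-- 3. Create the replacement login before touching the group.
IF SUSER_ID(N'CONTOSO\SqlAdmins') IS NULL
    CREATE LOGIN [CONTOSO\SqlAdmins] FROM WINDOWS;
IF IS_SRVROLEMEMBER('sysadmin', N'CONTOSO\SqlAdmins') = 0
    ALTER SERVER ROLE [sysadmin] ADD MEMBER [CONTOSO\SqlAdmins];

-- 4. Lock-out guard: count enabled sysadmins other than the group, ignoring
--    service accounts that nobody logs in with interactively.
DECLARE @other_admins int =
   (SELECT COUNT(*)
    FROM sys.server_role_members AS m
    JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
    JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
    WHERE r.name = N'sysadmin'
      AND p.is_disabled = 0
      AND p.name <> N'BUILTIN\Administrators'
      AND p.name NOT LIKE N'NT SERVICE\%'
      AND p.name NOT LIKE N'NT AUTHORITY\%');

IF @other_admins = 0
    RAISERROR(N'No other usable sysadmin login; not changing BUILTIN\Administrators.', 16, 1);
ELSE IF IS_SRVROLEMEMBER('sysadmin', N'BUILTIN\Administrators') = 1
    -- 5. Demote: the login stays, but holds only the public server role.
    ALTER SERVER ROLE [sysadmin] DROP MEMBER [BUILTIN\Administrators];

-- 6. Remove the login entirely once nothing from step 2 still depends on it.
-- DROP LOGIN [BUILTIN\Administrators];
```

Log in through the replacement group in a second session and confirm sysadmin access before closing the session that ran step 5.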