locked
Managing Default SQL Server logins RRS feed

  • Question

  • Hi,

    When I query the sys.server_principals system table, it shows to me lots of built-in accounts that are not used in my environment. See attached. My audit policy requires that these accounts to be deleted. Question is, what is the implication of deleting these accounts? If I were to perform future updates, will there be any negative effects?

    Thanks

    • Moved by Olaf HelperMVP Wednesday, December 11, 2013 9:55 AM Moved from "SQL Database Engine" to a more related forum
    Wednesday, December 11, 2013 9:30 AM

Answers

  • As per me it is not Advisable to delete these accounts as if deleted than you wouldn't The able to re-create them. he SIDs of the old and new accounts wouldn't match, and the permissions and privileges of these accounts would be lost. Because of this, Windows NT doesn't let you delete built-in accounts.
    Please refer to below link:
    Clearly mentioned Server principals with names enclosed by double hash marks (##) are for internal system use only.

    The following principals are created from certificates when SQL Server is installed, and should not be deleted.
    http://technet.microsoft.com/en-us/library/ms181127.aspx
    http://technet.microsoft.com/en-us/library/cc722455.aspx

    --------------------------------------------------------------------------------
    Please click the Mark as answer button and vote as helpful if this reply solves your problem

    • Edited by Neha Mahajan DBA Wednesday, December 11, 2013 9:49 AM
    • Proposed as answer by Fanny Liu Thursday, December 12, 2013 5:25 AM
    • Marked as answer by Fanny Liu Thursday, December 19, 2013 12:08 PM
    Wednesday, December 11, 2013 9:48 AM
  • As said: it is not advisable to delete them.

    You should note, that most of them are also Disabled by default, so nobody can log into the system using those.


    Andreas Wolter | Microsoft Certified Master SQL Server

    Blog: www.insidesql.org/blogs/andreaswolter
    Web: www.andreas-wolter.com | www.SarpedonQualityLab.com

    • Proposed as answer by Fanny Liu Thursday, December 12, 2013 5:25 AM
    • Marked as answer by Fanny Liu Thursday, December 19, 2013 12:08 PM
    Wednesday, December 11, 2013 1:23 PM
  • You should note, that most of them are also Disabled by default, so nobody can log into the system using those.

    In addition to this: the first six are logins created from certificates, and you canno log in as these. And you should not remove them, unless you perfectly understands which features that break and you know that you will never use them.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    • Proposed as answer by Fanny Liu Thursday, December 12, 2013 5:25 AM
    • Marked as answer by Fanny Liu Thursday, December 19, 2013 12:08 PM
    Wednesday, December 11, 2013 10:17 PM

All replies

  • As per me it is not Advisable to delete these accounts as if deleted than you wouldn't The able to re-create them. he SIDs of the old and new accounts wouldn't match, and the permissions and privileges of these accounts would be lost. Because of this, Windows NT doesn't let you delete built-in accounts.
    Please refer to below link:
    Clearly mentioned Server principals with names enclosed by double hash marks (##) are for internal system use only.

    The following principals are created from certificates when SQL Server is installed, and should not be deleted.
    http://technet.microsoft.com/en-us/library/ms181127.aspx
    http://technet.microsoft.com/en-us/library/cc722455.aspx

    --------------------------------------------------------------------------------
    Please click the Mark as answer button and vote as helpful if this reply solves your problem

    • Edited by Neha Mahajan DBA Wednesday, December 11, 2013 9:49 AM
    • Proposed as answer by Fanny Liu Thursday, December 12, 2013 5:25 AM
    • Marked as answer by Fanny Liu Thursday, December 19, 2013 12:08 PM
    Wednesday, December 11, 2013 9:48 AM
  • As said: it is not advisable to delete them.

    You should note, that most of them are also Disabled by default, so nobody can log into the system using those.


    Andreas Wolter | Microsoft Certified Master SQL Server

    Blog: www.insidesql.org/blogs/andreaswolter
    Web: www.andreas-wolter.com | www.SarpedonQualityLab.com

    • Proposed as answer by Fanny Liu Thursday, December 12, 2013 5:25 AM
    • Marked as answer by Fanny Liu Thursday, December 19, 2013 12:08 PM
    Wednesday, December 11, 2013 1:23 PM
  • You should note, that most of them are also Disabled by default, so nobody can log into the system using those.

    In addition to this: the first six are logins created from certificates, and you canno log in as these. And you should not remove them, unless you perfectly understands which features that break and you know that you will never use them.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    • Proposed as answer by Fanny Liu Thursday, December 12, 2013 5:25 AM
    • Marked as answer by Fanny Liu Thursday, December 19, 2013 12:08 PM
    Wednesday, December 11, 2013 10:17 PM