remove an account from having permissions to my db files

  • Question

  • On each of my db files (.mdf, .ndf, .ldf), three accounts have these explicit permissions:
    Local Administrators group - Full - not inherited
    sqlsvc - Full - not inherited (the account that the SQL service runs under)
    Domain\DI Services - Full - not inherited (this is a domain group, used for Data Integrations)

    I didn't set up this server. I have been tasked with locking everything down. Every time a new DB is created these permissions are assigned. I cannot figure out how to stop DI Services from getting rights to the files. I know I can just prevent them from getting to the files. That's not the issue. It bothers me that I can't figure it out. Where does the ACL come from? I want to know how it works, how it got set up that way in the first place.

    Any pointers, tips, or answers would be appreciated!
    Thursday, August 6, 2009 8:44 PM

All replies

  • You have to track back up the directory structure. It is getting those permissions because at a higher level in the folder structure, that group has been granted permissions.

    Mike Hotek BlowFrog Software, Inc. http://www.BlowFrogSoftware.com Affordable database tools for SQL Server professionals
    Monday, August 10, 2009 12:51 PM
  • I wish it were that easy. The account permissions are "not inherited", as I can see in Security | Advanced, which means they were assigned directly to those files. Further, the files are created with "Allow inheritable permissions..." turned off, so they cannot get anything from the directory structure. Just for kicks, I did check each level up, including the root of the drive where those db files are located, and none have "DI Services", as expected. I guess I'm treading down a road that I shouldn't, but curiosity is driving me crazy on this.
    Monday, August 10, 2009 2:06 PM
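The manual check described in the last reply (explicit ACEs on each data file, then each folder up to the drive root) can be scripted so it is repeatable after every new database is created. This is an added example, not code from the thread; the data root path and the group name are placeholders to be replaced with your own values.

```powershell
# Added example (not from the thread): report explicit, non-inherited ACEs on SQL Server
# data files, then walk from the data folder up to the drive root looking for one identity.
# Assumptions: data files live under $DataRoot; $Identity is a placeholder group name.
param(
    [string]$DataRoot = 'D:\SQLData',           # assumed path, adjust to your instance
    [string]$Identity = 'DOMAIN\DI Services'    # placeholder for the group being traced
)

# 1. For every .mdf/.ndf/.ldf: is inheritance disabled, and which ACEs are explicit?
Get-ChildItem -Path $DataRoot -Recurse -Include *.mdf,*.ndf,*.ldf -File |
    ForEach-Object {
        $file = $_
        $acl  = Get-Acl -Path $file.FullName
        $explicit = $acl.Access |
            Where-Object { -not $_.IsInherited } |
            ForEach-Object { '{0}:{1}' -f $_.IdentityReference, $_.FileSystemRights }
        [pscustomobject]@{
            File                = $file.FullName
            InheritanceDisabled = $acl.AreAccessRulesProtected   # true = "Allow inheritable permissions" off
            ExplicitAces        = $explicit -join '; '
        }
    } | Format-Table -AutoSize -Wrap

# 2. Walk up the folder chain and print any ACE granted to $Identity at each level.
#    A file whose ACL is protected (step 1) cannot receive anything from these folders,
#    so a hit here explains inherited ACEs only, not explicit ones.
$dir = Get-Item -Path $DataRoot
while ($null -ne $dir) {
    $hits = (Get-Acl -Path $dir.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
    foreach ($h in $hits) {
        '{0}: {1} {2} (inherited={3})' -f $dir.FullName, $h.AccessControlType, $h.FileSystemRights, $h.IsInherited
    }
    $dir = $dir.Parent   # becomes $null once the drive root has been checked
}
```

Run it as an account that can read the ACLs; if step 1 shows the group as explicit and step 2 finds nothing, the ACE was written directly to the file at creation rather than inherited.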