SQL Admin Group

  • Question

  • We have a SQL ADMIN Group (SAG). This group is part of a DOMAIN ADMIN group (DAG). We would like to remove SAG from the DAG. 

    Would there be any possible impact on this or would it break anything?

    TIA

    Wednesday, April 3, 2019 6:16 PM

Answers

  • Keep SA password and one Windows login, so there will problem to login in server.

    Keep local admin and who having sys admin in mssql for better access.

    You can remove SAG from Domain group.


    https://social.technet.microsoft.com/wiki/contents/articles/37872.sql-server-installation-on-centos-linux.aspx

    • Proposed as answer by Puzzle_Chen Monday, April 8, 2019 1:40 AM
    • Marked as answer by ARPRINCE Wednesday, April 10, 2019 1:57 PM
    Thursday, April 4, 2019 7:05 AM
  • We are not deleting the SAG. We just want to remove the SAG from the DAG in Active Directory.

    On the SQL Server, I see both the SQL Admins and Domain Admins under Logins. Both have sysadmin as a server role.

    Do we need SQL Admins to be Domain Admins?

    Hi,

    A SQL SysAdmin never needs to be a Domain Admin.

    Take a look:

    https://en.wikipedia.org/wiki/Principle_of_least_privilege

    https://en.wikipedia.org/wiki/Separation_of_duties

    Kind regards,

    Andreas

    • Proposed as answer by Puzzle_Chen Monday, April 8, 2019 1:40 AM
    • Marked as answer by ARPRINCE Wednesday, April 10, 2019 1:57 PM
    Thursday, April 4, 2019 7:34 AM
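
A pre-change check for the removal discussed in these answers, added here as an example and not posted by anyone in the thread: it confirms that the SQL Admins group login holds sysadmin directly, rather than only through Domain Admins, and that the sa fallback is usable. The group name `CONTOSO\SQL Admins` is a placeholder; substitute your own.

```sql
-- Added example (T-SQL). Run on the instance as a sysadmin BEFORE changing
-- group membership in Active Directory. The group name is a placeholder.
DECLARE @sag sysname = N'CONTOSO\SQL Admins';

-- 1. Every login that currently holds the sysadmin server role.
--    Expect to see both the SQL Admins group and Domain Admins here.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.type_desc, p.name;

-- 2. Does the SQL Admins group have its own enabled login in sysadmin?
--    If not, its members reach sysadmin only via Domain Admins and would
--    lose access once the nesting is removed.
SELECT CASE WHEN EXISTS (
           SELECT 1
           FROM sys.server_role_members AS rm
           JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals  AS p ON p.principal_id = rm.member_principal_id
           WHERE r.name = N'sysadmin'
             AND p.name = @sag
             AND p.type = 'G'          -- Windows group login
             AND p.is_disabled = 0)
       THEN 'OK: group is sysadmin in its own right'
       ELSE 'STOP: grant the group its own sysadmin login first'
       END AS sag_direct_sysadmin;

-- 3. Who is in the group, as SQL Server resolves it from the domain.
EXEC xp_logininfo @acctname = @sag, @option = 'members';

-- 4. Fallback access: sa only helps if it is enabled and the instance
--    accepts SQL logins (IsIntegratedSecurityOnly = 0 means mixed mode).
SELECT l.name, l.is_disabled,
       SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only
FROM sys.sql_logins AS l
WHERE l.sid = 0x01;                    -- sa, even if it has been renamed
```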

All replies

  • Do you have SA password and local admin group?

    What SQL, standalone or cluster?


    https://social.technet.microsoft.com/wiki/contents/articles/37872.sql-server-installation-on-centos-linux.aspx

    Wednesday, April 3, 2019 6:27 PM
  • Hi ARPRINCE,

    Please check if there are database users which the SQL ADMIN Group mapped to. You will see the following message in SSMS when deleting the group. 

    You will have to carefully consider the advice in the warning that says you need to transfer ownership of schemas to new users.


    Best Regards,
    Puzzle
    MSDN Community Support

    Thursday, April 4, 2019 1:48 AM
    • Yes on SA. Not sure with the LAG.
    • Stand alone.

    Thursday, April 4, 2019 3:04 AM
  • We are not deleting the SAG. We just want to remove the SAG from the DAG in Active Directory.

    On the SQL Server, I see both the SQL Admins and Domain Admins under Logins. Both have sysadmin as a server role.

    Do we need SQL Admins to be Domain Admins?

    Thursday, April 4, 2019 3:24 AM