INF: How to Remove the Default Mapping of Windows NT Administrators to SQL Server SA

• Microsoft SQL Server version 6.5

SUMMARY

In some situations, access control policies may stipulate that the Windows NT Administrator(s) should not be given system administrator (SA) access to SQL Server. A default installation of SQL Server permits members of the local Administrators group to be allowed trusted connections as SA. This article explains how to disallow such connections when necessary.

NOTE: It is not possible to absolutely prevent a Windows NT Administrator from obtaining SA access to SQL Server because the Windows NT Administrator can always add any account to any group, as well as modify registry entries or permissions.

MORE INFORMATION

To prevent local Administrators from receiving trusted connections, perform the following steps:

1. Create a group that is to be given SA login rights. Add the account(s) used by SQL Server and SQL Executive to this group, along with any user accounts that require SA access.



2. Ensure that the account(s) used by SQL Server and SQL Executive are also members of the local Windows NT Administrators group. It is necessary that the SQL Server and SQL Executive accounts have Windows NT Administrator and SA level privileges. Failure to ensure that these accounts have the proper permissions may prevent SQL Server from functioning properly.



3. Using SQL Security Manager, grant SA login permissions to the appropriate group and revoke SA login permissions for the local Administrators group.



4. As with any change in group or permission status, it may be necessary to have the affected accounts log out and log back in to have the changes take effect. In the case of SQL Server, this would require cycling the service.

Additional query words: right priviledge priviledges admin admins

Keywords          : SSrvAdmin SSrvSQL_Admin 
Version           : winnt:6.5
Platform          : winnt 
Issue type        : kbhowto kbinfo 

Last Reviewed: March 19, 1999