| Author |
Messages |
|
Dave Davolt
 |
| 03/18/2002 11:29 AM |
|
| I read several articles on SQL Security. All recommended removing BuiltIn\Administrators from the SysAdmin group. I decided, since we have about 20 people in that group, and none of them need SysAdmin access to a particular server, to not just remove them from the SysAdmin Group, but delete the BuiltIn\Administrators login altogether.
I have a few sql logins in the sysadmin group, and a few NT logins in the sysadmin group, so I wasn't concerned with locking myself out.
When I restarted SQL, an error I hadn't seen before appeared:
ccserver, 650, error, Error Message from SQL-Server: Login failed for user 'NT AUTHORITY\System'.
ccserver, 650, error, DB-LIBRARY Error: Login incorrect.
The logins were generated by a third party app that logs to a db. That's where the ccserver comes from.
No big deal, I thought. Everything (jobs, SPs, Web Stuff) was still working. I contacted the software mfg.; they removed BI\Admin without getting the error I did.
Next day, I needed to add a new NT Login. Wouldn't work. EM says bad domain or user name. Strange. I personally added the user to the domain, and verified it worked by logging into domain with that user name. I then added a current domain user to the security list and gave it access to appropriate db for the person to use temporarily.
I figured this had something to do with removing BI\Admin.
So, a few days later, on another SQL server I removed the same group from, I tried to add the new domain user login. Same error:
Window Name: Microsoft SQL-DMO (ODBC SQLState: 42000)
Window content: Error 15401: Windows NT user or group 'Domain\username' not found. Check name again.
I then restored the BuiltIn\Administrators group to the Security login, and made them members of SysAdmin Group. Then restarted SQL, and was able to SUCCESSFULLY add the new user name I was unable to add before.
QUESTION: What happened?
I was/am member of NT Administrators/Domain Admins, and member of SysAdmin on server.
|
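One way to order the removal described in the first post, as an added example that is not part of the thread: it confirms another sysadmin login exists, gives the local system account its own login, and only then drops the group. It assumes the failed 'NT AUTHORITY\System' login came from a service running as the local system account that had been getting in through BUILTIN\Administrators, and it uses SQL Server 2000-era system procedures and the `syslogins` view.

```sql
-- Added example, not from the thread. Run as a sysadmin.
USE master
GO

-- 1. Review every login that holds sysadmin today, so it is clear who
--    keeps administrative access once the group is gone.
SELECT name, isntname, isntgroup, denylogin
FROM   master.dbo.syslogins
WHERE  sysadmin = 1
ORDER  BY name
GO

-- 2. Stop unless a usable sysadmin login exists besides sa, the group
--    being removed, and the system account added in step 3.
DECLARE @others int
SELECT @others = COUNT(*)
FROM   master.dbo.syslogins
WHERE  sysadmin = 1
  AND  denylogin = 0
  AND  name NOT IN ('sa', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

IF @others = 0
BEGIN
    RAISERROR ('No other sysadmin login found; BUILTIN\Administrators left in place.', 16, 1)
    RETURN  -- ends this batch, so steps 3 and 4 do not run
END

-- 3. Give the local system account its own login before the group goes.
--    sysadmin is an assumption that mirrors what the account had through
--    the group; narrow it if the service only needs database-level access.
IF NOT EXISTS (SELECT * FROM master.dbo.syslogins
               WHERE name = 'NT AUTHORITY\SYSTEM')
    EXEC sp_grantlogin 'NT AUTHORITY\SYSTEM'
IF NOT EXISTS (SELECT * FROM master.dbo.syslogins
               WHERE name = 'NT AUTHORITY\SYSTEM' AND sysadmin = 1)
    EXEC sp_addsrvrolemember 'NT AUTHORITY\SYSTEM', 'sysadmin'

-- 4. Take the group out of sysadmin, then remove its login.
IF EXISTS (SELECT * FROM master.dbo.syslogins
           WHERE name = 'BUILTIN\Administrators')
BEGIN
    EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin'
    EXEC sp_revokelogin 'BUILTIN\Administrators'
END
GO
```

Rerun the query from step 1 afterwards and test a login with one of the remaining sysadmin accounts before restarting the service.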
|
|
|
|
Dave Davolt
 |
| 03/19/2002 4:10 PM |
|
| Resolved. Needed to sync BDC and PDC.
See thread at www.sqlpass.org
http://www.sqlpass.org/forums/messageview.cfm?catid=359&threadid=12058 |
|
|
|
|
Chip Andrews
 |
| 03/19/2002 8:10 PM |
|
| Good thing you found it - I was having a heck of a time trying to duplicate the issue. Everything was working fine for me. Isn't that always the way?
You did the right thing - always check the web and newsgroups (groups.google.com) for other people with the same issue. It's a big planet - you can't be the only one with this problem. If so - bask in your uniqueness... |
|
|
|
|
Zvika (guest)
 |
| 09/20/2008 4:07 AM |
|
Hi, I did remove the builtin\administrators but I forgot the sa password. How can I return the builtin\administrators back in order to reset the sa password? Thanks, Zvika |
|
|
|
|
Chip Andrews Posts:113
 |
| 09/21/2008 6:17 PM |
|
http://support.microsoft.com/kb/932881
"Also, if SQL Server 2005 is started in single-user mode, any user who has membership in the BUILTIN\Administrators group can connect to SQL Server 2005 as a SQL Server administrator. The user can connect regardless of whether the BUILTIN\Administrators group has been granted a server login that is provisioned in the SYSADMIN fixed server role. This behavior is by design. This behavior is intended to be used for data recovery scenarios." |
|
|
|
|
Claudio (guest)
 |
| 10/23/2008 2:10 AM |
|
Zvika, did you find the solution? I have got the same problem. Claudio |
|
|
|
|
|