
Limiting Domain Admins permissions on a SQL Server

Submitted by: @import:stackexchange-dba

Problem

I have a SQL Server 2012 machine and I want to limit the Domain Admins' permissions. What can I do to make sure that the Domain Admins have read-only permissions for the databases and nothing else for SQL Server?

I am interested in limiting their permissions for the SQL Server install. They can do whatever they want on the Windows Server 2008 OS.

Thank you for your help.

Solution

By default, domain admins don't have access to a SQL 2012 instance, because by default builtin\administrator (the local admins on the machine) is not a login in SQL Server itself.

The default changed starting with 2008:

"By default, the local Windows Group BUILTIN\Administrator is no longer included in the SQL Server sysadmin fixed server role on new SQL Server 2008 installations."

So unless someone added them in SQL Server the local admins/domain admins shouldn't have permissions on the instance.

That doesn't mean they can't give themselves permissions: as a kind of emergency solution, they can start SQL Server in single-user mode and connect, but that requires a server restart.

On the other hand, on 2008 R2 this trick would still work: "Think Your Windows Administrators Don't Have Access to SQL Server 2008 by Default? Think Again".

Context

StackExchange Database Administrators Q#106887, answer score: 3
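
One way to verify the answer's point that local or domain admins have instance access only if someone added them, as an added T-SQL example that is not part of the original answer. `CONTOSO\Domain Admins` is a placeholder group name; the query uses the standard catalog views `sys.server_principals`, `sys.server_role_members` and `sys.server_permissions`.

```sql
-- Added example, not from the original answer.
-- Lists Windows logins and groups that hold sysadmin membership or
-- CONTROL SERVER, and flags the admin groups discussed above.
DECLARE @domain_admins sysname = N'CONTOSO\Domain Admins';  -- placeholder: use your own domain

WITH elevated AS (
    -- Members of the sysadmin fixed server role
    SELECT m.principal_id, N'sysadmin role member' AS reason
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin'

    UNION ALL

    -- Principals granted CONTROL SERVER at server scope (class 100),
    -- which is effectively equivalent to sysadmin
    SELECT p.grantee_principal_id, N'CONTROL SERVER granted'
    FROM sys.server_permissions AS p
    WHERE p.class = 100
      AND p.permission_name = N'CONTROL SERVER'
      AND p.state IN ('G', 'W')          -- GRANT or GRANT WITH GRANT OPTION
)
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,
       e.reason,
       CASE WHEN sp.name IN (N'BUILTIN\Administrators', @domain_admins)
            THEN 1 ELSE 0 END AS is_admin_group
FROM elevated AS e
JOIN sys.server_principals AS sp ON sp.principal_id = e.principal_id
WHERE sp.type IN ('U', 'G')              -- U = Windows login, G = Windows group
ORDER BY is_admin_group DESC, sp.name;
```

No row with `is_admin_group = 1` means neither group has been added with elevated rights. Any other Windows group that is listed should still be reviewed, because its membership is managed in Active Directory rather than in SQL Server.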
