Monday, March 19, 2012

getting rid of BUILTIN\administrator

Using SS2000. I'm trying to improve the security of our SQLServers. I have a server that has only 3 users. The BUILTIN, sa and a user called "dar".
The BUILTIN is the dbo for every database. If I try to remove the dbo from a database I get - "Cannot use the reserved user or role name 'dbo'." If I try to remove database access I get - "The database owner cannot be dropped."
How do I get rid of it?
I understand that I'll have to change the user that SQLServer Agent and Full Text Indexing use to logon. Does Full Text Indexing show up as Microsoft Search in Services?
Thanks,
Dan D.
look at sp_changedbowner to change the owner to sa. As you noted, make sure
that the service accounts for mssqlserver, sqlserveragent can log in.
Full-text always runs as localsystem so make sure [nt authority\system] is a
valid login and sysadmin.
Richard Waymire, MCSE, MCDBA
This posting is provided "AS IS" with no warranties, and confers no rights.
|||I was thinking of creating a login called "SQLServer" with administrator privileges and using it for mssqlserver, sqlserveragent and full text. Will this work for full text? And is the full text service actually called "Microsoft Search"?
Thanks,
Dan D.
|||no, fulltext is required to be localsystem unfortunately. And yes, that's
the right service.
Richard Waymire, MCSE, MCDBA
This posting is provided "AS IS" with no warranties, and confers no rights.
|||So, if I remove the BUILTIN\administrator login you're saying I have to add a login for NT Authority\system. Is that correct? We're running Windows 2000/2003 on our servers. I don't see an NT Authority login. Is there another name for it?
Thanks,
Dan D.
|||no, that's the right name - are you getting an error when you add it? and
yes, that's what I'm saying you must do if you want to use full-text
search...
Richard Waymire, MCSE, MCDBA
This posting is provided "AS IS" with no warranties, and confers no rights.
|||You won't see it but you should be able to add it using QA e.g.
exec sp_grantlogin [NT Authority\System]
HTH
Jasper Smith (SQL Server MVP)
http://www.sqldbatips.com
I support PASS - the definitive, global
community for SQL Server professionals -
http://www.sqlpass.org
|||I used what Jasper suggested and I now have an NT Authority\system login.
So do I leave the Microsoft Search service set to use "localsystem"? And after I remove the "BUILTIN\administrator" login, the service will use the NT Authority\system login?
Thanks,
Dan D.
|||Thanks Jasper. I now have a [NT Authority\System] login.
Dan D.
|||correct.
Richard Waymire, MCSE, MCDBA
This posting is provided "AS IS" with no warranties, and confers no rights.

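The steps discussed in this thread, collected into one SQL Server 2000 script as an added example (not posted by any participant). It assumes you are connected as sa in Query Analyzer; 'MYDOMAIN\sqlservice' is a placeholder for the service account, and 'BUILTIN\Administrators' is the login the thread refers to as BUILTIN\administrator.

```sql
-- Added example, not from the thread. Run as sa so this session does not
-- depend on BUILTIN\Administrators for its own access.

-- 1. Baseline: who owns each database, and who is sysadmin today.
SELECT name, SUSER_SNAME(sid) AS owner_login FROM master.dbo.sysdatabases
EXEC sp_helpsrvrolemember 'sysadmin'

-- 2. Microsoft Search (full-text) runs as LocalSystem, so that account
--    needs its own login and sysadmin once the BUILTIN group is gone.
IF NOT EXISTS (SELECT * FROM master.dbo.syslogins
               WHERE loginname = 'NT AUTHORITY\SYSTEM')
    EXEC sp_grantlogin 'NT AUTHORITY\SYSTEM'
EXEC sp_addsrvrolemember 'NT AUTHORITY\SYSTEM', 'sysadmin'

-- 3. Service account for MSSQLSERVER / SQLSERVERAGENT (placeholder name).
--    SQL Server Agent requires sysadmin membership for its account.
EXEC sp_grantlogin 'MYDOMAIN\sqlservice'
EXEC sp_addsrvrolemember 'MYDOMAIN\sqlservice', 'sysadmin'

-- 4. Make sa the owner of every database it does not already own.
--    master, model and tempdb are skipped: their owner cannot be changed.
DECLARE @db sysname, @sql nvarchar(600)
DECLARE db_cur CURSOR FAST_FORWARD FOR
    SELECT name FROM master.dbo.sysdatabases
    WHERE name NOT IN ('master', 'model', 'tempdb')
      AND ISNULL(SUSER_SNAME(sid), '') <> 'sa'
OPEN db_cur
FETCH NEXT FROM db_cur INTO @db
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N' EXEC sp_changedbowner ''sa'''
    EXEC (@sql)
    FETCH NEXT FROM db_cur INTO @db
END
CLOSE db_cur
DEALLOCATE db_cur

-- 5. Only now remove the group login.
EXEC sp_revokelogin 'BUILTIN\Administrators'

-- 6. Verify: no database owned by the group, and the sysadmin list
--    contains only the accounts you expect.
SELECT name, SUSER_SNAME(sid) AS owner_login FROM master.dbo.sysdatabases
EXEC sp_helpsrvrolemember 'sysadmin'
```

Restart the SQL Server Agent and Microsoft Search services afterwards and confirm both start cleanly before treating the change as complete.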