Change BUILTIN\Administrators from sysadmin to public

Question

Thursday, September 19, 2019 10:14 AM

Hi, 

I have a task to delete or decrease the permissions of BUILTIN\Administrators in SQL Server 2016 (as best practices say). In this group there are local users, the local machine and a backup user.

I want to create windows logins instead of this login with proper minimal permissions to sql server.

What is the minimum that local machine needs to run sql server properly?

Should I delete BUILTIN\Administrators login from sql server or set to server role public only?

Thanks, 

All replies (4)

Thursday, September 19, 2019 10:31 AM

Please read this article

https://www.mssqltips.com/sqlservertip/1017/security-issues-with-the-sql-server-builtin-administrators-group/

Best Regards, Uri Dimant, SQL Server MVP, http://sqlblog.com/blogs/uri_dimant/



Thursday, September 19, 2019 11:13 AM

What is the minimum that local machine needs to run sql server properly?

Just create a domain account and use SQL Server configuration manager to start SQL Server service with this created account. SSCM will by itself give the minimum permissions required to run the SQL server service.

Should I delete BUILTIN\Administrators login from sql server or set to server role public only?

I am not sure you can go ahead and just delete it; you must make sure something is not using it, as some TP tools use it. Refer to the document below.

Appendix D: Securing Built-In Administrator Accounts in Active Directory

Cheers,

Shashank



Thursday, September 19, 2019 9:49 PM

Should I delete BUILTIN\Administrators login from sql server or set to server role public only?

BUILTIN\Administrators is not added by default when you install SQL Server, starting from SQL 2008. So normally it should not be there, unless this is an instance that originally was SQL 2005.

Whatever, it should be safe to remove this login from SQL Server, although I don't know what local dependencies you may have.

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se


Friday, September 20, 2019 6:45 AM

Hi ALdo1982,

>>What is the minimum that local machine needs to run sql server properly?

Server role public has the minimum permission.

>>Should I delete BUILTIN\Administrators login from sql server or set to server role public only?

As Erland Sommarskog mentioned, BUILTIN\Administrators is not added by default when you install SQL Server, starting from SQL Server 2008.

So, you could delete the account from Security—Logins.

Hope this helps.

Best Regards,

Amelia Gu

MSDN Community Support
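The checks the replies above call for (is the login present, what depends on it, is there another way in) can be scripted before anything is changed. This T-SQL is an added example, not code from any poster in the thread; it assumes SQL Server 2012 or later syntax and that you run it under a login that is itself an explicit member of sysadmin.

```sql
-- Added example. Run each step and read the output before moving to the next.

-- 1. Is BUILTIN\Administrators present, and which fixed server roles does it hold?
SELECT p.name AS login_name, p.type_desc, p.is_disabled, r.name AS server_role
FROM sys.server_principals AS p
LEFT JOIN sys.server_role_members AS m ON m.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
WHERE p.name = N'BUILTIN\Administrators';

-- 2. Server-level permissions granted or denied directly to the group.
SELECT sp.state_desc, sp.permission_name, sp.class_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE p.name = N'BUILTIN\Administrators';

-- 3. Windows accounts that currently reach the instance through the group.
--    Each one that still needs access must get its own login first.
EXEC xp_logininfo N'BUILTIN\Administrators', 'members';

-- 4. Other enabled sysadmin members that will remain afterwards.
SELECT p.name, p.type_desc
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE r.name = N'sysadmin'
  AND p.is_disabled = 0
  AND p.name <> N'BUILTIN\Administrators';

-- 5. Guarded change: only proceed when the current login is an explicit
--    sysadmin member, so removing the group cannot lock you out.
--    (Conservative: access that comes only via another Windows group fails this check.)
IF EXISTS (SELECT 1
           FROM sys.server_role_members AS m
           JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
           JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
           WHERE r.name = N'sysadmin' AND p.name = SUSER_SNAME())
BEGIN
    IF IS_SRVROLEMEMBER(N'sysadmin', N'BUILTIN\Administrators') = 1
        -- Option A: keep the login, leaving it with the public role only.
        ALTER SERVER ROLE [sysadmin] DROP MEMBER [BUILTIN\Administrators];
    -- Option B: remove the login entirely (uncomment once steps 1-4 look clean).
    -- DROP LOGIN [BUILTIN\Administrators];
END
ELSE
    RAISERROR(N'Current login is not an explicit sysadmin member; no change made.', 16, 1);
```

Option A is easy to reverse with `ALTER SERVER ROLE [sysadmin] ADD MEMBER` if a dependency surfaces, which makes it a reasonable first step before dropping the login.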