builtin\users

Question

Monday, October 14, 2013 1:09 PM

I have just queried syslogins on a SQL Express installation, and was quite alarmed to see builtin\users as a login. Is this the default when you set up a new installation of SQL Express? They aren't sysadmin but seem to have some degree of access. Is there any risk with this setup? Why would you grant BUILTIN\users access to a SQL DB?

All replies (3)

Monday, October 14, 2013 1:18 PM ✅Answered | 1 vote

See here, as per BOL:

http://technet.microsoft.com/en-us/library/ms165636%28v=sql.105%29.aspx

During setup of SQL Server Express a login is added for the BUILTIN\Users group. This allows all authenticated users of the computer to access the instance of SQL Server Express as a member of the public role. The BUILTIN\Users login can be safely removed to restrict Database Engine access to computer users who have individual logins or are members of other Windows groups with logins.

Builtin -> By default, everyone who is part of the Windows admins will have access at the SQL level.

FYI

But please ensure that you have first added a Windows domain account with SYSADMIN at the SQL level, or created a SQL account with sysadmin at the SQL level (but please ensure your instance runs in Mixed mode (Windows + SQL authentication mode)) before taking any action on builtin.

Thanks, Rama Udaya.K (http://rama38udaya.wordpress.com) Please remember to mark the replies as answers if they help and un-mark them if they provide no help. Vote if they give you information.
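As an added example, not part of the reply above: T-SQL that inspects what the BUILTIN\Users login holds and drops it only when another enabled sysadmin login exists. The exclusion list in the guard (sa and the NT SERVICE / NT AUTHORITY accounts) is an assumption about which sysadmin members an administrator cannot actually log in with; adjust it for your instance.

```sql
-- 1. Is the login present, and is it enabled?
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE name = N'BUILTIN\Users';

-- 2. Server-level permissions granted or denied directly to it.
SELECT pr.name, pe.class_desc, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'BUILTIN\Users';

-- 3. Fixed server roles it was added to (public is implicit and not listed).
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = N'BUILTIN\Users';

-- 4. Is it mapped to a user in the current database? Run once per database.
SELECT DB_NAME() AS database_name, dp.name AS database_user
FROM sys.database_principals AS dp
JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE sp.name = N'BUILTIN\Users';

-- 5. Drop the login only if some other enabled sysadmin login remains.
--    Assumption: sa and service accounts do not count as a usable admin
--    login (sa cannot connect when the instance is Windows-auth only).
IF EXISTS (
    SELECT 1
    FROM sys.server_role_members AS m
    JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
    JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
    WHERE r.name = N'sysadmin'
      AND l.is_disabled = 0
      AND l.name NOT IN (N'BUILTIN\Users', N'sa')
      AND l.name NOT LIKE N'NT SERVICE\%'
      AND l.name NOT LIKE N'NT AUTHORITY\%'
)
    DROP LOGIN [BUILTIN\Users];
ELSE
    RAISERROR(N'No other enabled sysadmin login found; BUILTIN\Users left in place.', 16, 1);
```

Dropping the login does not remove a database user mapped to it; any row returned by step 4 needs a separate `DROP USER` in that database.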


Monday, October 14, 2013 4:05 PM ✅Answered

SQL Express does not allow remote connections, by default.  So in the initial configuration only a user logged on to the PC can connect to SQL Server. 

David

David http://blogs.msdn.com/b/dbrowne/


Monday, October 14, 2013 1:26 PM

That's surely bad practice though - allowing every user access to your database?

My understanding was that for domain-joined PCs, the local users group included the domain group "domain users", thus every user in the domain. So if builtin\users can access the database, then surely that means anyone in the domain can access the database too?