Q:
AD Domain Admin permissions to SQL
Can a Domain Admin grant himself permissions to a SQL database? Or, put another way, can a Domain Admin make himself equivalent to the SA account?
ASKED: Jun 5 2009  5:58 PM GMT
A:
By default, everyone who is a member of the server's Administrators group is a member of the sysadmin role. This can be changed by removing the BUILTIN\Administrators group from SQL Server's sysadmin role. Before you do this, be sure to grant the DBAs admin rights.

Once the domain admins don't have sysadmin rights to the database, they cannot grant themselves this right again.
Last Answered: Jun 6 2009  8:30 AM GMT by Mrdenny   47055 pts.
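The change described in the answer above, sketched in T-SQL as an added example (not code from the original post or its author). The group name `CONTOSO\SQL-DBAs` is a hypothetical placeholder for the DBAs' Windows group; the script uses the `sp_addsrvrolemember`/`sp_dropsrvrolemember` procedures of the SQL Server versions current at the time and only drops BUILTIN\Administrators after confirming the DBA group already holds sysadmin.

```sql
-- Assumption: CONTOSO\SQL-DBAs is a hypothetical Windows group containing the DBAs.
DECLARE @dba_group sysname;
DECLARE @sql nvarchar(400);
SET @dba_group = N'CONTOSO\SQL-DBAs';

-- 1. Review who currently holds sysadmin before changing anything.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Grant the DBAs admin rights first: create the login if needed, then add it to sysadmin.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @dba_group)
BEGIN
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@dba_group) + N' FROM WINDOWS;';
    EXEC (@sql);
END;

EXEC sp_addsrvrolemember @loginame = @dba_group, @rolename = N'sysadmin';

-- 3. Remove BUILTIN\Administrators from sysadmin only if the DBA group is
--    confirmed as a member, so the instance is never left without an administrator.
IF EXISTS (
    SELECT 1
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin' AND m.name = @dba_group
)
BEGIN
    IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'BUILTIN\Administrators')
        EXEC sp_dropsrvrolemember @loginame = N'BUILTIN\Administrators',
                                  @rolename = N'sysadmin';
END
ELSE
    RAISERROR(N'DBA group is not in sysadmin; BUILTIN\Administrators left unchanged.', 16, 1);
```

Re-running the query from step 1 afterwards shows whether BUILTIN\Administrators is still listed.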
Discuss This Answer:

Hlx   65 pts.  |   Jun 9 2009  5:09PM GMT

Depending on your viewpoint, it would be pretty trivial for a Domain Admin to change a password and log in as a domain user that they know is SA and then grant themselves access. The only clue would be that the hijacked account holder would then be unable to log in with what they thought was their password. One call to the help desk or perhaps even the Domain Admin to reset their password and all traces go away.

 