AskSQLTeam
Ask SQLTeam Question

0 Posts

Posted - 2003-07-04 : 08:36:54
Chris writes "I need to give the DBA group at the company where I work full access to the SQL server portion of the server without giving them Local Admin rights to the box. They need to be able to do whatever they want to "SQL". I can give full access to all the other drives in the system, but they cannot update WINNT or any of the "system" or OS based files. The plan is to have them access the server through Enterprise Manager and telnet.

I am having trouble finding how to set this up without the local admin settings. Current company policy says that I cannot give them Admin rights on the box (separation of powers). Any ideas?"

robvolk
Most Valuable Yak

15732 Posts

Posted - 2003-07-04 : 08:40:09
This is easy; you can do two things:

A) Add each admin's WinNT login to your SQL Server and make them members of the sysadmin server role, or:

B) Create a local NT user group on the SQL box, add the "admins" to that group, then add the group to SQL Server and make it a member of the sysadmin role.

Both have benefits and disadvantages. If you really want to ensure that they CAN'T get admin rights to the computer, then you should go with A.


chadmat
The Chadinator

1974 Posts

Posted - 2003-07-07 : 20:06:35
Then they just have to use xp_cmdshell to do whatever they want. This is just my opinion, but I don't think it is wise to not allow SQL Admins to be admins on the server. It is kinda ridiculous for a DBA to have to go ask to restart services or any one of many other things I have seen DBAs have to ask permission for. If you trust them with the crown jewels (the database), why not trust them with the server as well? Besides, as I said, they can circumvent by using xp_cmdshell.

-Chad

http://www.clrsoft.com

Software built for the Common Language Runtime.

tkizer
Almighty SQL Goddess

38200 Posts

Posted - 2003-07-07 : 20:20:34
I am in complete agreement with Chad. In order for the DBA to do his/her job, the DBA needs sysadmin on SQL Server or account added to the admin group. If you just give sysadmin, then the DBA can do whatever he/she wants to just by calling xp_cmdshell. So the DBA will be able to update WINNT or any of the "system" or OS based files even though he/she is not an admin on the box.

Why don't you/your company trust your DBAs with admin access on the server?

Tara
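
Option B from robvolk's reply, followed by checks that show how much OS access sysadmin carries through xp_cmdshell, as an added example that is not part of the original thread. It assumes SQL Server 2000 and a default instance (service name MSSQLSERVER); `SQLBOX\SQLAdmins` is a hypothetical local group, and xp_regread is an undocumented extended procedure.

```sql
-- Added example, not from the thread. SQLBOX\SQLAdmins is a hypothetical
-- local NT group that already contains the DBAs' Windows accounts.
USE master
GO

-- Option B: give the local group a SQL Server login, then add it to sysadmin.
-- (Option A is the same two calls, once per individual DOMAIN\user login.)
EXEC sp_grantlogin N'SQLBOX\SQLAdmins'
EXEC sp_addsrvrolemember N'SQLBOX\SQLAdmins', N'sysadmin'
GO

-- Review who holds sysadmin. A group shows up as one row: its membership is
-- resolved by Windows at login, so whoever can edit the local group on the
-- box also decides who is sysadmin.
EXEC sp_helpsrvrolemember N'sysadmin'
GO

-- List explicit permissions granted on xp_cmdshell. sysadmin members never
-- appear here because they can always execute it; any row returned is an
-- additional, non-sysadmin principal that can run OS commands.
EXEC sp_helprotect N'xp_cmdshell'
GO

-- xp_cmdshell called by a sysadmin runs as the SQL Server service account,
-- so that account's Windows rights are the real limit on what a DBA can do
-- to the OS. Read the account name from the service's registry entry
-- (default instance assumed; a named instance uses MSSQL$<instance name>).
DECLARE @service_account varchar(256)
EXEC master.dbo.xp_regread
     'HKEY_LOCAL_MACHINE',
     'SYSTEM\CurrentControlSet\Services\MSSQLSERVER',
     'ObjectName',
     @service_account OUTPUT
SELECT @service_account AS sql_service_account
GO
```

If the last query returns LocalSystem or an account in the local Administrators group, sysadmin membership is equivalent to admin rights on the box, which is the point chadmat and tkizer make; a service account without those rights narrows what xp_cmdshell can reach.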