local administrator sysadmin role

If  you have MSSQL  on say a windows 2008 server, if a local administrator (OS) is not currently a sysadmin in MSSQL, just by being local admin on the server, can they make themselves sysadmin? Or if not what permissions do they need to make them sysadmin?

MS recommend not having builtin\admins as part of the sysadmin role, but if they could just grant themselves that permission it seems a waste of time investigating and removing local admins from that role in MSSQL
LVL 4
pma111Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

dec0mpileCommented:
If you change the security settings they cannot grant themselves permission.

By default, members of the local Administrators group are also granted administrative rights. Local administrators can create databases, add users and permissions, and perform any other task allowed to system administrators.

This behavior is configurable. It is determined by the BuiltinAdminsAreServerAdmins server property, which is set to true by default.

You can change this property in SQL Server Management Studio.

BuiltinAdminsAreServerAdmins
A Boolean property that indicates whether members of the local machine administrators group are Analysis Services administrators.
0
Scott PletcherSenior DBACommented:
Unfortunately, local Windows system administrators can get around any restrictions you place in SQL Server.  It does take some mild effort, so you might be able to keep out "lazy" Windows admins by removing the built-in logins.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
geek_vjCommented:
If  you have MSSQL  on say a windows 2008 server, if a local administrator (OS) is not currently a sysadmin in MSSQL, just by being local admin on the server, can they make themselves sysadmin?
>> Not necessarily. Prior to SQL 2008, Builtin Administrators group was added by default to the SQL server logins. However, from SQL 2008, this group is not added by default as a part of installation. So, by default local OS admin having sysadmin access is not possible starting sql 2008.

>> if not what permissions do they need to make them sysadmin?
Only sysadmins can add or make other logins as sysadmins

As such, it is recommended to remove the group Builtin/Administrators as a part of installation and add the logins with required access. Unless required, it is always better to keep the sysadmin access with DBAs.

Hope this clarifies!
0
DBAduck - Ben MillerPrincipal ConsultantCommented:
As ScottPletcher said, it takes some mild effort, but Domain Admins are admins on Windows Servers which means that they can login and do things that normal users could not do. This could lead to being able to give themselves access, but it does take some effort.
0
Scott PletcherSenior DBACommented:
A Windows admin on that box can stop the SQL service, restart it in single user mode, add a sysadmin login of their choosing, stop SQL and restart it normally.  Based on the discussions of this I've seen, there's no real way to prevent it even in SQL 2008 (don't know about for SQL 2012).
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SQL Server

From novice to tech pro — start learning today.