Removing BUILTIN\ADMINISTRATOR

Hello
I'm sure this has been answered many times, but my search of the newsgroup
gives me hits on messages that have already been 'removed'. Googling hasn't
given me the answer yet either.
I need to remove BUILTIN from many 'inherited' servers that I am called on
to support. I am required to remove it. However, it is also DBO for every
database. All the databases are actually owned by 'sa'. If I try to drop
BUILTIN access to a database I get the 'the database owner cannot be
dropped'. If I try to drop remove the DBO permit for BUILTIN in a database
I get 'Error 15405: Cannot use the reserved user or role name dbo'. UGH!
There's a simple solution for this, right?
Thanks!> I need to remove BUILTIN from many 'inherited' servers that I am called on to support. I
am
> required to remove it. However, it is also DBO for every database. All t
he databases are
> actually owned by 'sa'.
Above is a contradiction. You can't have both BUILTIN\Administrators *and* s
a as owner for a
database! My guess is that the owner is BUILTIN\Administrators. Just change
the owner to sa, using
sp_changedbowner.
Also, before removing the administrators group, add LocalSystem (actual name
is NT
AUTHORITY\SYSTEM). Google for it to see why.
--
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://www.solidqualitylearning.com/
"Steve" <pezguy@.mn.rr.com> wrote in message news:fpsbe.31959$215.21781@.tornado.rdc-kc.rr.com
..
> Hello
> I'm sure this has been answered many times, but my search of the newsgroup
gives me hits on
> messages that have already been 'removed'. Googling hasn't given me the an
swer yet either.
> I need to remove BUILTIN from many 'inherited' servers that I am called on
to support. I am
> required to remove it. However, it is also DBO for every database. All t
he databases are
> actually owned by 'sa'. If I try to drop BUILTIN access to a database I g
et the 'the database
> owner cannot be dropped'. If I try to drop remove the DBO permit for BUIL
TIN in a database I get
> 'Error 15405: Cannot use the reserved user or role name dbo'. UGH!
> There's a simple solution for this, right?
> Thanks!
>|||Hi Steve,
Maybe this articles will help you:
"Removing builtin\administrators: Some pitfalls to avoid"
tratorssomepitfallstoavoi.asp" target="_blank">http://www.sqlservercentral.com/col...fallstoavoi.asp
"10 Steps to Securing your SQL Server"
[url]http://www.sqlservercentral.com/columnists/bknight/10securingyoursqlserver.asp[/ur
l]
Cristian Lefter, SQL Server MVP
"Steve" <pezguy@.mn.rr.com> wrote in message
news:fpsbe.31959$215.21781@.tornado.rdc-kc.rr.com...
> Hello
> I'm sure this has been answered many times, but my search of the newsgroup
> gives me hits on messages that have already been 'removed'. Googling
> hasn't given me the answer yet either.
> I need to remove BUILTIN from many 'inherited' servers that I am called on
> to support. I am required to remove it. However, it is also DBO for
> every database. All the databases are actually owned by 'sa'. If I try
> to drop BUILTIN access to a database I get the 'the database owner cannot
> be dropped'. If I try to drop remove the DBO permit for BUILTIN in a
> database I get 'Error 15405: Cannot use the reserved user or role name
> dbo'. UGH!
> There's a simple solution for this, right?
> Thanks!
>