MS SQL Server – Disallow BUILTIN\Administrators

Introduction

It appears that SUSER_SID('BUILTIN\Administrators') does not always work reliably.
The code below prevents members of BUILTIN\Administrators from connecting to MS SQL Server
unless their groups or accounts have been granted explicit logins.

 

Code


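-- Drop the login only when both checks agree that it exists:
-- SUSER_SID() alone is not always reliable, so the login catalog is checked too.
if (
            (SUSER_SID('BUILTIN\Administrators') is not null)
        and ( exists( select name from master.dbo.syslogins where name = 'BUILTIN\Administrators' ))
    )
begin
    print 'Dropping Login [BUILTIN\Administrators]...'

    -- Local Windows administrators lose their implicit SQL Server login here
    drop login [BUILTIN\Administrators];

    print 'Dropped Login [BUILTIN\Administrators]'
end
go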
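
Dropping the group login removes the implicit administrative path into the instance, so it is worth confirming that another one exists first. The following is an added example, not code from the original post: it checks the login through sys.server_principals instead of SUSER_SID and refuses to drop when no other enabled sysadmin login remains. Which principals count as a usable admin path (the NT SERVICE\, NT AUTHORITY\, ## and sa exclusions) is an assumption to adjust for your environment.

```sql
SET NOCOUNT ON;

DECLARE @target sysname;
DECLARE @remaining int;
SET @target = N'BUILTIN\Administrators';

-- Count enabled sysadmin members that will still exist after the drop.
-- Assumptions: NT SERVICE\*, NT AUTHORITY\* and ##...## principals are
-- service or internal accounts, and sa (SID 0x01) cannot connect when the
-- instance runs in Windows-authentication-only mode, so none of them is
-- counted as an administrator's way back in.
SELECT @remaining = COUNT(*)
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
  AND m.name <> @target
  AND m.is_disabled = 0
  AND m.type IN ('S', 'U', 'G')      -- SQL login, Windows login, Windows group
  AND m.sid <> 0x01                  -- sa
  AND m.name NOT LIKE N'NT SERVICE\%'
  AND m.name NOT LIKE N'NT AUTHORITY\%'
  AND m.name NOT LIKE N'##%';

IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = @target AND type = 'G')
BEGIN
    PRINT 'Login [BUILTIN\Administrators] is not present; nothing to drop.';
END
ELSE IF @remaining = 0
BEGIN
    -- Dropping now would leave no explicit administrator on the instance.
    RAISERROR('No other enabled sysadmin login found; refusing to drop [BUILTIN\Administrators].', 16, 1);
END
ELSE
BEGIN
    DROP LOGIN [BUILTIN\Administrators];
    PRINT 'Dropped Login [BUILTIN\Administrators]';
END
GO
```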

References

  1. SQL Server 2008 does not pick up dropped users
    http://www.sqldev.org/sql-server-security/sql-server-2008-does-not-pick-up-dropped-users-80518.shtml
