Sysadmin to AD users

    Question

  • Hi Gurus,

    We have a server where SQL Server is installed. Please let me know what the pros and cons are of giving sysadmin privileges to AD users while there are Windows accounts where they can log in. Appreciate your help.

    Thanks,

    Venkat.

    • Moved by Tom Phillips Thursday, October 24, 2013 8:34 PM Security question
    Thursday, October 24, 2013 5:24 PM

Answers

  • Well, you said the right thing. If they can perform their activities with the role they have, then they should be fine; or ask them whether they need it temporarily or permanently.

    If they need it for a one-time, temporary or permanent purpose, then you can give it, with all the information pulled from them to ensure that apart from that they shouldn't do anything. Or if they still need it (sometimes a few customers are like that, we can't say), then track all the things from your end, pull out from them what purpose they need it for, and keep track of the same.

    Also verify with your Processes Manager.


    Thanks, Rama Udaya.K (http://rama38udaya.wordpress.com)

    Please remember to mark the replies as answers if they help and UN-mark them if they provide no help. Vote if they give you information.

    Thursday, October 24, 2013 5:49 PM
  • The basic principle of least privileges should apply. Users of any system should only have the permissions necessary to perform their required functions. If these other AD users are going to be in complete charge of the system going forward (i.e. own the whole thing), then they should be sysadmins and (probably) you should not be any more. But it's more common that they do not need that level of access, and people just haven't figured out what permissions they really need.

    Rick Byham, Microsoft, SQL Server Books Online, Implies no warranty

    Thursday, October 24, 2013 9:26 PM

All replies

  • There is not much to say:

    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/be978d1c-62ef-40a8-9eae-2cd53c365b1e/sys-admin-access-to-sql-users?forum=sqldatabaseengine

    But if N number of users need SA, then you can create a group (that should be done in AD first) and add the users to it; then you can give it to the group instead of adding each domain ID.

    Again, SA is a high privilege; refer to the same link above.


    Thanks, Rama Udaya.K (http://rama38udaya.wordpress.com)

    Thursday, October 24, 2013 5:30 PM
  • Actually we are done with the project and it went to other people. They are asking to give admin privileges to 3 AD accounts. Is it acceptable and necessary? I am saying no because there are some other Windows accounts where they can accomplish the same tasks.

    Please answer.

    Thursday, October 24, 2013 5:41 PM
  • ...They are asking to give admin privileges to 3 AD accounts. Is it acceptable and necessary? I am saying no because there are some other Windows accounts where they can accomplish the same tasks.

    ...

    What are the actual requirements?

    What alternatives can you offer?

    Maybe you can take a look at CONTROL SERVER - described in detail here: www.insidesql.org/blogs/andreaswolter/2013/08/control-server-vs-sysadmin-sa-permissions-privilege-escalation-caveats

    Except for a backup-admin account, it's usually better to have fewer people with sysadmin privileges.


    Andreas Wolter | Microsoft Certified Master SQL Server

    Blog: www.insidesql.org/blogs/andreaswolter
    Web: www.andreas-wolter.com | www.SarpedonQualityLab.com

    Thursday, October 24, 2013 9:05 PM
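
The replies in this thread suggest granting access to an AD group rather than to individual accounts, and giving only the permissions the task requires instead of sysadmin. The T-SQL below is an added example of that approach, not code posted by any participant; the group `CONTOSO\SqlProjectOps`, the database `ProjectDb` and the particular permissions granted are assumptions standing in for the real requirements.

```sql
-- Added example. CONTOSO\SqlProjectOps and ProjectDb are assumed placeholder names.

-- 1. Audit who already holds instance-wide control: sysadmin members
--    and principals that were granted CONTROL SERVER directly.
SELECT m.name AS principal_name, m.type_desc, 'sysadmin member' AS granted_via
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
UNION ALL
SELECT p.name, p.type_desc, 'CONTROL SERVER grant'
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = N'CONTROL SERVER'
  AND sp.state IN ('G', 'W');   -- GRANT or GRANT WITH GRANT OPTION
GO

-- 2. One login for the AD group (the group is created and populated in AD first),
--    instead of one login per domain account.
CREATE LOGIN [CONTOSO\SqlProjectOps] FROM WINDOWS;
GO

-- 3. Grant only what the stated tasks need (assumed here: monitoring,
--    reading data and taking backups of one database). No sysadmin membership.
GRANT VIEW SERVER STATE TO [CONTOSO\SqlProjectOps];
GO
USE ProjectDb;
GO
CREATE USER [CONTOSO\SqlProjectOps] FOR LOGIN [CONTOSO\SqlProjectOps];
ALTER ROLE db_datareader     ADD MEMBER [CONTOSO\SqlProjectOps];
ALTER ROLE db_backupoperator ADD MEMBER [CONTOSO\SqlProjectOps];
GO

-- 4. Record what the group ended up with at server level, for later review.
SELECT p.name, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE p.name = N'CONTOSO\SqlProjectOps';
GO
```

Re-running the first query on a schedule shows when a new principal gains sysadmin or CONTROL SERVER, which is the tracking the earlier reply asks for.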