What are some of the issues that can occur when you remove the 'SA' role from BUILTIN\Administrators (NETIQKB11094)

  • 7711094
  • 02-Feb-2007
  • 09-Dec-2010

Environment

NetIQ AppManager 6.x
NetIQ AppManager 7.0.x
Microsoft SQL Enterprise 2005
Microsoft SQL Enterprise 2008

Situation

What are some of the issues that can occur when you remove the 'SA' role from BUILTIN\Administrators in SQL Server?

Resolution

Warning: Users may break the NetIQ SQL Stored Procedures and Jobs when removing the 'sa' role from the BUILTIN\Administrators.  It is highly advised that the BUILTIN\Administrators account in SQL NOT have the SA role removed from it in SQL.

If you are using any user account that is in the BUILTIN\Administrators account in SQL to login into the AppManager operator console, those users will run into problems where they may not be able to login in to the AppManager Operator Console or run Knowledge Scripts, if the SA Role is removed from the BUILTIN\Administrators account in SQL.

This can be avoided if the user already has a unique login account in SQL, and that account has a unique Role set in AppManager Security Manager equivalent to the Role given to the BUILTIN\Administrators.  If the user is not allowed to have, for example, a db_owner role for another account (NT or SQL), they should at least be given the following SQL Roles:

On the QDB database:

    • public role (by default)
    • db_ddladmin: Allow KS to execute most of the extended store procedure.
    • db_backupoperator: Allow KS to use DBCC command

Additional Information

Formerly known as NETIQKB11094

 


Feedback service temporarily unavailable. For content questions or problems, please contact Support.