I have a SQL Server 2012 machine and I want to limit the Domain Admins permissions. What can I do to make sure that the Domain Admins have read only permissions for the databases and nothing else for SQL Server?
I am interested in limiting their permissions for the SQL Server install. They can do whatever they want on the Windows Server 2008 OS.
Thank you for your help.
Best Answer
By default domain admins don't have access to a SQL 2012 instance, because by default
builtin\administrator
(which are the local admins on the machine) are not a login in SQL Server itself.The default has changed starting 2008
So unless someone added them in SQL Server the local admins/domain admins shouldn't have permissions on the instance.
That doesn't mean they can't give themselves permissions, as some case of emergency solution they can start sql in single user mode and connect but that requires a server restart.
On the other hand, on 2008 R2 this trick would still work: Think Your Windows Administrators Don’t Have Access to SQL Server 2008 by Default? Think Again