Sql-server – Method (Policy Based Management, DDL Trigger, whatever) to prevent logins with sysadmin from granting sysadmin to other logins

Tags: sql-server, trigger

I have scoured the internet looking for something even close to what I'm wanting to do, and all I can find is how to get around security controls to be able to grant sysadmin to a login. (!!!)
Here's the situation: I'm a veteran DBA at a new company that has never had a DBA before, so everyone and their brother's cousin has sysadmin. That's fine, I have a plan to clean it up and reduce the number of logins that have sysadmin permission. However, now that I've started taking that permission set away from some logins, "someone" (and that's the trouble, I don't know who) is granting sysadmin to other logins.
I need a way to either report or (ideally) prevent logins that have sysadmin permission from granting sysadmin to other logins.
Of course, this is not going to be easy, because a DDL trigger for "ALL SERVER" is not going to work, because from time to time, I will need to elevate certain logins to have sysadmin (upgrade/config change/new app/etc), so my login still has to have this ability. But, all other logins, with either sysadmin or securityadmin need to be blocked from granting sysadmin (and I suppose securityadmin) to any other login…newly created or existing.

Does anyone have any idea how to go about doing this? PBM may be asking too much, because I've never been able to do anything useful with it, outside of a training class. Perhaps using a DDL trigger(s) would get the job done (???).

Thanks in advance for any suggestions and/or advice.

P.S. I need to be able to log/prevent this for both sp_addsrvrolemember and ALTER SERVER ROLE, as we have 2008 R2 instances along with 2012+ instances.
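One way to get both the log and the block the question asks for is a server-scoped DDL trigger. The code below is an added example and is not code from the question or the answer; it assumes a DBA database named `DBAdmin` for the log table and a single permitted login `DOMAIN\dba_login`, both placeholders to replace. `ADD_SERVER_ROLE_MEMBER` is the event raised by `sp_addsrvrolemember`, and `ALTER_SERVER_ROLE` is the event raised by `ALTER SERVER ROLE ... ADD MEMBER`, so the same trigger covers both syntaxes named in the P.S.

```sql
-- Added example, not code from the question or the answer: a server-scoped DDL
-- trigger that records, then rolls back, any attempt to add a member to the
-- sysadmin or securityadmin role unless the originating login is the DBA's.
-- Assumptions (placeholders): a DBA database named DBAdmin exists, and
-- DOMAIN\dba_login is the one login allowed to hand out these roles.
USE DBAdmin;
GO
IF OBJECT_ID(N'dbo.ServerRoleGrantAttempts') IS NULL
    CREATE TABLE dbo.ServerRoleGrantAttempts (
        attempt_id     int IDENTITY(1,1) PRIMARY KEY,
        attempted_at   datetime2(0)  NOT NULL DEFAULT SYSUTCDATETIME(),
        original_login sysname       NOT NULL,
        session_login  sysname       NOT NULL,
        host_name      sysname       NULL,
        program_name   nvarchar(128) NULL,
        event_type     sysname       NOT NULL,
        command_text   nvarchar(max) NOT NULL
    );
GO
USE master;
GO
IF EXISTS (SELECT 1 FROM sys.server_triggers WHERE name = N'trg_BlockSysadminGrants')
    DROP TRIGGER trg_BlockSysadminGrants ON ALL SERVER;
GO
-- ADD_SERVER_ROLE_MEMBER fires for sp_addsrvrolemember (2008 R2 and later);
-- ALTER_SERVER_ROLE fires for ALTER SERVER ROLE ... ADD MEMBER (2012 and later).
-- On a 2008 R2 instance, remove ALTER_SERVER_ROLE from the event list, since
-- that statement (and event type) does not exist there.
CREATE TRIGGER trg_BlockSysadminGrants
ON ALL SERVER
FOR ADD_SERVER_ROLE_MEMBER, ALTER_SERVER_ROLE
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @evt        xml           = EVENTDATA();
    DECLARE @event_type sysname       = @evt.value('(/EVENT_INSTANCE/EventType)[1]', 'sysname');
    DECLARE @cmd        nvarchar(max) = @evt.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)');
    -- ORIGINAL_LOGIN() is the login that opened the connection, so an
    -- EXECUTE AS impersonation inside the session does not change who is recorded.
    DECLARE @who        sysname       = ORIGINAL_LOGIN();

    -- Coarse check on the statement text: both event types carry the target
    -- role name in the command, so this catches sysadmin and securityadmin
    -- regardless of which syntax was used.
    IF (@cmd LIKE N'%sysadmin%' OR @cmd LIKE N'%securityadmin%')
       AND @who <> N'DOMAIN\dba_login'
    BEGIN
        -- Roll back the role change first; statements after the ROLLBACK run
        -- outside the undone transaction, so the log row below survives.
        ROLLBACK;

        INSERT INTO DBAdmin.dbo.ServerRoleGrantAttempts
            (original_login, session_login, host_name, program_name, event_type, command_text)
        VALUES
            (@who, SUSER_SNAME(), HOST_NAME(), PROGRAM_NAME(), @event_type, @cmd);

        RAISERROR(N'Membership changes to sysadmin/securityadmin are restricted on this instance; the attempt has been logged.', 16, 1);
    END
END;
GO
```

Two caveats for anyone deploying this: a login that already holds sysadmin retains the ability to disable or drop a server trigger, so the log table and an audit of trigger DDL are what make the control worth anything, and the trigger only sees role membership changes, not explicit server-level permission grants, which need their own monitoring.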

Best Answer

For whodunnit, there's a profiler trace event "Audit Add Login to Server Role" under security. Presumably it catches ALTER and not just the SPs specified, but that would need to be tested.

I'd suspect the guilty, once caught, would start assigning specific permissions instead, so would trace that too.
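A SQL Server Audit captures the same event as the "Audit Add Login to Server Role" trace event without a running Profiler session, and can also pick up the explicit permission grants the answer expects to follow. The audit below is an added example and not the answer's own code; the file path `C:\SQLAudit\` is an assumed location that must exist and be writable by the SQL Server service account.

```sql
-- Added example, not code from the answer: a file-based server audit that
-- records every server role membership change, every server-level
-- GRANT/DENY/REVOKE, and any change to the audit itself.
-- Assumption: C:\SQLAudit\ exists and the service account can write to it.
USE master;
GO
CREATE SERVER AUDIT Audit_ServerRoleChanges
TO FILE ( FILEPATH = N'C:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10 )
WITH ( QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE );
GO
CREATE SERVER AUDIT SPECIFICATION AuditSpec_ServerRoleChanges
FOR SERVER AUDIT Audit_ServerRoleChanges
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),   -- sp_addsrvrolemember / ALTER SERVER ROLE ... ADD|DROP MEMBER
    ADD (SERVER_PERMISSION_CHANGE_GROUP),    -- explicit server-scope GRANT/DENY/REVOKE
    ADD (AUDIT_CHANGE_GROUP)                 -- someone altering or disabling this audit
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_ServerRoleChanges WITH (STATE = ON);
GO
-- Read back what was captured: who did it, from which session, the exact
-- statement, and the login and role it targeted. Joining sys.dm_audit_actions
-- turns the short action_id codes into readable names (e.g. ADD MEMBER).
SELECT  f.event_time,
        a.name                          AS action_name,
        f.succeeded,
        f.server_principal_name,                        -- login that ran the statement
        f.session_server_principal_name,                -- login that opened the session
        f.target_server_principal_name,                 -- login being added/dropped
        f.object_name                   AS role_or_object,
        f.session_id,
        f.statement
FROM    sys.fn_get_audit_file(N'C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT) AS f
JOIN    sys.dm_audit_actions AS a
        ON a.action_id = f.action_id
ORDER BY f.event_time DESC;
GO
```

Because the audit is written to a file as events occur, it remains readable even after the session that made the change has gone; keeping `AUDIT_CHANGE_GROUP` in the specification means that switching the audit off is itself the last thing it records.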