SQL Server 2016 Permissions – Unable to Revoke ‘NT AUTHORITY\SYSTEM’

permissionssql serversql-server-2016

I have tried everything I know to do and spent several hours Googling without success. I want to revoke the SHUTDOWN and CONTROL SERVER permissions for the login NT AUTHORITY\SYSTEM.

When I run this

EXECUTE AS LOGIN = 'NT AUTHORITY\SYSTEM'
SELECT * FROM fn_my_permissions(NULL,NULL)
REVERT

…the output is:

Things I have tried:

Deleting the Login entirely,
Executing the following (with the different permissions listed):

USE master;  
REVOKE SHUTDOWN FROM "NT AUTHORITY\SYSTEM";
GO

Even after I delete the login, and execute the fn_my_permissions SP, it still lists the permissions from the image above.

Any help I could get on this would be great.

Best Answer

This should revoke the permissions

REVOKE CONTROL SERVER TO [NT AUTHORITY\SYSTEM]
REVOKE SHUTDOWN TO [NT AUTHORITY\SYSTEM]

Tests

use [master]
GO
GRANT CONTROL SERVER TO [NT AUTHORITY\SYSTEM]
GO
use [master]
GO
GRANT SHUTDOWN TO [NT AUTHORITY\SYSTEM]
GO

EXECUTE AS LOGIN = 'NT AUTHORITY\SYSTEM'
SELECT * FROM fn_my_permissions(NULL,NULL)
REVERT

Result

... (34 Results)

REVOKE CONTROL SERVER TO [NT AUTHORITY\SYSTEM]
REVOKE SHUTDOWN TO [NT AUTHORITY\SYSTEM]

EXECUTE AS LOGIN = 'NT AUTHORITY\SYSTEM'
SELECT * FROM fn_my_permissions(NULL,NULL)
REVERT

Result

Extra info

If you are ever unsure about the syntax, an easy one (in my opinion), is selecting what you need inside of the GUI and then scripting it out using the 'script' button.

For example in this answer, I added the grants for the CONTROL SERVER and SHUTDOWN to the login NT AUTHORITY\SYSTEM , Scripted it out, and then removed them in the GUI and scripted them out again to get the revoke statements. I am against executing stuff through the GUI though, since it is easy to overlook things, and it has proven to be buggy.

Related Solutions

Sql-server – Giving file system access to the SQLSERVERAGENT virtual account

To specifically answer your question, here's how you give disk access rights to the built in SQL Server Agent account. But read on as I answer what I believe to be the real issue:

1.> Right-click your drive, select properties, select security, click the Add button and enter the SQLSERVERAGENT account(make sure your domain isn't selected in the From this location text box, but rather your computer name):

2.> Click the Check Names button to validate that the account is valid:

3.> Now, add the file permission you need to the SQLSERVERAGENT account. For trouble-shooting purposes, you may want to give Full control and then scale it back later as needed:

That being said, you probably just need to use SQL Server Configuration Manger to re-add the SQL Agent user--according to the comments I saw about msdb and logins. Configuration Manager makes more changes to SQL Server than using the Windows Services applet--so Configuration Manager should always be used to change ANY SQL Service.

This will fix the issue if someone may have changed the account within Windows Services causing the service to fail on startup. You need to reset it within Configuration Manager. Doing so allows Configuration Manager to add to SQL Server the much needed permissions to manage the MSDB database for the Local Service account (NT SERVICE\SQLSERVERAGENT) whereas changing accounts within the Windows services applet does not.

Caveat: Versions SQL Server Express above 2000 do not include a SQL Agent. Certain aspects of it may appear to be there, but its unusable in the Express version of the product.

To begin, open SQL Server Configuration Manager and double-click the SQL Server Agent service in the SQL Server Services. Select the Built-in account radio button and choose Local Service, and click the Apply button. Important : if you already see that this account is selected chose another account and click the Apply Button. Then, change it back to Local Service and click the Apply button to allow Configuration Manager to add the correct MSDB permissions for the SQL Agent service to start. Now, restart SQL Server Agent to reflect this new setting.

SQL Server Permissions – Detect Execute Permission Granted to Role Without ON Clause

GRANT EXECUTE TO [principal] is simply a shortcut for GRANT EXECUTE ON DATABASE::<dbname> TO [principal];

You can check this using the following:

SELECT dp.name
    , perms.class_desc
    , perms.permission_name
    , perms.state_desc
FROM sys.database_permissions perms
    INNER JOIN sys.database_principals dp ON perms.grantee_principal_id = dp.principal_id 
WHERE dp.name = 'MyRole'

Best Answer

Related Solutions

Sql-server – Giving file system access to the SQLSERVERAGENT virtual account

SQL Server Permissions – Detect Execute Permission Granted to Role Without ON Clause

Related Question