Wager Sull1991

  • Home
  • Sitemap
Home  ›  How to Disable Sa Account in Sql Server

How to Disable Sa Account in Sql Server

Written By Thom Alsent Saturday, November 27, 2021 Add Comment Edit

question

NeophyteSQL avatar image

sql server sa account disable

I am working on renaming and disabling the sa account
the sa account has been renamed to sa_tmp
the dbo user on all databases now show they are associated with the login sa_tmp
if I disable the login, how should I handle all the schemas owned by the user dbo in the respective databases.
should I transfer the schemas from dbo to a different user.
thanks a lot

sql-server-general

Cathyji-msft avatar image

Hi sqlniks,

No. You needn't to transfer them.

Renaming and disabling the sa account won't stop internal processes from being able to use the sa account. Therefore, if you have databases whose owners are sa, there isn't a problem. This is a good thing, because some databases, like master and tempdb, require the sa account as the owner. Also, having SQL Server Agent jobs owned by sa won't fail, either. The impersonation still works.

Please refer to Best Practices to Secure the SQL Server sa Account.

If the response helped, do "Accept Answer" and upvote it.

Best regards,
Cathy


NeophyteSQL avatar image

Thanks , which means the database schemas owned by dbos are still owned by the sa.
but we are trying to ensure non system objects do not depend on sa
so do we transfer the dbo owned schemas to a regular sql account

Cathyji-msft avatar image

Hi sqlniks,

but we are trying to ensure non system objects do not depend on sa

so do we transfer the dbo owned schemas to a regular sql account

If non system objects depend on the account that is a member of sysadmin group, you still needn't transfer them. If not, you can change it from SSMS UI, login properties> User Mapping

Best regards,
Cathy

TiborKaraszi avatar image

An object is owned by a user, not a login. Whenever you act as sysadmin, you operate as dbo in all databases. A database is owned by a login. What you might want to consider is to change the owner of the database to somebody who isn't "the real sa", i.e., sid 0x1. Erland, for instance, proposes IIRC to create one login per database, and the sole purpose for that login is to own that database.

NeophyteSQL avatar image

thanks , is it ok for schemas inside the databases to be owned by dbo, and dbo user in turn is related to the sa login

TiborKaraszi avatar image

I understand that. It doesn't invalidate anything I said. If you change the ovner of the database to somebody else than sa, then the schema vill be owner by dbo, but dbo will no longer point to sa.

NeophyteSQL avatar image

Tibor,

Thanks for your answer.

However I understand the database owners ,the database owners can be a different login. the schemas of the database are owned by dbo, do they need to be transferred to some other login so sa is not used indirectly.

TomPhillips-1744 avatar image

Let me be perfectly clear.

You do not need to do anything to the database owner or schema owner. Everything will work just fine when you disable "sa_tmp". The user must exist, not be "enabled".

ErlandSommarskog avatar image

thanks , is it ok for schemas inside the databases to be owned by dbo, and dbo user in turn is related to the sa login

The dbo schema must be owned by dbo. Other schemas do not have to be, but you would only change the schema owner if there is a special reason.

The database on the other hand is a different story. It is not good practice to have it owned by a sysadmin account. As Tibor says, my recommendation is that you create a unique SQL login which only exists to own that database. If the database is called Telephones, the login would be Telephone$owner or something like that. That login would be disabled and not granted any permissions.

question details

2 people are following this question.

TiborKaraszi follows this question ErlandSommarskog follows this question

Related Questions

How to Disable Sa Account in Sql Server

Source: https://docs.microsoft.com/answers/questions/75704/sql-server-sa-account-disable.html

Share this post

0 Response to "How to Disable Sa Account in Sql Server"

Post a Comment

Newer Post Older Post Home
Subscribe to: Post Comments (Atom)

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel

Popular Post

  • Ankie Broekers-Knol Arnoud Cornelis Broekers / 1933 Dutch general election - Wikipedia - Ze hebben twee dochters en vijf kleinkinderen.
    Anneke ankie broekersknol (born 23 november 1946) is a dutch politician of the people's party for. Ze hebben twee dochters...
  • Heb Receipt Lookup : Heb Receipt Lookup / How To Read Your Grocery Receipt Sale / Can walmart look up a receipt using the serial number of a product?
    Order confirmation number * where is my order confirmation number? Some stores can look up . To enroll in digital receipts, yo...
  • Eclipse Ee Download : 【Axis2】【Eclipse】 Axis2 と Eclipse を使って、 新規にWebサービスを構築する - Follow these instructions if you are setting up a development environment on your own machine.
    Integrated development environment for java and other languages. You would be fine with basic eclipse. Go to the standard wls ...



banner



Copyright - Wager Sull1991