A Principal Data Engineer at Microsoft (Saleem Hakani) had authored the below SQL Server Tips & Trick and I thought it would be one that would be found handy by many. Keep this one handy you never know when you may need it (Hopefully not too many times).
You are working as a trusted DBA responsible for some extremely important SQL Servers for your company. For the sake of security, you have performed the following steps to secure SQL Servers:
Since you set the SA password to be complex and you have not been using it, you forgot the SA password. You are the only person in the company who would know the SA password and now you have lost the SA password.
What would you do now?
Some quick options I can think of are listed below:
1. You will try to look for the SA password on your computer hard-drive or in your emails (If you stored it in some file which is a bad practice)
2. You will rebuild Master database or reinstall SQL Server and attach all the user databases. However, this could take some time and also doesn’t guarantee that all your logins, users, permissions and server configurations will be recovered unless you plan to restore the Master database from an old backup. However, as you don’t remember the SA password, restoring the Master database will not help you and you are back to square one.
3. You will call up Microsoft PSS
You are now running out of options. What would you do?
There’s a way with which you can gain SYSADMIN access to your SQL Server. However, that would mean your Windows account will need to be a member of the local administrators group.
SQL Server allows any member of Local Administrators group to connect to SQL Server with SYSADMIN privileges.
Here are the steps you will need to perform:
1. Start the SQL Server instance using single user mode (or minimal configuration which will also put SQL Server in single user mode)
From the command prompt type: SQLServr.Exe –m (or SQLServr.exe –f)
Note: If the Binn folder is not in your environmental path, you’ll need to navigate to the Binn folder.
(Usually the Binn folder is located at: C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn)
2. Once SQL Server service has been started in single user mode or with minimal configuration, you can now use the SQLCMD command from command prompt to connect to SQL Server and perform the following operations to add yourself back as an Admin on SQL Server instance.
SQLCMD –S <Server_Name\Instance_Name>
You will now be logged in to SQL Server as an Admin.
3. Once you are logged into the SQL Server using SQLCMD, issue the following commands to create a new account or add an existing login to SYSADMIN server role.
To create a new login and add that login to SYSADMIN server role:
1> CREATE LOGIN ‘<Login_Name>’ with PASSWORD=’<Password>’
1> SP_ADDSRVROLEMEMBER '<Login_Name>','SYSADMIN'
To add an existing login to SYSADMIN server role, execute the following:
1> SP_ADDSRVROLEMEMBER ‘<LOGIN_NAME>’,’SYSADMIN’
The above operation will take care of granting SYSADMIN privileges to an existing login or to a new login.
4. Once the above steps are successfully performed, the next step is to stop and start SQL Server services using regular startup options. (This time you will not need –f or –m)
Note: Those that might be thinking this might make it easy for anyone to get access to SQL Server, well remember that you do have Auditing and will have control of who gets access to the local servers administrators group. If you haven't enable controls at that level then you may have bigger security issues in hand!!!
Football Team Location Problem | SQL Lion
T – SQL challenge to solve Football Team Location Problem in a single query.
Excellent - thanks for sharing - please browse for <a href="www.sqlservermanagementstudio.net/.../sql-server-2008-management-studio.html"> sql server management studio</a>
In sql server 2008 r2 the path has been changed to "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn"
Question: Can a user with 'Sysadm' privilege in a SQL Server Instance gain access (be it privileged or any other) to the databases created under that instance without having an active account in that instance?
An example would be a user authenticated to the SQL server instance through Active Directory Domain group which as been granted a 'sysadm' privilege but the user account does not have an entry in the sysusers table in any of the databases under the same instance.
Any help would be appreciated.
You can also use tooling like PSEXEC to launch SQLCMD or even SSMS as the NT AUTHORITY\SYSTEM account which by default is a Sysadmin inside SQL Server. This allows access with the same assumptions, that you have administrative access to the underlying OS. The nice thing about this approach is that you don't have to stop the service. Argenis blogged about it a while back... sqlblog.com/.../think-your-windows-administrators-don-t-have-access-to-sql-server-2008-by-default-think-again.aspx
Hello below query is wrong
CREATE LOGIN ‘<Login_Name>’ with PASSWORD=’<Password>’
login name should not be in single quote as per your demo reader will take it in single quote
The single user mode is awful! I also know another way to recover access to sql server:
This method works in case you forgot the sa password or sa account got locked out or disabled.
It's worth a try.
"SQL Server allows any member of Local Administrators group to connect to SQL Server with SYSADMIN privileges."
I guess this applies only if the builtin\administrators login is enabled in the SQL Server instance. builtin\administrators is not available in my instance and im not able to login in single user mode,even though im a WINDOWS local administrator
True - was trying it because of this [http://social.msdn.microsoft.com/Forums/windowsazure/en-US/c307cd19-d78b-4767-8e86-127b6ebb2b6e/new-vm-sql-2014-dw-on-azure-cannot-login-to-sql-database?forum=ssdsgetstarted#73b0b6c7-db20-4630-9e6b-51a1cbbb2403
]works only if BuiltINadmin is there.
Check this for a solution.
this doesn't work in 2014 :(