
DBA login security using AD accounts


#1

Hello DBAs,
I'm pretty sure most, if not all, of y'all log in to SQL Servers using your AD accounts. This has been the 'norm' since Microsoft came out with the Windows authentication login addition.
I'm in a company where they are using a service account to log in (even for RDP), and I made the comment of why not follow the trend and create the standard group, grant it sysadmin, and add the DBAs to that group....
Their thinking is that if one DBA creates a database, packages, etc... and that DBA leaves, then they won't have access to whatever he/she has created. Apparently they had suffered from this in the past.
I mentioned that they just have to create these different objects and change ownership after the fact, just as I've been doing in the past; but they require an official document, whitepaper, etc.... (preferably from Microsoft) laying out these steps and explaining how this works.
The versions in this case are 2008 R2 and above.

I was wondering if there is such a document before I begin searching for it. Oddly, I've never encountered this situation, so I hadn't given it much thought before now... I knew what to do because it had already been implemented anywhere I went to do a contract.

Any comments are very much appreciated in advance!
lec


#2

In SQL 2000: Ownership in SQL 2000

Since 2005: Ownership since SQL 2005
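
The approach described in the first post (an AD group holding sysadmin, with ownership reassigned when a DBA leaves), sketched as an added T-SQL example that is not part of the thread or taken from Microsoft documentation. `CONTOSO\SQL-DBAs` and `CONTOSO\departed.dba` are placeholder names, and reassigning ownership to the built-in `sa` login is an assumption about site policy.

```sql
-- Added example. Group and account names are placeholders, not from the thread.

-- 1. One login for the AD group; each DBA connects with a personal AD account
--    and inherits sysadmin through group membership, so activity stays
--    attributable to an individual instead of a shared service account.
CREATE LOGIN [CONTOSO\SQL-DBAs] FROM WINDOWS;
-- sp_addsrvrolemember works on 2008 R2 and later;
-- on 2012+ ALTER SERVER ROLE ... ADD MEMBER is the current syntax.
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQL-DBAs',
                         @rolename = N'sysadmin';
GO

-- 2. Inventory what a departing DBA owns. Run this before the AD account
--    is deleted: SUSER_SID returns NULL once the name no longer resolves.
DECLARE @old_owner sysname        = N'CONTOSO\departed.dba';
DECLARE @old_sid   varbinary(85)  = SUSER_SID(@old_owner);
-- The built-in sa login always has SID 0x01, even if it has been renamed.
DECLARE @new_owner sysname        = SUSER_SNAME(0x01);

SELECT name AS database_name
FROM sys.databases
WHERE owner_sid = @old_sid;

SELECT name AS agent_job
FROM msdb.dbo.sysjobs
WHERE owner_sid = @old_sid;

SELECT name AS msdb_ssis_package
FROM msdb.dbo.sysssispackages
WHERE ownersid = @old_sid;

-- 3. Generate the ownership changes for review; nothing is executed here.
SELECT N'ALTER AUTHORIZATION ON DATABASE::' + QUOTENAME(name)
     + N' TO ' + QUOTENAME(@new_owner) + N';' AS fix_statement
FROM sys.databases
WHERE owner_sid = @old_sid
UNION ALL
SELECT N'EXEC msdb.dbo.sp_update_job @job_id = '''
     + CONVERT(nvarchar(36), job_id)
     + N''', @owner_login_name = N'''
     + REPLACE(@new_owner, N'''', N'''''') + N''';'
FROM msdb.dbo.sysjobs
WHERE owner_sid = @old_sid;
```

Step 3 only prints the statements so they can be reviewed and run under change control; the inventory covers databases, Agent jobs and msdb-stored SSIS packages, not every securable a login can own.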