Unable to disable group

Hello, I will be the first to admit I am no expert. Especially when it comes to security.

Tried to run

ALTER LOGIN [OurOldDomain\OurGroup] DISABLE;

and received the message
Disable Login. failed for Login 'OurOldDomain\OurGroup'. (Microsoft.SqlServer.Smo)
An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
Cannot alter the login 'OurOldDomain\OurGroup', because it does not exist or you do not have permission. (Microsoft SQL Server, Error: 15151)

Now I am a sysadmin. (I even checked that this morning.) So why can I not execute this? (I also tried through SSMS GUI). There are several groups I would like to disable as we changed to a new domain, but I cannot disable them.

Looks like that is a "feature" See here

You cannot use ALTER_LOGIN with the DISABLE argument to deny access to a Windows group. For example, ALTER_LOGIN [domain\group] DISABLE will return the following error message:
"Msg 15151, Level 16, State 1, Line 1
"Cannot alter the login 'Domain\Group', because it does not exist or you do not have permission."
This is by design.

Thank you. Oh, joy. So I leave a security hole until it is decided I can drop them. :grin:

This is actually not a problem as I was just trying to do house keeping while I had time. We have only been on the new domain for about a month and some accounts are still being used from the old domain. We are a small shop with so many high priority requests, we prioritize them. To that end we have "fire of the day".

You could try DENYing that login CONNECT permission. That would greatly reduce what it could do on its own.