Security considerations for BUILTIN\Users

I have been paring down the logins and users on my database, but still have some hanging around that don't do anything as far as I can see.

BUILTIN\\Users is one particular group that has no special permissions or role memberships.

I have read many a page on google talking about the other BUILTIN group (administrators - not writing full name in the hope google will pick up on BUILTIN\\Users instead), but nothing talks directly about BUILTIN\\Users.

I would like to remove this group, both as a DB user and as a login. I have separate AD Groups for admin and standard access to the SQL server.

So basically, is it safe to remove BUILTIN\\Users as a user and login?

more ▼

asked May 02, 2011 at 08:45 AM in Default

avatar image

26.2k 18 38 48

(comments are locked)
10|1200 characters needed characters left

2 answers: sort voted first

BUILTIN\\Users is not a normal, default addition to the logins. That means someone either put it there knowingly or unknowingly. The key is to determine which. You'll need to audit logins to your SQL Server and determine if they're coming in via other means. You can do that by getting with your AD admins and checking the other Windows logins (especially groups) which are being used.

more ▼

answered May 02, 2011 at 10:25 AM

avatar image

K. Brian Kelley
1k 1 4 4

@K. Brian Kelley I just added an extra backslash to "escape the escape". Otherwise, the BUILTIN\\Users comes as BUILTIN\Users. I hope you don't mind :)

May 02, 2011 at 10:42 AM Oleg

@K. Brian Kelley - the group was probably added unknowingly. As I mentioned, I don't have other users/groups that shouldn't be there - logins are audited too.

I will remove both the user and login then, thanks for your help.

May 02, 2011 at 12:22 PM WilliamD
(comments are locked)
10|1200 characters needed characters left

As long as nobody is accessing the server via that group, I think you'll be fine. We don't have any of the BUILTIN groups authorized as logins on our servers and haven't had any issues.

more ▼

answered May 02, 2011 at 10:21 AM

avatar image

25k 3 13 20

(comments are locked)
10|1200 characters needed characters left
Your answer
toggle preview:

Up to 2 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

SQL Server Central

Need long-form SQL discussion? SQLserverCentral.com is the place.



asked: May 02, 2011 at 08:45 AM

Seen: 8141 times

Last Updated: May 02, 2011 at 12:23 PM

Copyright 2018 Redgate Software. Privacy Policy