A Principal Data Engineer at Microsoft (Saleem Hakani) had authored the below SQL Server Tips & Trick and I thought it would be one that would be found handy by many. Keep this one handy you never know when you may need it (Hopefully not too many times).
You are working as a trusted DBA responsible for some extremely important SQL Servers for your company. For the sake of security, you have performed the following steps to secure SQL Servers:
- You have removed any and all built-in administrators account from SQL Server logins
- You have removed all the users (except SA) that were part of SYSADMIN server role (Including any Windows Accounts and/or SQL Server logins)
- You have set the password of SA to something extremely complex which is hard to remember.
- For day-to-day operations on SQL Server, you use your domain user account which has DBO permissions on couple of databases but doesn’t have SYSADMIN privileges.
Since you set the SA password to be complex and you have not been using it, you forgot the SA password. You are the only person in the company who would know the SA password and now you have lost the SA password.
What would you do now?
Some quick options I can think of are listed below:
1. You will try to look for the SA password on your computer hard-drive or in your emails (If you stored it in some file which is a bad practice)
2. You will rebuild Master database or reinstall SQL Server and attach all the user databases. However, this could take some time and also doesn’t guarantee that all your logins, users, permissions and server configurations will be recovered unless you plan to restore the Master database from an old backup. However, as you don’t remember the SA password, restoring the Master database will not help you and you are back to square one.
3. You will call up Microsoft PSS
You are now running out of options. What would you do?
There’s a way with which you can gain SYSADMIN access to your SQL Server. However, that would mean your Windows account will need to be a member of the local administrators group.
SQL Server allows any member of Local Administrators group to connect to SQL Server with SYSADMIN privileges.
Here are the steps you will need to perform:
1. Start the SQL Server instance using single user mode (or minimal configuration which will also put SQL Server in single user mode)
From the command prompt type: SQLServr.Exe –m (or SQLServr.exe –f)
Note: If the Binn folder is not in your environmental path, you’ll need to navigate to the Binn folder.
(Usually the Binn folder is located at: C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn)
2. Once SQL Server service has been started in single user mode or with minimal configuration, you can now use the SQLCMD command from command prompt to connect to SQL Server and perform the following operations to add yourself back as an Admin on SQL Server instance.
SQLCMD –S <Server_Name\Instance_Name>
You will now be logged in to SQL Server as an Admin.
3. Once you are logged into the SQL Server using SQLCMD, issue the following commands to create a new account or add an existing login to SYSADMIN server role.
To create a new login and add that login to SYSADMIN server role:
1> CREATE LOGIN ‘<Login_Name>’ with PASSWORD=’<Password>’
1> SP_ADDSRVROLEMEMBER ‘<Login_Name>’,’SYSADMIN’
To add an existing login to SYSADMIN server role, execute the following:
1> SP_ADDSRVROLEMEMBER ‘<LOGIN_NAME>’,’SYSADMIN’
The above operation will take care of granting SYSADMIN privileges to an existing login or to a new login.
4. Once the above steps are successfully performed, the next step is to stop and start SQL Server services using regular startup options. (This time you will not need –f or –m)
Note: Those that might be thinking this might make it easy for anyone to get access to SQL Server, well remember that you do have Auditing and will have control of who gets access to the local servers administrators group. If you haven’t enable controls at that level then you may have bigger security issues in hand!!!