removing BUILTIN\Admin access to databases

[Kevin]

a re-visit of an old question...here's an old note which describes my
similar issue:

I'm trying to create an installation setup where administrators are
denied access to databases by default, but still can perform various
admin tasks on SQL Server.

BUILTIN\administrators has been removed from the sysadmin server role,
but in the login properties this login is still listed as having
access to *all* databases as 'dbo' (also the db_owner db-role is
checked in each db). Any attempt to uncheck 'permit' gives the message
'The database owner cannot be dropped'.

What gives? It looks as if 'BUILTIN\administrators' is aliased to
'dbo' at some level, although I'm unable to find a clue to this in the
system tables.

Dropping the login works fine (but isn't a solution). When adding the
login again after dropping it, this message appears: "It has been
detected that this login has permissions in specific databases(s) -
the login will have access to these databases now".

What was the resolution to this?

I would like to use this solution, because deleting the BUILTIN\Admins group
is causing problems with replication and other things.

thanx

[Cindy Gross (MS)]

Just a guess - Did you create databases with trusted authentication using an account that's a member of the local admin group? If so, the "sa" that owns the
databases may be your Windows account instead of "sa". Try changing the dbo of each database to SA (you may have to change it to something else first).

Cindy Gross, MCDBA, MCSE
http://cindygross.tripod.com
This posting is provided "AS IS" with no warranties, and confers no rights.

[Kevin]

Thanks, Cindy.

I'll give it a try, because I really, really want to remove the
BUILTIN\Administrators from any access to the databases.

"Cindy Gross (MS)" <cgr...@online.microsoft.com> wrote in message
news:UvjP7V$QCHA.1348@cpmsftngxa06...