Enhancing Analysis 2005 Security - Revoking Domain Admin and Local Admin from Built in Admin role
- General
By default Analysis 2005 sets the following accounts as server administrators:
Local Admin Group
Service Log-on account
To enhance analysis security, it's often requested to alter default policy by dropping domain and local admin account from server administrator role. This post describe the proper steps to perform in order to complete that task
- Warning
The following procedure would result dropping Local and domain administrator from the predefined Analysis Server Admin role. However it's not possible to block the local admin and/or domain admin from adding their logon to the server specific admin list. Once done, they would resume server administrator effective rights by the virtue of their own account rather than by prefixed role.
It's a good procedure to ensure strict corporate audit on that issue!
1. Using the SQL Server management studio connect to the analysis server.
2. Right click the server instance name and choose security tab from the properties option
3. Add the genuine server administrator group (The assigned administrator group of the server)
4. Click Ok
5. Using the General tab click the "Show Advanced (All) Properties" checkbox.
6. Page through the properties window until reaching "Security\BuiltinAdminsAreServerAdmins"
7. Change the value to "false"
8. Verify that you have completed successfully steps 3-4 prior to that phase!!
9. Please verify that Analysis Server Service Log-On was set to an account other than local admin
or domain admin. (do not change the "Security\ServiceAccountIsServerAdmin").
Enjoy :-)
Eran