MS SQL Server OLAP - Lock out Local administrator

Author

Lock out Local administrator

verbani

2005-06-21, 3:23 am

hi,

I'm creating an app on local machines. These have a personal edition of as
installed.

What I want to do is secure the AS that I can only connect with our
application local user. Big problem is off course the local admin account.
I've deleten the OLAP Admin group of the machine. But the local admin still
can see everyting even if he doesn't have any rights to the OLAP database...

Anyone an idea?

Regards,
Nico

Francesco Anti

2005-06-21, 11:23 am

At http://support.microsoft.com/defaul...kb;en-us;231951 you can
find a list of the permissions needed to administer an Analysis server.
Local administrators have all of this permissions, so they will be always
able to administer your analysis server

Francesco Anti

"verbani" <verbani@discussions.microsoft.com> wrote in message
news:74F964C9-81AC-483D-A6A9- FA10EBD2596E@microso
ft.com...
> hi,
>
> I'm creating an app on local machines. These have a personal edition of
> as
> installed.
>
> What I want to do is secure the AS that I can only connect with our
> application local user. Big problem is off course the local admin
> account.
> I've deleten the OLAP Admin group of the machine. But the local admin
> still
> can see everyting even if he doesn't have any rights to the OLAP
> database...
>
> Anyone an idea?
>
> Regards,
> Nico

Dave Wickert [MSFT]

2005-06-21, 8:24 pm

Look in the SP4 release notes, you will see that there is a new registry
setting which will disable the automatic granting of OLAP Administrator
permissions for machine administrators. However, it is still not full-proof
situation because any machine administrator can also add themselves to the
OLAP Administrators group by-hand. Thus the real bottom line is that there
isn't a real way to lock out an Administrator -- although with then new
registry setting you can at least force them to explicitly give themselves
OLAP Administrator permissions.

BTW: What is "personal edition of Analysis Services"? We have no such
product. What I think you mean is Developer Edition (which does include a
license for Analysis Services).

--
Dave Wickert [MSFT]
dwickert@online.microsoft.com
Program Manager
BI SystemsTeam
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Francesco Anti" <fanti_@_sicosbt.it> wrote in message
news:%23NDAPundFHA.412@tk2msftngp13.phx.gbl...
> At http://support.microsoft.com/defaul...kb;en-us;231951 you can
> find a list of the permissions needed to administer an Analysis server.
> Local administrators have all of this permissions, so they will be always
> able to administer your analysis server
>
> Francesco Anti
>
> "verbani" <verbani@discussions.microsoft.com> wrote in message
> news:74F964C9-81AC-483D-A6A9- FA10EBD2596E@microso
ft.com...
>
>

verbani

2005-06-23, 9:23 am

Dave,

So if I understand correctly if I delete the olap admin group would it then
be more secure if I also use the SP4?

BTW: There is a version of SQL Server called personal edition. It is
delivered with the entreprise and standard edition. And is meant as an
aditional part of an existing solution to be able to also work offline.

"Dave Wickert [MSFT]" wrote:

> Look in the SP4 release notes, you will see that there is a new registry
> setting which will disable the automatic granting of OLAP Administrator
> permissions for machine administrators. However, it is still not full-proof
> situation because any machine administrator can also add themselves to the
> OLAP Administrators group by-hand. Thus the real bottom line is that there
> isn't a real way to lock out an Administrator -- although with then new
> registry setting you can at least force them to explicitly give themselves
> OLAP Administrator permissions.
>
> BTW: What is "personal edition of Analysis Services"? We have no such
> product. What I think you mean is Developer Edition (which does include a
> license for Analysis Services).
>
> --
> Dave Wickert [MSFT]
> dwickert@online.microsoft.com
> Program Manager
> BI SystemsTeam
> SQL BI Product Unit (Analysis Services)
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Francesco Anti" <fanti_@_sicosbt.it> wrote in message
> news:%23NDAPundFHA.412@tk2msftngp13.phx.gbl...
>
>
>

verbani

2005-06-24, 3:23 am

Dave,

I've installed SP4. (I checked the version of AS after installation, and it
was applied) The registry entry wasn't created automatically so I created it
manually.

But as administrator I can still connect to my cubes? What am I doing wrong?

Regards,
Nico

"Dave Wickert [MSFT]" wrote:

> Look in the SP4 release notes, you will see that there is a new registry
> setting which will disable the automatic granting of OLAP Administrator
> permissions for machine administrators. However, it is still not full-proof
> situation because any machine administrator can also add themselves to the
> OLAP Administrators group by-hand. Thus the real bottom line is that there
> isn't a real way to lock out an Administrator -- although with then new
> registry setting you can at least force them to explicitly give themselves
> OLAP Administrator permissions.
>
> BTW: What is "personal edition of Analysis Services"? We have no such
> product. What I think you mean is Developer Edition (which does include a
> license for Analysis Services).
>
> --
> Dave Wickert [MSFT]
> dwickert@online.microsoft.com
> Program Manager
> BI SystemsTeam
> SQL BI Product Unit (Analysis Services)
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Francesco Anti" <fanti_@_sicosbt.it> wrote in message
> news:%23NDAPundFHA.412@tk2msftngp13.phx.gbl...
>
>
>

Dave Wickert [MSFT]

2005-06-24, 8:23 pm

1) Are you specifically included in the OLAP Administrators group? If so,
then remove yourself. You must have at least *ONE* user specifically in the
OLAP Administrators group -- otherwise no one can administer your machine
since you've removed machine administrators from being also treated as OLAP
administrators by setting this flag in the registry.
2) I believe that you have to reboot for the registry changes to be
recognized by SP4
--
Dave Wickert [MSFT]
dwickert@online.microsoft.com
Program Manager
BI SystemsTeam
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"verbani" <verbani@discussions.microsoft.com> wrote in message
news:41BE9BE6-5EEF-4A78-80F6- 883313928427@microso
ft.com...[color=darkred]
> Dave,
>
> I've installed SP4. (I checked the version of AS after installation, and
> it
> was applied) The registry entry wasn't created automatically so I created
> it
> manually.
>
> But as administrator I can still connect to my cubes? What am I doing
> wrong?
>
> Regards,
> Nico
>
> "Dave Wickert [MSFT]" wrote:
>

verbani

2005-06-27, 3:23 am

Dave,

The OLAP Administrators group is deleted. No one must administer these
machines. The only thing that has to be done is to be able to restore an
archive. And view data.

I've tried all. But still no results. I'm working with a virtual machine
to test. Could this be the problem???

Regards,
Nico

"Dave Wickert [MSFT]" wrote:

> 1) Are you specifically included in the OLAP Administrators group? If so,
> then remove yourself. You must have at least *ONE* user specifically in the
> OLAP Administrators group -- otherwise no one can administer your machine
> since you've removed machine administrators from being also treated as OLAP
> administrators by setting this flag in the registry.
> 2) I believe that you have to reboot for the registry changes to be
> recognized by SP4
> --
> Dave Wickert [MSFT]
> dwickert@online.microsoft.com
> Program Manager
> BI SystemsTeam
> SQL BI Product Unit (Analysis Services)
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "verbani" <verbani@discussions.microsoft.com> wrote in message
> news:41BE9BE6-5EEF-4A78-80F6- 883313928427@microso
ft.com...
>
>
>

Sponsored Links