As a SQL Consultant there have been a number of times where I have had to gain ‘emergency access’ to a SQL Server installation. This can be because a previous DBA has not documented login details, a server has always been around and no-one is sure exactly what it does, or because all staff with administrator rights have left the company. On several occasions I have had to resolve an issue where a junior DBA or staff member has removed sysadmin rights from the BUILTINAdministrators group without realizing that this was the very group they were gaining their sysadmin rights from (Yes, SQL Server let’s you drop your own sysadmin rights, and once you’ve done it you can’t undo it under your own credentials!).
Regardless of the reason if you need emergency access to a server, there is an easy way and a hard way. There’s also a really easy way, but it does rely on the stars being aligned in a certain fashion, or more precisely the server being configured in a particular fashion.
The Really Easy Way
In SQL Server 2005 the BUILTINAdministrators group was automatically assigned full system administrator rights within SQL Server. This was considered something of a security hole and in most cases the rights were removed by the DBA’s looking after the servers. However it’s possible the SQL instance you are looking at is a default install of 2005, has been upgrade from a default install, or has had the logins transferred from one. So the first thing to try is simply to add your account in as a local administrator on the windows server and attempt to log in to SQL Server. You might get lucky.
The Easy Way
If the really easy way fails, you are left with the easy way and the hard way. Let’s start with the easy way, because it’s…well…easier. The downside of the easy way is that it requires a server restart. If you can’t restart the server then I’m afraid you’ll have to do things the hard way.
The easy way is documented in this Microsoft article and simply involves restarting the SQL Server in single user mode and then logging in. When logging in to single user mode any member of the local administrator group on the windows server will also have system administrator rights within SQL Server. It’s basically a more secure method of the BUILTINAdministrator method described above.
The Hard Way
Finally we come to the hard way. The hard way makes use of the fact that the NT Authority System login is automatically given administrator rights in a SQL instance. Again this can sometimes be removed by a protective DBA, but there’s less reason to than with BUILTINAdministrators as this method is far less well known and also requires a deliberate attempt to gain sysadmin rights. You can’t accidently follow this process whereas there are a number of reasons for adding a login to the local administrators group.
- Open up notepad and enter the following text.
sqlcmd.exe -S MYSQLSERVER -q “Exec sp_addsrvrolemember ‘BUILTINAdministrators’, ‘sysadmin’;”
‘MYSQLSERVER’ needs to be replaced with the name of your SQL instance. Now save this as type ‘all files’ with an extension of ‘.cmd’. You’ve just created a batch file that if run will add the group ‘BUILTINAdministrators’ to the system administrator role. Of course, if you run that file it will fail, because you don’t have the rights to do that just yet.
- So, to run it as NTAUTHORITY SYSTEM we need to make use of the ‘AT’ command. Schedule a task to run your file by doing the following:
- Open a command prompt(cmd at the run menu). You may need to do this as an administrator.
- Type the following: at 16:30 /interactive “C:tempsqladmin_restorer.cmd” – Obviously substitute the path and filename for your own file.
2. This job will pop up on your screen at 4:30pm letting you know the batch file has run. The BUILTINAdministrator should now be a member of the sysadmin role, and anyone set up as a local administrator will have full sql admin access.
All three of these methods do rely on you having local administrator rights on your SQL Server machine. The first 2 methods are built in functionality from Microsoft. It’s only the final method which is a true workaround.