I’m trying to drop all the logins from SQL server except the default built-in SQL server logins but I’m unable to drop the “administrator” account. It gives me an error :
“Server principal ‘administrator’ has granted one or more permission(s). Revoke the permission(s) before dropping the server principal.”
I tried checking the permission assigned to this user using this query :
Select *
from sys.server_permissions
where grantor_principal_id =
(Select principal_id
from sys.server_principals
where name = N'<domain>administrator')
This query returns only one record corresponding to an end point as below :
class class_desc major_id minor_id grantee_principal_id grantor_principal_id type permission_name state state_desc 105 ENDPOINT 65536 0 269 259 CO CONNECT G GRANT
But when I try to check the rights assigned to this user on any of the existing end points using object explorer I find none have any kind of permissions for the user I’m trying to delete.
I’m not sure what is happening and where to look for to drop this user. Any help will be greatly appreciated.
Advertisement
Answer
I was able to solve this issue. There were following two issues which were not allowing me to drop the “administrator” login from sql server:
- Owner of “ReportServer” and “ReportServerDB” was found to be ”administrator” user
- Owner of “ConfigMgrEndPoint” end point was found to be “administrator” user.
I changed both of them to “sa” user and then I was successfully able to drop the user. I also got following expert comment from one of my colleagues who was helping me with this issue :
Keeping [sa] as a default owner for most sql object is a good practice. Making a domain user as owner of SQL objects can affect the working later on if that user no longer exists in Active Directory in future.