Here's my plan to change it:
1. I've run a trace for a couple of days to verify that there are no
jobs or processes that are connecting as SA and that would break if I
changed the password.
2. Before changing the password I am going to bulk copy out the
sysxlogins row for SA so that if things go wrong I can reinsert the old
data with the old unknown password (will that work?).
3. Log on to the console as Windows administrator and change the SA
password.
Does that make sense? Anyone have any other suggestions?
Thanks.

<patrickshroads@.hotmail.com> wrote in message
news:1108157543.004606.300840@.l41g2000cwc.googlegroups.com...
> I just started a new job and no one seems to know the SA password.
> Here's my plan to change it:
> 1. I've run a trace for a couple of days to verify that there are no
> jobs or processes that are connecting as SA and that would break if I
> changed the password.
> 2. Before changing the password I am going to bulk copy out the
> sysxlogins row for SA so that if things go wrong I can reinsert the old
> data with the old unknown password (will that work?).
> 3. Log on to the console as Windows administrator and change the SA
> password.
> Does that make sense? Anyone have any other suggestions?
> Thanks.
Assuming you've tested that the Windows Administrator account does have
sysadmin rights in MSSQL (it does by default), then you'll be able to change
the password with no problems - the only issue would be an application or
script that has the old password coded into it. But at least if something
does stop working, you know you've found a security issue which should be
fixed urgently.
As for going back to the old password, modifying data in system tables
directly is usually a bad idea and not supported by Microsoft (see "allow
updates Option" in Books Online), so if you update sysxlogins directly and
things go wrong, you'll probably have to restore master from a backup. But
it would almost certainly be better to fix whatever is using the old
password rather than messing with sysxlogins. If possible, I would set a
very strong sa password, change the server from mixed mode to Windows
authentication only, and forget about the sa login, but I appreciate that
that isn't always an option.
Simon
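
The checks and the password change discussed in this thread, written out as T-SQL. This is an added example, not code from either poster; it assumes SQL Server 2000 (the version that has sysxlogins) and a Query Analyzer session opened with Windows authentication, and the password shown is a placeholder.

```sql
-- Added example; assumes SQL Server 2000 and a connection made with
-- Windows authentication as the local Windows administrator.

-- 1. Confirm the current Windows login really is a sysadmin before relying on it.
SELECT SYSTEM_USER                  AS current_login,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- must be 1 to continue

-- 2. List every member of the sysadmin role, so sa is not the only way in
--    once its password has been changed.
EXEC sp_helpsrvrolemember 'sysadmin';

-- 3. Point-in-time check for live sessions logged in as sa. This complements
--    the multi-day trace: it only sees connections open right now.
SELECT spid, hostname, program_name, login_time
FROM   master..sysprocesses
WHERE  loginame = 'sa';

-- 4. Change the sa password through the supported procedure instead of
--    touching sysxlogins. A sysadmin may pass NULL as the old password.
--    '<new-strong-password>' is a placeholder; replace it before running.
EXEC sp_password @old = NULL,
                 @new = '<new-strong-password>',
                 @loginame = 'sa';

-- 5. Report the authentication mode: 1 = Windows only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
```

Switching from mixed mode to Windows authentication only is done in the server's security properties in Enterprise Manager and takes effect after the SQL Server service restarts.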