sp_Blitz® Result: Database Owners <> SA

When databases are created, the owner defaults to whoever created it.  This ownership gives the creator additional permissions, and this can be a problem in a locked-down secure environment where we need to honor the principle of least privilege.

This part of our SQL Server sp_Blitz script checks sys.databases looking at the owners.  It was contributed by Ali Razeghi.

To Fix the Problem

In a perfect world, you’d take the time to fully understand the principle of least privilege. Read Andreas Wolter’s post on who should be the database owner, and check out Denny Cherry’s book Securing SQL Server for more details.

Most shops end up using SA as the owner because it’s the easiest way to avoid ownership problems when the owner name no longer exists. This is not best practice – but there’s no short answer for best practice.

If you decide you want to make SA the owner on a database, run this T-SQL command:

ALTER AUTHORIZATION ON DATABASE::ReplaceThisWithYourDatabaseName to sa;

After the change, your server will be more secure – but users may be accustomed to doing things they no longer have permission to do.  Check with the former database owner to make sure everything continues to work.

To Fix the Problem Long Term

Andreas Wolter added a Connect item for a special database owner principal. Vote for it here.

Return to sp_Blitz or Ask Us Questions

css.php