If you add a Windows login to the Administrators group, you may still be unable to log in to SQL Server with that Windows login, even though the Administrators group is a SQL Server login.
Similarly:
1. You remove a Windows login from a Windows group. Assume that the Windows group is a SQL Server login and has DENY on certain objects in a database.
2. You then add the Windows login explicitly to the SQL Server logins and grant it permissions on the objects that are denied to the Windows group. The login will still be unable to access the objects that have DENY for the group, and may raise error 229, similar to the one below:
{The SELECT permission was denied on the object '', database 'mssqlsystemresource', schema 'sys'. (Microsoft SQL Server, Error: 229)}
This can happen when SQL Server creates the login token from the LSA cache: the LSA cache is not refreshed after the login (Admin2 here) is added to the Administrators group. To resolve it:
1. Disable the LSA cache on the machine. The steps are included in http://support.microsoft.com/kb/946358.
2. Restart the machine.
3. Connect using the problematic login and try again.
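To confirm that a stale token is the cause before or after these steps, the queries below show which Windows groups SQL Server actually placed in the session's token and which DENY entries reach the session through them. This is an added diagnostic example, not part of the original post; the account name `CONTOSO\Admin2` is a placeholder.

```sql
-- Part 1: run in a session opened by the affected Windows login.
-- Shows the identity and the Windows groups present in the login token.
SELECT SUSER_SNAME() AS connected_as;

SELECT name, type, usage          -- usage: 'GRANT OR DENY' or 'DENY ONLY'
FROM sys.login_token
WHERE type = 'WINDOWS GROUP'
ORDER BY name;

-- Part 2: same session, in the database where error 229 is raised.
-- Lists every DENY that applies through a principal in the user token,
-- so a group the login was removed from still showing up here means
-- the token was built from outdated group membership.
SELECT ut.name                          AS token_principal,
       ut.type                          AS principal_type,
       pe.permission_name,
       pe.state_desc,
       pe.class_desc,
       OBJECT_SCHEMA_NAME(pe.major_id)  AS schema_name,
       OBJECT_NAME(pe.major_id)         AS object_name
FROM sys.user_token AS ut
JOIN sys.database_permissions AS pe
     ON pe.grantee_principal_id = ut.principal_id
WHERE pe.state = 'D'                    -- D = DENY
  AND pe.class = 1                      -- object or column permissions
ORDER BY ut.name, object_name;

-- Part 3: run as a sysadmin from a different session.
-- Lists the permission paths (Windows groups) through which the account
-- maps to SQL Server logins; compare with the groups from Part 1.
-- CONTOSO\Admin2 is a placeholder account name.
EXEC xp_logininfo @acctname = N'CONTOSO\Admin2', @option = 'all';
```

If Part 1 is missing a group the login was just added to, or still lists a group it was removed from, the session is running on outdated membership and the steps above apply.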