SQL Server 2008: Permission Denied When Adding User to sysadmin Role Despite Local Admin Rights


2 views

Many DBAs encounter this frustrating scenario: You're logged into SQL Server Management Studio (SSMS) with Windows credentials that belong to the local administrators group, yet you can't assign yourself to the sysadmin server role. The error typically appears as:

Msg 15151, Level 16, State 1, Line 1
Cannot alter the login 'DOMAIN\user', because it does not exist or you do not have permission.

Contrary to expectations, local machine administrator privileges don't automatically translate to SQL Server system administrator rights. SQL Server maintains its own security hierarchy independent of Windows local admin groups unless explicitly configured otherwise.

Here's how to regain control when locked out of sysadmin privileges:

-- Method 1: Using SQLCMD in single-user mode
1. Stop SQL Server service
2. Run from command prompt:
   sqlservr.exe -m -s MSSQLSERVER
3. In another window:
   sqlcmd -S .\MSSQLSERVER
   CREATE LOGIN [DOMAIN\user] FROM WINDOWS
   GO
   ALTER SERVER ROLE sysadmin ADD MEMBER [DOMAIN\user]
   GO

Alternatively, for less disruptive solutions:

-- Method 2: If you have any sysadmin account access
EXEC sp_addsrvrolemember 'DOMAIN\user', 'sysadmin'
GO

-- Method 3: Via PowerShell when no GUI access works
Import-Module SQLPS -DisableNameChecking
$svr = New-Object Microsoft.SqlServer.Management.Smo.Server("(local)")
$svr.Roles['sysadmin'].AddMember("DOMAIN\user")
$svr.Alter()

To avoid this situation in new installations:

-- During SQL Server setup:
1. In "Server Configuration" tab
2. Specify all required admin accounts in "Specify SQL Server Administrators"
3. Verify mixed authentication mode is enabled

When all else fails, consider these workarounds:

  • Use the dedicated administrator connection (DAC) via sqlcmd -A
  • Temporarily grant securityadmin role to create logins
  • Check for orphaned SIDs with sp_validatelogins

When working with SQL Server 2008 Management Studio, you might encounter a frustrating situation where you can't add your Windows account to the sysadmin role despite having local administrator privileges. The error typically appears when:

1. Right-clicking your login under Security/Logins
2. Selecting Properties
3. Navigating to Server Roles tab
4. Checking sysadmin checkbox
5. Receiving "You do not have sufficient permission" message

Here's the crucial detail many administrators miss: being a local Windows administrator doesn't automatically grant you sysadmin privileges in SQL Server. The two security systems operate independently.

The SQL Server service account determines the initial sysadmin members during installation. By default, only:

  • The SQL Server service account
  • The Windows account that installed SQL Server
  • Members of the BUILTIN\Administrators group (if added during setup)

get sysadmin privileges.

If you absolutely need sysadmin access immediately, you can restart SQL Server in single-user mode:

sqlservr.exe -m

Then connect using SQLCMD and run:

CREATE LOGIN [DOMAIN\user] FROM WINDOWS;
GO
EXEC sp_addsrvrolemember 'DOMAIN\user', 'sysadmin';
GO

For a more sustainable solution, follow these steps:

-- First verify your current permissions
SELECT IS_SRVROLEMEMBER('sysadmin') AS IsSysAdmin;

-- If NULL or 0 returned, you'll need existing sysadmin to run:
USE [master]
GO
GRANT CONTROL SERVER TO [DOMAIN\user];
GO

Rather than adding individual accounts to sysadmin, consider these alternatives:

-- Create a Windows group for DBAs
CREATE LOGIN [DOMAIN\SQL_DBAs] FROM WINDOWS;

-- Add the group to sysadmin
EXEC sp_addsrvrolemember 'DOMAIN\SQL_DBAs', 'sysadmin';

-- Then manage membership through AD

Note that newer SQL Server versions changed this behavior. Starting with SQL Server 2012, local administrators aren't automatically added to sysadmin during installation due to security improvements.