Deny Create Database

User is an NT Administrator and has been made a member of Server Role sys
admin.
I'm not in the master database in query analyzer.
When I do this:
Deny Create Database
To User
I get the following message:
CREATE DATABASE PERMISSION CAN ONLY BE GRANTED IN THE MASTER DATABASE
How do I alter the SQL statement to refer to the master database?
Thanks for any help.Run:
use master
before you run the DENY.
Tom
---
Thomas A. Moreau, BSc, PhD, MCSE, MCDBA
SQL Server MVP
Columnist, SQL Server Professional
Toronto, ON Canada
www.pinnaclepublishing.com/sql
"Scotty" <scasti1@.cox.net> wrote in message
news:4B307CF8-97A3-41ED-9F3E-ABB130C8C525@.microsoft.com...
User is an NT Administrator and has been made a member of Server Role
sysadmin.
I'm not in the master database in query analyzer.
When I do this:
Deny Create Database
To User
I get the following message:
CREATE DATABASE PERMISSION CAN ONLY BE GRANTED IN THE MASTER DATABASE
How do I alter the SQL statement to refer to the master database?
Thanks for any help.|||Thanks, but trying to mimic a process all in one place, and the analyzer may
not be the best place to do this. I could do it from a test web page but f
amiliarizing myself with Analyzer environment.
In a web environment, I know I would have to connect to the master database
to issue this command.
However, is there an 'automated' way to switch to that database in the Query
Analyzer so that I can put the code
in the same test file rather than having to run another instance of the Anal
yzer just for that? I would rather comment out a few lines that I am not te
sting at that moment rather than switch back and forth from instance to inst
ance.
Is there a command that I can put in the body of the analyzer sql script to
switch? Sorry. Kind of new at this. All of the lines in this test file do
n't have to be run on Master anyway since they are adding users to specific
databases or they are addin
g server roles which can be added from anywhere, so if I used a separate tes
t file, it would have only these two lines in it anyway.
So is there a command to switch databases that I can place in the Analyzer s
cript? In the meantime, I'll go with your answer, and thanks very much for
your prior reply.|||If you are using Query Analyzer to run a script, then the only way to
guarantee that you are in a particular database is to issue a USE command.
So, if you are running a script from within QA, and you want to be sure you
are in master, then ensure you have the following:
use master
go
-- do something
I'm not sure I understand what the issue is. You don't need separate
instances of QA or anything like that.
Tom
---
Thomas A. Moreau, BSc, PhD, MCSE, MCDBA
SQL Server MVP
Columnist, SQL Server Professional
Toronto, ON Canada
www.pinnaclepublishing.com/sql
"Scotty" <scasti1@.cox.net> wrote in message
news:459B2889-43EB-4940-9D24-F74F7462ADCC@.microsoft.com...
Thanks, but trying to mimic a process all in one place, and the analyzer may
not be the best place to do this. I could do it from a test web page but
familiarizing myself with Analyzer environment.
In a web environment, I know I would have to connect to the master database
to issue this command.
However, is there an 'automated' way to switch to that database in the Query
Analyzer so that I can put the code
in the same test file rather than having to run another instance of the
Analyzer just for that? I would rather comment out a few lines that I am
not testing at that moment rather than switch back and forth from instance
to instance.
Is there a command that I can put in the body of the analyzer sql script to
switch? Sorry. Kind of new at this. All of the lines in this test file
don't have to be run on Master anyway since they are adding users to
specific databases or they are adding server roles which can be added from
anywhere, so if I used a separate test file, it would have only these two
lines in it anyway.
So is there a command to switch databases that I can place in the Analyzer
script? In the meantime, I'll go with your answer, and thanks very much for
your prior reply.|||I have been using separate instances of QA so I can use sa in one instanc
e to issue permissions and then see the effects of the issued permissions
by having a lower level user run sql commands in the second instance (i.e. s
econd instance logged in as
Low Level Windows user).
Thanks for the use Master go.
I'm sure it will work, and I appreciate it.
Scott|||Works great, but one thing I noticed:
Even though the commands take fine and the syspermission table record cou
nt changes as you would expect (master file), the command will not turn off
create database for a user in the sysadmin role or for a user who is not in
the sysadmin role but who i
s in the db_creator role.
So it doesn't seem to work at all. I know for a db_owner (non-sysadmin) you
have to turn on database creation after the fact, not turn it off, as I am
testing, so it does not apply in that instance.
So I'm trying to find a combination where Deny Create Database actually work
s where it would make sense. It makes sense that you might want to turn it
off for an administrator. Can't get it to work.|||Alternatively, you can send the default database to master.

>--Original Message--
>If you are using Query Analyzer to run a script, then the
only way to
>guarantee that you are in a particular database is to
issue a USE command.
>So, if you are running a script from within QA, and you
want to be sure you
>are in master, then ensure you have the following:
>use master
>go
>-- do something
>I'm not sure I understand what the issue is. You don't
need separate
>instances of QA or anything like that.
>--
>Tom
>----
--
>Thomas A. Moreau, BSc, PhD, MCSE, MCDBA
>SQL Server MVP
>Columnist, SQL Server Professional
>Toronto, ON Canada
>www.pinnaclepublishing.com/sql
>
>"Scotty" <scasti1@.cox.net> wrote in message
>news:459B2889-43EB-4940-9D24-F74F7462ADCC@.microsoft.com...
>Thanks, but trying to mimic a process all in one place,
and the analyzer may
>not be the best place to do this. I could do it from a
test web page but
>familiarizing myself with Analyzer environment.
>In a web environment, I know I would have to connect to
the master database
>to issue this command.
>However, is there an 'automated' way to switch to that
database in the Query
>Analyzer so that I can put the code
>in the same test file rather than having to run another
instance of the
>Analyzer just for that? I would rather comment out a few
lines that I am
>not testing at that moment rather than switch back and
forth from instance
>to instance.
>Is there a command that I can put in the body of the
analyzer sql script to
>switch? Sorry. Kind of new at this. All of the lines
in this test file
>don't have to be run on Master anyway since they are
adding users to
>specific databases or they are adding server roles which
can be added from
>anywhere, so if I used a separate test file, it would
have only these two
>lines in it anyway.
>So is there a command to switch databases that I can
place in the Analyzer
>script? In the meantime, I'll go with your answer, and
thanks very much for
>your prior reply.
>|||Looks like you need to re-think your strategy. If you're in db_creator, you
can create a database. If you want to ensure they can't do it - keep them
out. A sysadmin role member can do anything, so a DENY isn't going to work
here. It's best to look at what they really need and give them only those
permissions or roles. That way, you won't need to use DENY.
Tom
---
Thomas A. Moreau, BSc, PhD, MCSE, MCDBA
SQL Server MVP
Columnist, SQL Server Professional
Toronto, ON Canada
www.pinnaclepublishing.com/sql
"Scotty" <scasti1@.cox.net> wrote in message
news:3E662297-270F-4F7B-AE8A-D0E9215E9E83@.microsoft.com...
Works great, but one thing I noticed:
Even though the commands take fine and the syspermission table record
count changes as you would expect (master file), the command will not turn
off create database for a user in the sysadmin role or for a user who is not
in the sysadmin role but who is in the db_creator role.
So it doesn't seem to work at all. I know for a db_owner (non-sysadmin) you
have to turn on database creation after the fact, not turn it off, as I am
testing, so it does not apply in that instance.
So I'm trying to find a combination where Deny Create Database actually
works where it would make sense. It makes sense that you might want to turn
it off for an administrator. Can't get it to work.