How do you reset the sa password?
You can follow the steps mentioned in the link below to reset the SA password:
- Disaster Recovery: What to do when the SA account password is lost in SQL Server 2005
Steps summarised below:
- Open SQL Server Configuration Manager from Start Menu > Programs > Microsoft SQL Server 20xx > Configuration Tools > relevant to the newest version of SQL Server you have installed (e.g. if you have 2005 and 2012 installed, use the 2012 version). Don't have a Start Menu? On Windows 8's Start screen, start typing SQL Server Con... until it shows up.
- Stop the SQL Server instance you need to recover by right-clicking the instance in SQL Server Services and selecting "Stop"
- Right-click the instance you just stopped, click Properties, and in the “Advanced” tab, in the Properties text box add “;–m” to the end of the list in the “Startup parameters” option (on newer versions, you can go directly to the "Startup Parameters" tab, type "-m" and click Add, without worrying about the syntax, the semi-colon, or anything else).
- Click the “OK” button, and restart the SQL Server Instance
- After the SQL Server Instance starts in single-user mode, the Windows Administrator account is able to connect to SQL Server using the sqlcmd utility using Windows authentication. You can use Transact-SQL commands such as "sp_addsrvrolemember" to add an existing login (or a newly created one) to the sysadmin server role.
The following example adds the account "Buck" in the "CONTOSO" domain to the sysadmin role:
EXEC sp_addsrvrolemember 'CONTOSO\Buck', 'sysadmin';Once the sysadmin access has been recovered, remove the “;-m” from the startup parameters using the Configuration Manager and restart the SQL Server instance one more time.
NOTE: make sure there is no space between “;” and “-m”, the registry parameter parser is sensitive to such typos. You should see an entry in the SQL Server ERRORLOG file that says “SQL Server started in single-user mode.”
Additional resources:
- Connect to SQL Server When System Administrators Are Locked Out
- Leveraging Service SIDs to Logon to SQL Server 2012 and SQL Server 2014 Instances with Sysadmin Privileges
- Recover access to a SQL Server instance using PsExec
Ultimately, you could always copy the database files to another instance, or even reinstall SQL Server (adding a local account as sysadmin during that process).
What you do will depend on your SQL Server version, as well as whether you can afford to take the SQL Server service down in order to establish new credentials. The first two methods here do not require restarting the instance:
For SQL Server 2005, 2008, and 2008 R2 instances
You can connect using the NT AUTHORITY\SYSTEM account (or other backdoor methods). There are some details in some of the answers here:
- How to add sysadmin to user in SQL Server 2008 when no sysadmin accounts exist
I also have a tip over on MSSQLTips.com that addresses this problem:
- Recover access to a SQL Server instance
Essentially, you download PSExec from Microsoft, then use it to launch Management Studio once you have it installed:
PsExec -s -i "C:\...\Ssms.exe"
This will connect as NT AUTHORITY\SYSTEM and will allow you to do things in Object Explorer, like:
Change the instance to SQL Server and Windows Authentication mode - right-click the Server name, hit properties, and change the radio button if it's currently set to Windows only:
Set the password for the
saaccount - expand Security, expand Logins, right-clicksaand hit Properties, and in the resulting dialog there will be two password entry fields:
Add your own login as a
sysadmin- right-click Logins, New Login... enter your login name (in the formDOMAIN\username) then move to the Server Roles tab and check thesysadminbox and click OK:
(or, if your login is already listed, right-click, Properties, and make sure
sysadminis checked under Server Roles)
For SQL Server 2012 and newer instances
Starting with SQL Server 2012, NT Authority\SYSTEM was no longer given rights to SQL Server by default. So another way to do that in these newer versions has been detailed by Argenis Fernandez:
If the SQL VSS Writer service is running, stop it, and suspend all maintenance plans or 3rd party backup software that might rely on it.
Open
regedit.exeand change the value ofHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SQLWriter\ImagePathto point toSQLCMD.exe, which is going to be inC:\Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\**<...110|120|130|140...>**\Tools\Binn. After editing, the registry value should look something like the following (sorry for the scrolling):"C:Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\SQLCMD.exe" -S .\instancename -E -Q "ALTER ROLE sysadmin ADD MEMBER [YourDomain\YourUserName];"Try to start the SQL VSS Writer service again (you'll get an error; that's okay).
You should now be able to connect as
sysadminusingYourDomain\YourUserName. So stop the SQL VSS Writer service, fix the registry, and restart the service (if you need it to be running, or if it was running before you started this).
I've gone through this in a lot more detail in a second tip:
- More on Recovering Access to a SQL Server Instance
Though when I wrote that tip I used a more cumbersome approach of making a copy of SQLCMD.exe and replacing sqlwriter.exe - much easier to just point the service at SQLCMD.exe directly.
If you can afford to take the SQL Server service down
There is an officially supported path from Microsoft that requires restarting the instance in single user mode:
- Connect to SQL Server When System Administrators Are Locked Out
There is also a function in dbatools.io, a Powershell solution for managing SQL Server, called Reset-DbaAdmin:
- https://docs.dbatools.io/#Reset-DbaAdmin
Security is not the main issue here
I see plenty of people calling for Microsoft to "fix" these so-called "vulnerabilities." These are valid approaches to recovering access to an instance of SQL Server that you rightfully own. They all require elevated privileges on the physical host where SQL Server resides; as I've said to several people, if you don't want developers messing with SQL Server installations, don't make them administrators.