I am working with a SQLServer installation where all public permissions
have been revoked from the system.

I currently hold the securityadmin and sysadmin roles to perform my
logicall access control work (creating logins and adding users to
databases and changing group memberships.)

There has been a question as to whether or not I need the sysadmin role
to do my job, so we tried an experiment in dropping the sysadmin role
from my id.

With no public permissions, I see no user information on the server,
which really limits my ability to do the job.

Has anyone ever worked with a super-locked-down server without the
sysadmin role for doing security admin work?

What I'm looking for is hopefully SQL to perform the access privileges
needed for the security admin role by itself.

Thanks in advance!

I'm not sure what you mean by "see no user information" - securityadmin
is at the server level, so it's used for managing logins.
sp_helplogins, sp_grantlogin etc. are all executable by securityadmin,
so you should be able to view and manage the logins.

At the database level, you need to be in db_accessadmin for the
databases where you need to manage users. sp_helpuser is executable by
public, sp_grantdbaccess is executable by db_accessadmin.

Perhaps you can give some more details of exactly what information you
can't retrieve, and what operations you can't perform?

Simon

If an object has PUBLIC permissions, it ws removed. DBArtisan
complains loud and long about tables in master that it cannot access.
We've set up a sandbox instance and yanked everything. We're now
working backwards so that I have access as required to get DBArtisan to
work.

Lots of tweaking.