Locking Down SQL 2005


I'm not sure of the best way to lock down SQL Server 2005. I added a login for a group that maps to an AD group. The group is mapped to the public role, and the problem is that anyone in the group can manage the server by right-clicking and selecting Properties. My understanding is that this is allowed by the CONTROL SERVER permission, but removing it doesn't allow them to log on to the server anymore. Is there a way to allow people to connect to the server but not manage it?

Thanks!

By default, when you give a login the public fixed server role, it has the server permission "CONNECT SQL". It should not have the CONTROL SERVER permission or sysadmin. Since they can change server settings, it seems that the logins belong to the existing built-in admin group. Besides what lekss mentioned, I recommend you run the following queries to check the details:
1. To check the principal's ID, run
SELECT * FROM sys.server_principals

2. To check the detailed server permissions, run
SELECT * FROM sys.server_permissions

Pay attention to the following columns in the output: class_desc, grantee_principal_id, permission_name, and state.
http://msdn.microsoft.com/en-us/library/ms186260.aspx

If any of the logins have the CONTROL SERVER permission, you can issue the REVOKE command as follows to revoke the permission:
REVOKE CONTROL SERVER FROM login_principal_name

If, after revoking the CONTROL SERVER permission, you find they cannot log on to the SQL Server instance, you can use GRANT to grant CONNECT SQL to it:
GRANT CONNECT SQL TO login_principal_name

And make sure it has the CONNECT SQL server permission in sys.server_permissions. Please be aware not to issue DENY CONTROL SERVER to the login, as it will cause the login to fail to connect to the SQL Server instance. If you issued a DENY statement, issue REVOKE to revoke it.

For more information, you can refer to:
DENY Server Permissions
http://msdn.microsoft.com/en-us/library/ms182763.aspx
GRANT Server Permissions
http://msdn.microsoft.com/en-us/library/ms186717.aspx
REVOKE Server Permissions
http://technet.microsoft.com/en-us/library/ms186308.aspx


Please remember to mark the replies as answers if they help, and unmark them if they provide no help.
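As an added example (not part of the original answer), the two catalog views can be joined so that each server-level permission appears next to the name of the login that holds it, alongside fixed server role membership such as sysadmin. `CONTOSO\someuser` is a placeholder account name.

```sql
-- Added example; the account name below is a placeholder.

-- 1. Explicit server-level permissions, with the grantee's name instead of its ID.
--    state_desc distinguishes GRANT from DENY entries.
SELECT pr.name       AS principal_name,
       pr.type_desc  AS principal_type,
       pe.class_desc,
       pe.permission_name,
       pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name IN (N'CONTROL SERVER', N'CONNECT SQL')
ORDER BY pr.name, pe.permission_name;

-- 2. Members of fixed server roles (look for Windows groups under sysadmin).
SELECT r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 3. For one Windows account, list every login (including group logins)
--    through which it reaches the instance; see the "permission path" column.
EXEC xp_logininfo @acctname = N'CONTOSO\someuser', @option = 'all';
```

A Windows user who also belongs to a group listed under sysadmin in the second result set has full control of the server regardless of what the first result set shows for their own group login.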

