SQL Server Security

Question

question

Sagar Bhargava asked May 10, '17

SQL Server Security

Hi, I have a user who is able to connect to a database but I dont see the login on the server or in the database. The database has only 4 logins (3 AD groups and 1 SQL Login). The AD groups do not have any logins added at present and the SQL Login has db_reader permission on the database. The user is able to create / modify objects. Other AD groups on the server do not have the user login added. This is something which I cannot explain so if anyone can provide more information on how I can find out whats happening, would be great. I am using SQL Server 2012 SP3 CU8 on Windows 2012 R2. Thanks.

security permissions

3

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

nidheesh.r.pillai commented · May 10, 2017 at 08:53 AM

" The AD groups do not have any logins added at present " - How did you verify this?

0 ·

JohnM commented · May 10, 2017 at 01:24 PM

Are the databases contained?

0 ·

Sagar Bhargava commented · May 10, 2017 at 11:13 PM

@nidheesh - I used the xp_logininfo and I have access to AD server so I can login and check the groups as well. @JohnM - No, it is not a contained database. The database is on a 3 node failover cluster where we have an availability group setup but this database is not a part of it.

0 ·

Answer 1 · 2017-05-10T11:33:51Z

Jeff Moden answered May 10, '17

Use xp_LoginInfo 'adgroupnamehere', 'members' to see who is in each AD group. Don't forget about special groups such as the 'BUILTIN\Administrators' account, etc, etc.

1

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Sagar Bhargava commented · May 10, 2017 at 11:14 PM

Yes, I checked this and could not find any logins.

0 ·

question