Problem in detecting orphaned user on database.

Question

question

Sharma asked Jun 8, '12

Problem in detecting orphaned user on database.

This is database restore case(MSSQL2005 to MSSQL 2008) in that database is restored from one server to another server and while checking orphaned user by command “sp_change_users_login 'report'” for few users it does not show report even these are orphaned user because these have no mapping login available on server. On user properties Login box is blank but in sysusers table field islogin is true, not understand in which case it happened and why these user are not showing in orphaned user report. Please let me know if you required any other details. ![users][1] [1]: http://ask.sqlservercentral.com/storage/temp/222-User+Properties.jpg

sql-server-2008 sql-server-2005 login users orphaned-users

User Properties.jpg (66.0 KiB)

1

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Blackhawk-17 commented · Jun 08, 2012 at 02:55 PM

Does the user have a login associated in the source dB?

0 ·

Answer 1 · 2012-06-08T13:08:48Z

Usman Butt answered Jun 8, '12

`sp_change_users_login 'report'` neither would report for the users which are created without any login i.e. CREATE USER username WITHOUT LOGIN, nor would report the users which are created from Windows User. Moreover, sp_change_users_login is already marked as deprecated in SQL 2008, so a better way would be to use `sys.database_principals` system VIEW and afterwards use `ALTER USER` for mapping EDIT1: -- Finding SQL users without login SELECT * FROM sys.database_principals WHERE DATALENGTH(sid) >= 28 -- users mapped to logins have a 16 bytes SID, -- users without login have a length of ~28 bytes AND sid NOT IN ( SELECT sid FROM sys.server_principals ) -- No login with a matching SID AND type = 'S' -- Only SQL users AND principal_id > 4 -- filter system (well-known) principals go -- Finding orphaned SQL users SELECT * FROM sys.database_principals WHERE DATALENGTH(sid) 4 -- filter system (well-known) principals go -- Finding orphaned users created from Windows Login SELECT * FROM sys.database_principals WHERE sid NOT IN ( SELECT sid FROM sys.server_principals ) -- No login with a matching SID AND (type = 'U' --WINDOWS_USER --OR type = 'G' --WINDOWS_GROUP ) AND principal_id > 4 -- filter system (well-known) principals go

3

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Usman Butt commented · Jun 08, 2012 at 01:32 PM

User without login have many uses. Users without login can be used to test if the application works with minimum permissions. They are also can be a replacement for application roles when combined with the optional "WITH NO REVERT" or "WITH COOKIE" clauses. The main advantage of using users without logins rather than approles is that permission to impersonate is based on permissions and not on a password, eliminating the need to share a password that most likely will be hardcoded into an application. Now I have edited my answer once again to show the difference between users without login and orphaned user.

4 ·

Sharma commented · Jun 08, 2012 at 01:15 PM

Sorry am changing the toping but what is use of creating user without login. In mine case sysusers table islogin field is showing true.

0 ·

Usman Butt commented · Jun 11, 2012 at 10:19 AM

I have edited my response a bit against the Windows Users.

0 ·

Answer 2 · 2012-06-08T12:59:25Z

ASHOK 1 answered Jun 8, '12

check this link,if it resolve this issue.. http://support.microsoft.com/kb/246133 check and reply back..

1

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Sharma commented · Jun 08, 2012 at 01:03 PM

Thanks Ashok, but mine concern is not with login transfer. Have issue with orphaned users which is not detecting by system SP.

0 ·

question