user – Dave Bland

Over the years I have had to provide information about logins and database users, most of the time per a request of an auditor. Many times, this is very easy to accomplish because the login name matches the name of the database user account. If you look at the “New User” screen you can see that I am able to enter a different User Name.

Because of this, I can have a User Name that doesn’t match the Login Name. From an audit perspective this can create some confusion. More importantly, it can make it difficult to provide accurate information to the auditors when asked.

In order to connect a database user to a login we will need to use the SID, Security Identifier. When you create a login on a SQL Server, SQL Server creates a SID, sometimes. So what do I mean sometimes? Well, if the login is a SQL login, SQL Server will create the SID, however if the login is an Active Directory user or group, the SID will the be same as the SID in Active Directory.

In order to find the SID we will need to use Syslogins. There is quite a bit of information in this view, however for this purpose we really only need two columns, SID and Name.

SELECT sid
, name
FROM syslogins

If you run the above query your results will look similar to what is below. In this case we are going to use an account names “BlogAcct”.

In order to get the SID for a user account we would run the following query in the database with the user account. The results are just below it.

SELECT sid
, name
FROM sys.sysusers

If you thought the SID looks familiar you would be correct. The SID is the same as the login mentioned above. However, if you notice, the names are different. This login name is BlogAcct, while the User Account is Fred. Yet both have the same SID. So what does this mean? It means that the User Account Fred is mapped to the Login BlogAcct.

If you run this query in the database you are looking for the mapped logins, you will get a result set similar to the image below the query.

SELECT u.sid AS ‘DatabaseUserSID’
, u.name AS ‘DatabaseUserName’
, l.name AS ‘LoginName’
, l.sid AS ‘LoginSID’
FROM sys.sysusers u
INNER JOIN master..syslogins l
ON u.sid = l.sid

Notice that the SIDs match, but the names do not. If you were to run this code against a production database, you will probably see a much large data set. This would also return accounts that have matching names as well. If you want to only find the user accounts that have different names from the login, you will need to add a WHERE clause. Similar to below.

When you do run this, you will see something that might be unexpected. The SA login comes back as having the same SID as the DBO. This is showing that the SA login is mapped to the dbo user account for all databases.

Hopefully this might make it easier when auditors come knocking at your door looking for accounts with database access. This query will also work for AD groups as well.

Thanks for visiting my blog!

In my many years of working as a DBA, I have encountered many disabled logins. However, I have never really encountered what looks to be a disabled database user account. I didn’t even think it was possible to disable a user account in a SQL Server database. I checked the user account properties just to makes sure I was correct. Sure enough, no option to disable a user account. This finally turned out to be a simple case of looks can be deceiving.

When we first received the call that a user was having an issue, we asked what was the error. This is what we were sent:

For the purpose of this blog, we will be using a SQL login named, testuser.

My first thought was maybe a permissions issue. I very quickly realized that it was something else.

The first thing I did was look at the properties of the login. This clearly showed that the login had access to a few databases, except the one related to the reported error, 1GBDB. As you can see below, it looks like the login doesn’t have access into the database.

However, if you look at the users in the database, you can see that the account does indeed exist in the database. As you can see below.

Of course the red “x” on the user account was a bit suspicious, we will get into that in a bit. One of the items I checked was if we have an orphaned account. So I check the SIDs for the login and the user account using these queries.

SELECT sid, name
FROM sys.syslogins
WHERE name = ‘testuser’

SELECT sid, name
FROM sysusers
WHERE name = ‘testuser’

Here are the results.

As you can see, the SIDs for both the user account and the login are the same. So that rules out an orphaned account.

I still couldn’t figure out why they user couldn’t get into the database. That red ‘x” was still bothering me. After some checking, I discovered there was something different about the user account in this database, 1GBDB, when compared to the same user accounts in different databases.

Database Permission properties for the 1GBDB, which the user cannot connect to.

This the a screenshot of the database permissions for the AdventureWorks2014 database, which the user can get to.

There is one important difference, the Connect permissions. If you remove the “Connect” permissions from a user account in a database that has a corresponding login, you will see this.

Once you grant the Connect permissions for the user account, the red “x” goes away and all should be good. Unless of course there are other issues.

Thanks for stopping by and I hope you learned something!

Tag: user

Disabled Database User?