SQL Server Users - sql

Disclosure: I am not an IT professional and I am certainly not a DBA.
That said, I can usually find my way around. I am following some instructions from a third party vendor to create a login, two databases, a user in each and ultimately a DSN to each.
Here are the steps:
Create a login (let's call it Test) with SQL Server Authentication and assign it a Public server role
Create two databases, both owned by the login we created (Test)
In each database, create a user with User Name and Login Name both set to Test and the default schema as dbo. Assign each user db_owner in Owned Schemas and Membership
Create a DSN to each database
If I follow these instructions, when I attempt to create the users I get an error: The login already has an account under a different user name. (Microsoft SQL Server, Error: 15063)
If I try creating a user with a different User Name (login name still Test), I get the same error.
If I try creating a user with a different Login Name, I get a different error: 'Test1' is not a valid login or you do not have permission. (Microsoft SQL Server, Error: 15007)
If I try skipping the users entirely and creating the DSN with the original Login, I get an error that login failed for user Test.
I have tried completely removing and re-installing SQL Server in case there was some duplicate name stored somewhere, but it didn't help.
So, I am not sure what else I can try. Clearly I am missing something, but I have no idea what.

If the Login owns the database, it's mapped to the user dbo (which stands for "database owner") so you can't create another user for that login.
Normal practice is to have the databases owned by SA or your Windows Login, then you can create the user for the SQL Login and assign whatever permissions you need.

Related

User With Login becomes User without login when restored to a different instance

I have a number of SQL Server logins which are configured on Instance A. These SQL Server logins are explicity mapped to specific databases. These databases therefore have the Login name listed as a user in their security container. When I restore the backups from Instance A into Instance B, the database level user becomes a 'user without login'. The user exists at server level in Instance B and it is not a case of the login being orphaned. It literally becomes a 'SQL user without login' rather than a 'SQL user with login'. Does anybody have any ideas as to how to fix this issue? I have exhausted all my options thus far. Nothing seems to work apart from dropping the user at the database level and adding it to the login at server level for that database. However, I am not in a position to keep doing this as it is part of an automated process.
The problem is that you did not create the logins correctly in Instance B so they have different SIDs than the logins in Instance A. The database users reference the SID and not the login name so while the login name is the same the database user does not see a login with the SID that it was attached to.
So you need to delete the logins from Instance B that are supposed to be the same as the logins from Instance A. Then use sp_help_revlogin from https://support.microsoft.com/en-us/help/918992/how-to-transfer-logins-and-passwords-between-instances-of-sql-server to copy those logins over to Instance B.
You only need to create the sp_hexadecimal and sp_help_revlogin stored procedures on the instance that you are copying logins from but it doesn't hurt to have it on all of your instances.

Give DBAdmin access on multiple DB's

I am trying to provide DBAdmin privilege for a user on multiple databases.
I know how to do from on premises SQL database, I can directly map the user to required databases.
Can anyone let me know how to do it in Azure managed instance. Since the added user is external user, can,t see it in the Logins to map the user.
I have like 100 databases on which the user should have db admin right. Is there a easiest way to do that?
You can use an Azure Active Directory Login
eg
CREATE LOGIN [someuser#somecompany.onmicrosoft.com] FROM EXTERNAL PROVIDER
then create users mapped to this login in the appropriate databases, or make this login a sysadmin. Not sure if this shows up in SSMS, as it was added relatively recently. So you may have to create the users and grant them permissions in the target databases in TSQL, as per: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-aad-security-tutorial

How can I alter user roles in Azure SQL Database?

I have got myself into a little bit of a bind, using SQL Server Management Studio to create a database in Azure SQL. My issue appears to be with assigning roles to users in the database. When I created the database, it prompted me to create a new login, with an associated user, that appeared to have all the rights of a database owner. However, I am now trying to create two additional logins and I realize I am screwed. The login that I created when I made the database isn't the database owner, even though I could do all the DDL / DML necessary to create the full schema under that account. I created an additional login, and I added two users to that login. I now want to add that login to a role (db_datareader, db_denywrite) but I cannot.
It appears that the database owner is a user / login called "dbo" that I did not set up. This is the only user that is added as a database owner, and subsequently is the only one that can edit roles. But I do not know the login credentials for this user!
if I use what I believed to be the administrator account (the one I made) to add a role I get the error:
Cannot alter the role 'db_datareader', because it does not exist or you do not have permission.
How can I fix this? How can I get my original account added as a DB Owner? There has got to be a way, but everything I tried points to the fact that I am not the owner of the resource I created; I'm an outcast in my own country...
Thanks!

SQLServer difference between new login and new database user [duplicate]

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Difference between a User and a Login in SQL Server
Is it enough to create a database login with permission to desired database? Or do I need to create a database user for this login?
A login is a login account for the entire SQL Server instance - an instance can contain numerous databases.
A user is defined at the database level, and is associated with a login to provide interactive access (privileges providing)
Logins are a server side (instance level) objects. Their correct name is 'server principals' (see sys.server_principals). Server wide privileges are granted to logins, like create database or view server state permissions.
Users are a database objects, correctly referred to as 'database principals' (see sys.database_principals). They are the recipients of database permissions, like create table or select.
Ordinarily a login is mapped 1-to-1 to a user in each database, via a matching SID, but there are some exception, like all members of the sysadmin fixed server role are always mapped to dbo.
Users without login are a specific construct for Service Broker remote identities (see Remote Service Bindings) and for code signing. You should never have to create one in any other context, and if you do, you're likely doing it wrong. Users without login are never meant to be impersonated.

Locking User account created under Windows Authentication in SQL Server

As per my project requirement i need to lock a user in SQL Server(Which is created using Windows Authentication). Is there any way to do this?
For example: For a SQL login if you try to login using wrong Password more than 3 or 4 attempts, then that account gets locked out. User cannot login to SQL Server using this username. I want to check this using Users created under windows authenntication
Thanks for the help
Santhosh
You need to keep two things apart:
on a server-level, you have users that have a login - this gives them the ability to connect to that SQL Server at all. You can disable a login using:
ALTER LOGIN (name) DISABLE
Doing so prevents that user from logging into the database server alltogether - he (or she) cannot access anything on that database server anymore
on a per-database level, those logins might be granted access to the database - this is done by creating a user (based on that login) for that database, and assigning that user certain permissions. You can't really disable a user in a database - you just have to drop that user
USE (database)
DROP USER (name)
You can always re-create that user from his login in that database using
USE (database)
CREATE USER (name) WITH LOGIN = (login name)