Using SQL Server 2008 R2 or 2012.
I've been searching but haven't found an answer, apparently my google-foo is weak.
I need to find out which users in an AD group have been logging into my SQL servers. We are trying to audit user logins to see both how long user accounts have been inactive and how many licenses we will need coming up. I can get all the other information; the only thing I can't find is which users in each group have been logging in.
Any help locating where I can find this would be appreciated.
An AD group contains many logins, and many people may use the same login to log into SQL Server.
So you can't distinctly find which users in an AD group have been logging into SQL servers.
One more approach would be to use
select client_net_address from sys.dm_exec_connections
Each user would have a distinct IP when logged in from a distinct machine. Gather this data over a period and try to get a unique count of user logins.
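One way to carry out the "gather this data over a period" approach, as an added example that is not part of the answer above. The schema `audit`, the table `audit.LoginSnapshot` and the group name `DOMAIN\MyCompanyGroup` are placeholders. It goes one step beyond the answer: besides `client_net_address` it keeps `sys.dm_exec_sessions.login_name`, which reports the individual Windows account even when that account was admitted through a Windows-group login, so the per-person count does not have to be inferred from IP addresses.

```sql
-- Added example, not code from the answer above. audit.LoginSnapshot and
-- DOMAIN\MyCompanyGroup are placeholders for this illustration.

-- Step 1: a table that accumulates snapshots of who is connected.
CREATE SCHEMA audit;
GO
CREATE TABLE audit.LoginSnapshot
(
    captured_at        datetime2(0)  NOT NULL,
    login_name         sysname       NOT NULL,  -- DOMAIN\jdoe, even if admitted via a group login
    original_login     sysname       NOT NULL,  -- identity before any EXECUTE AS impersonation
    client_net_address varchar(48)   NULL,      -- NULL for shared-memory / internal sessions
    host_name          sysname       NULL,
    program_name       nvarchar(128) NULL
);
CREATE CLUSTERED INDEX IX_LoginSnapshot ON audit.LoginSnapshot (login_name, captured_at);
GO

-- Step 2: the collector. Schedule this as a SQL Agent job (e.g. every 5 minutes)
-- for the whole audit period. A MARS session can own several connections, so a
-- user may produce more than one row per snapshot; the aggregates below tolerate that.
INSERT INTO audit.LoginSnapshot
    (captured_at, login_name, original_login, client_net_address, host_name, program_name)
SELECT SYSUTCDATETIME(),
       s.login_name,
       s.original_login_name,
       c.client_net_address,
       s.host_name,
       s.program_name
FROM sys.dm_exec_sessions AS s
LEFT JOIN sys.dm_exec_connections AS c
       ON c.session_id = s.session_id
WHERE s.is_user_process = 1;
GO

-- Step 3: the report. Expand the AD group to its members (xp_logininfo needs
-- sysadmin membership) and join the snapshots to it. Members with a NULL
-- last_seen never connected during the audit period: those are the inactive
-- accounts, and COUNT(*) of the others is the per-seat licence figure.
DECLARE @members TABLE
(
    account_name      sysname      NOT NULL,
    account_type      nvarchar(8)  NULL,
    privilege         nvarchar(9)  NULL,
    mapped_login_name sysname      NULL,
    permission_path   sysname      NULL
);
INSERT INTO @members
EXEC master.dbo.xp_logininfo @acctname = N'DOMAIN\MyCompanyGroup', @option = N'members';

SELECT m.account_name,
       MIN(ls.captured_at)                    AS first_seen,
       MAX(ls.captured_at)                    AS last_seen,
       COUNT(DISTINCT ls.client_net_address)  AS distinct_addresses,
       COUNT(DISTINCT ls.host_name)           AS distinct_hosts
FROM @members AS m
LEFT JOIN audit.LoginSnapshot AS ls
       ON ls.login_name = m.account_name
GROUP BY m.account_name
ORDER BY last_seen;   -- never-seen members (NULL) come first
```

Because `login_name` is the session's Windows identity rather than the group login it matched, two people sharing a workstation (same `client_net_address`) are still counted separately, which is the gap in the IP-only approach.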
I want to create two users
App_dbo which is used to deploy scripts
App_batch which is used to run jobs
I googled it and found a SQL script.
I did not understand why I need to create a LOGIN.
What is the process to create a user?
Let me try to explain how the login and users work on a little example.
Imagine you are going to stay in a hotel, you've booked a room. At the reception they check your id and give you the key for your room. The id is your login, it is only checked once at the reception and you get access to whatever you are eligible for. If you paid for more rooms, you will get multiple keys.
In SQL Server, the rooms are the databases and the keys are your users. You can map multiple users to the login as long as the users are in different databases - you get keys for all the rooms you've paid for using just one id.
There is also a case where login doesn't have any users mapped. It can have permissions to create new databases or update infrastructure, but will not have access to the existing databases. This can be a case of a server admin. In the hotel example it is the technical maintenance employee who fixes pipes or electric wires. He has access to the hotel, but doesn't have keys for any rooms.
Therefore, a login gives access to the SQL Server (hotel common areas); however, it doesn't give you access to any database. You need user(s) mapped to your login to get access to the database(s).
Afaik, you can't map two users from the same db to one login (you only get one key for each room you've access to).
There are also other cases, like the AD one mentioned in the discussion below the question, where you can map multiple (external) identities to a single login, etc.; you can have users without logins, etc. I recommend studying the documentation or getting a good book explaining all the possibilities. A good start might be here.
Hope this helps a human being understand how it works; there are plenty of answers on how to set it up technically, for example the one you've referenced.
I have been trying to get a solution for this topic. Actually I already posted this several times but still I didn't receive any solution.
What I am looking for: in our database environment there are more than 1000 users; these users are Windows users and they are added as members of several Windows AD groups based on the DB access requirements.
There are a few AD groups which have the sysadmin server role.
Now the requirement is that we need to configure DATABASE AUDIT for those AD groups which have the 'SysAdmin' server role. We need to audit DML operations (Insert, Update, Delete) for all those AD groups which have the 'SysAdmin' server role. Please let me know what the database configuration details should be. I have already tested in different ways but I am not getting any correct result.
We have an employee that recently left the company, and I have a bunch of SSRS reports that she has access to. Is there a way to remove her from all of the reports at once, or do I have to go one by one?
You can delete the user from the reportserver database.
Then, the user can no longer be verified, and a login becomes impossible.
PS: Backup the ReportServer database first, just in case...
DELETE FROM [ReportServer].[dbo].[PolicyUserRole]
WHERE UserID IN
(
SELECT UserID FROM Users WHERE UserName ='blabla'
)
DELETE FROM Users WHERE UserName ='blabla'
Presumably the reports' security is based on Active Directory?
If she no longer has access to your network then she would not be able to access the reports.
If you have granted AD groups access rather than individual AD logins you could request that she is removed from each AD Group she is within, otherwise you will have to remove her individually from each report.
On a side note, if her AD account has been deleted then she will not be able to access the reports anyway, even if she could access the network?
I have a group in AD that logs in to Windows, and what I want to do is to grant the same AD group access to SQL Server using the AD credentials.
My SQL Server is setup to use mixed mode (windows and SQL Server logins).
So let's say my AD group name is MyCompanyGroup.
I want to grant access to that group to be able to connect to SQL Server.
Can anybody guide me how to do this?
Thanks.
If you have 100+ SQL Server instances, you have to run this script 100+ times.
Also: you will need to create specific users for that login in those databases that the login should have access to.
Basically use something like:
USE [database_name];
CREATE USER [username] FOR LOGIN [loginname];
See the MSDN How-To: Create a Database User for detailed info.
But everything can be scripted. And with a decent tool like Red-Gate SQL MultiScript, you can even have it executed on all your 100+ instances automagically.
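A worked version of both questions above, the App_dbo/App_batch one and the MyCompanyGroup one, as an added example that is not code from any of the answers. The group name MyCompanyGroup and the names App_dbo and App_batch come from the questions; the domain DOMAIN, the database AppDb and the password placeholders are assumptions. The server-level statements run once per instance; the database-level statements run once per database the login should reach, which is the "specific users for that login" point made above.

```sql
-- Added example, not code from the answers above. DOMAIN, AppDb and the
-- password placeholders are assumptions; replace them before running.

USE master;
GO
-- Server level: a LOGIN is the identity SQL Server authenticates (the "id" at
-- the hotel reception). A Windows-group login admits every current member of
-- the group; who is a member is managed in AD, not in SQL Server.
CREATE LOGIN [DOMAIN\MyCompanyGroup] FROM WINDOWS
    WITH DEFAULT_DATABASE = [AppDb];

-- SQL-authenticated logins for the two service identities. CHECK_POLICY = ON
-- applies the Windows password policy (complexity, lockout) to the SQL login.
CREATE LOGIN App_dbo   WITH PASSWORD = N'<replace-with-a-strong-secret>', CHECK_POLICY = ON;
CREATE LOGIN App_batch WITH PASSWORD = N'<replace-with-a-strong-secret>', CHECK_POLICY = ON;
GO

-- Database level: a USER is a login's key to one database. The same login
-- needs another user in every further database it should access.
USE AppDb;
GO
CREATE USER [DOMAIN\MyCompanyGroup] FOR LOGIN [DOMAIN\MyCompanyGroup];
CREATE USER App_dbo               FOR LOGIN App_dbo;
CREATE USER App_batch             FOR LOGIN App_batch;

-- Permissions are granted to the user, scoped to this database. Fixed roles
-- keep each identity at the least privilege its job needs.
-- (ALTER ROLE ... ADD MEMBER is SQL Server 2012+; on 2008 R2 use
--  EXEC sp_addrolemember N'db_datareader', N'DOMAIN\MyCompanyGroup'; etc.)
ALTER ROLE db_datareader ADD MEMBER [DOMAIN\MyCompanyGroup];  -- people: read-only

ALTER ROLE db_ddladmin   ADD MEMBER App_dbo;    -- deploys schema changes...
ALTER ROLE db_datawriter ADD MEMBER App_dbo;    -- ...and seed data, but is not db_owner
ALTER ROLE db_datareader ADD MEMBER App_dbo;

ALTER ROLE db_datareader ADD MEMBER App_batch;  -- jobs: data only, no DDL
ALTER ROLE db_datawriter ADD MEMBER App_batch;
GO

-- Sanity check from the database side: each user and the role(s) it holds.
SELECT u.name AS database_user, u.type_desc, r.name AS role_name
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r   ON r.principal_id = rm.role_principal_id
WHERE u.name IN (N'DOMAIN\MyCompanyGroup', N'App_dbo', N'App_batch')
ORDER BY u.name, r.name;
```

Keeping App_dbo out of db_owner means a compromised deployment credential can alter objects in AppDb but cannot grant itself permissions, change ownership, or take the database offline; those require db_owner or server-level rights that this script never gives it.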
I have recently been running into many different areas of SQL Server that I normally don't mess with. One of them that has me confused is the area of Logins and Users. Seems like it should be a pretty simple topic...
It appears that each login can only have 1 user and each user can only have 1 login.
A login can be associated to multiple tables thus associating that user to many tables.
So my question is why even have a login and a user? They seem to be pretty much one and the same. What are the differences, or what is it that I seem to be missing?
A "Login" grants the principal entry into the SERVER.
A "User" grants a login entry into a single DATABASE.
One "Login" can be associated with many users (one per database).
Each of the above objects can have permissions granted to it at its own level. See the following articles for an explanation of each:
Principals
Database Users
One reason to have both is so that authentication can be done by the database server, but authorization can be scoped to the database. That way, if you move your database to another server, you can always remap the user-login relationship on the database server, but your database doesn't have to change.
I think there is a really good MSDN blog post about this topic by Laurentiu Cristofor:
The first important thing that needs to be understood about SQL Server
security is that there are two security realms involved - the server
and the database. The server realm encompasses multiple database
realms. All work is done in the context of some database, but to get
to do the work, one needs to first have access to the server and then
to have access to the database.
Access to the server is granted via logins. There are two main
categories of logins: SQL Server authenticated logins and Windows
authenticated logins. I will usually refer to these using the shorter
names of SQL logins and Windows logins. Windows authenticated logins
can either be logins mapped to Windows users or logins mapped to
Windows groups. So, to be able to connect to the server, one must have
access via one of these types of logins - logins provide access to the
server realm.
But logins are not enough, because work is usually done in a database
and databases are separate realms. Access to databases is granted via
users.
Users are mapped to logins and the mapping is expressed by the SID
property of logins and users. A login maps to a user in a database if
their SID values are identical. Depending on the type of login, we can
therefore have a categorization of users that mimics the above
categorization for logins; so, we have SQL users and Windows users and
the latter category consists of users mapped to Windows user logins
and of users mapped to Windows group logins.
Let's take a step back for a quick overview: a login provides access
to the server and to further get access to a database, a user mapped
to the login must exist in the database.
That's the link to the full post.
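A check that follows directly from the SID rule in the quoted post ("a login maps to a user in a database if their SID values are identical"), as an added example that is not code from the post or its author. It lists database users whose SID matches no server login, the situation the other answer calls remapping after a move, and shows the repair. The database name AppDb and the login name App_batch are placeholders.

```sql
-- Added example, not from the quoted post. AppDb and App_batch are placeholders.

USE AppDb;
GO
-- Users in this database whose SID has no matching server login: the "key"
-- exists but no "id" opens it. Typical cause: the database was restored on
-- another instance where the SQL login was recreated and so received a new,
-- server-generated SID. Windows users and groups carry their AD SID, which is
-- the same on every instance in the domain, so they do not orphan this way.
-- Users created WITHOUT LOGIN also appear here with server_login = NULL; that
-- is expected for them.
SELECT dp.name      AS database_user,
       dp.type_desc AS user_type,
       dp.sid       AS user_sid,
       sp.name      AS server_login          -- NULL = orphaned (or WITHOUT LOGIN)
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')             -- SQL user, Windows user, Windows group
  AND dp.sid IS NOT NULL
  AND dp.name NOT IN (N'dbo', N'guest', N'INFORMATION_SCHEMA', N'sys')
ORDER BY sp.name, dp.name;                   -- orphans (NULL) sort first
GO

-- Repair: point the user at the login of the same name. This rewrites the
-- user's SID to the login's SID, re-establishing the mapping without touching
-- the user's database permissions.
ALTER USER App_batch WITH LOGIN = App_batch;
GO

-- Prevention: when a SQL login must exist on several instances, create it with
-- the same SID everywhere so restored databases line up without repair.
-- Read the SID once on the source instance...
SELECT name, sid FROM sys.server_principals WHERE name = N'App_batch';
-- ...and replay it on each target (SID value copied from the query above):
-- CREATE LOGIN App_batch WITH PASSWORD = N'<strong-secret>', SID = 0x<sid-from-source>;
```

Running the first query after every restore onto a different instance is the quickest way to see whether the login/user mapping the quoted post describes has actually survived the move.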
In short: logins have access to the server, and users have access to the database.
I think this is a very useful question with good answers. Just to add my two cents from the MSDN Create a Login page:
A login is a security principal, or an entity that can be authenticated by a secure system. Users need a login to connect to SQL Server. You can create a login based on a Windows principal (such as a domain user or a Windows domain group) or you can create a login that is not based on a Windows principal (such as an SQL Server login).
Note:
To use SQL Server Authentication, the Database Engine must use mixed mode authentication. For more information, see Choose an Authentication Mode.
As a security principal, permissions can be granted to logins. The scope of a login is the whole Database Engine. To connect to a specific database on the instance of SQL Server, a login must be mapped to a database user. Permissions inside the database are granted and denied to the database user, not the login. Permissions that have the scope of the whole instance of SQL Server (for example, the CREATE ENDPOINT permission) can be granted to a login.
Graph on logins / users from MS sql-docs