When I attempt to query AD for users I receive the following error:
Cannot fetch a row from OLE DB provider "ADsDSOObject" for linked server "ADSI".
I assume the issue due to the 1000 row limit (or 901 rows in SqlServer 2008). I can page the query but I am looking for workaround that would allow me to retrieve more than 1000 at a time.
In case it helps, I am using SqlServer 2008 R2.
and here is my query
SELECT samaccountname AS Account, ISNULL(givenName, '''') AS givenName, ISNULL(SN, '''') AS SN, ISNULL(DisplayName, '''') as DisplayName, ISNULL(Title, '''') AS Title
FROM OpenQuery(ADSI,
'SELECT SamAccountName, givenName, SN, DisplayName, Title
FROM ''LDAP://corpdomain.corp''
WHERE objectClass = ''User'' and (SN = ''*'' or givenName = ''*'')')
Any ideas?
EDIT -
Upon further inspection I realized I am not able to properly page this query either. Does anyone have any tips on a solution that will allow me to page the results or a workaround that will allow me to return more than 901?
I hit this problem too, and didn't like the usual solution posted of paging by the first letter of the account name. This would mean 26 separate calls to AD, and also could still potentially fail because with a large domain its very possible to have more than 901 accounts starting with the same first letter - particularly if you are looking at computer accounts, which likely follow some systematic naming convention using the same first letter...
I did some playing around and I found that if you order the openquery by uSNCreated and put a TOP 901 clause on the outer query it doesn't blow up.
So, here is my SQL which fetches ALL active directory objects (computers, domain controllers, users and contacts) into a temp table in chunks of 901 records and gives you some useful information on each object.
CREATE TABLE #ADData(
Login NVARCHAR(256)
,CommonName NVARCHAR(256)
,GivenName NVARCHAR(256)
,FamilyName NVARCHAR(256)
,DisplayName NVARCHAR(256)
,Title NVARCHAR(256)
,Department NVARCHAR(256)
,Location NVARCHAR(256)
,Info NVARCHAR(256)
,LastLogin BIGINT
,flags INT
,Email NVARCHAR(256)
,Phone NVARCHAR(256)
,Mobile NVARCHAR(256)
,Quickdial NVARCHAR(256)
, usnCreated INT
)
DECLARE #Query VARCHAR (2000)
DECLARE #Filter VARCHAR(200)
DECLARE #Rowcount INT
select #Filter =''
WHILE ISNULL(#rowcount,901) = 901 BEGIN
SELECT #Query = '
SELECT top 901
Login = SamAccountName
, CommonName = cn
, GivenName
, FamilyName = sn
, DisplayName
, Title
, Department
, Location = physicalDeliveryOfficeName
, Info
, LastLogin = CAST(LastLogon AS bigint)
, flags = CAST (UserAccountControl as int)
, Email = mail
, Phone = telephoneNumber
, Mobile = mobile
, QuickDial = Pager
, usnCreated
FROM OPENROWSET(''ADSDSOObject'', '''', ''
SELECT cn, givenName, sn, userAccountControl, lastLogon, displayName, samaccountname,
title, department, physicalDeliveryOfficeName, info, mail, telephoneNumber, mobile, pager, usncreated
FROM ''''LDAP://[ldap-query-string]''''
WHERE objectClass=''''Person''''
AND objectClass = ''''User''''
' + #filter + '
ORDER BY usnCreated'')'
INSERT INTO #ADData EXEC (#Query)
SELECT #Rowcount = ##ROWCOUNT
SELECT #Filter = 'and usnCreated > '+ LTRIM(STR((SELECT MAX(usnCreated) FROM #ADData)))
END
SELECT LOGIN
, CommonName
, GivenName
, FamilyName
, DisplayName
, Title
, Department
, Location
, Email
, Phone
, QuickDial
, Mobile
, Info
, Disabled = CASE WHEN CAST (flags AS INT) & 2 > 0 THEN 'Y' ELSE NULL END
, Locked = CASE WHEN CAST (flags AS INT) & 16 > 0 THEN 'Y' ELSE NULL END
, NoPwdExpiry = CASE WHEN CAST (flags AS INT) & 65536 > 0 THEN 'Y' ELSE NULL END
, LastLogin = CASE WHEN ISNULL(CAST (LastLogin AS BIGINT),0) = 0 THEN NULL ELSE
DATEADD(ms, (CAST (LastLogin AS BIGINT) / CAST(10000 AS BIGINT)) % 86400000,
DATEADD(day, CAST (LastLogin AS BIGINT) / CAST(864000000000 AS BIGINT) - 109207, 0)) END
, Type = CASE WHEN flags & 512 = 512 THEN 'user'
WHEN flags IS NULL THEN 'contact'
WHEN flags & 4096 = 4096 THEN 'computer'
WHEN flags & 532480 = 532480 THEN 'computer (DC)' END
FROM #ADData
ORDER BY Login
DROP TABLE #ADData
The problem
When I attempt to query AD for users I receive the following error:
Cannot fetch a row from OLE DB provider "ADsDSOObject" for linked server "ADSI".
I assume the issue due to the 1000 row limit (or 901 rows in SqlServer 2008). I can page the query >but I am looking for workaround that would allow me to retrieve more than 1000 at a time.
In case it helps, I am using SqlServer 2008 R2. and here is my query
>
SELECT samaccountname AS Account, ISNULL(givenName, '''') AS givenName, ISNULL(SN, '''') AS SN, ISNULL(DisplayName, '''') as DisplayName, ISNULL(Title, '''') AS Title
FROM OpenQuery(ADSI,
'SELECT SamAccountName, givenName, SN, DisplayName, Title
FROM ''LDAP://corpdomain.corp''
WHERE objectClass = ''User'' and (SN = ''*'' or givenName = ''*''
Any ideas?
EDIT - Upon further inspection I realized I am not able to properly page this query either. Does >anyone have any tips on a solution that will allow me to page the results or a workaround that will >allow me to return more than 901?
My workaround
I just solved the same problem faced by me, by applying paging optimally (and I am successfully able to retrieve around 50k logins from the AD and it is not missing to fetch a single login account from the AD domains):
You need to work around the ADSI query limitation by looping through the characters of the attributes. See a solution here: http://www.sqlservercentral.com/Forums/Topic231658-54-1.aspx#bm1249991
The error was resolved by writing SELECT TOP 901 ... IN PLACE OF JUST SELECT.
And yes, this problem is related to using SqlServer 2008 R2. This problem occurred to me after migration of the database from 2005 to 2008, because in SQL Server 2008, there is a limit of 901 rows which was 1000 in SQL Server 2005 (the difference is we need to write select TOP 901, which was not required in the SQL Server 2005, else the program fails with error)
From your reply to my comment it sound like an SSIS package fired by a SQL Agent job would be an ideal way to go. Here's how you can access Active Directory in SSIS:
Create a new SSIS Project
Add a Data Flow Task to the Control Flow.
Click the Data Flow tab.
Drag an ADO NET Source from the Toolbox to the Data Flow.
Double-click the ADO NET Source.
Click the New button next to OLE DB connection manager.
Click the New button in the Configure ADO.NET Connection Manager
dialog.
Click the downward pointing arrow on the Provider dropdown.
Find .Net Providers for OleDb in the list and double-click it.
Find OLE DB Provider for Microsoft Directory Services in the list
and double-click it.
Click the OK button.
In Server or file name put ActiveDirectory.
Highlight ActiveDirectory in the Data connections.
Click the OK button.
Change the Data access mode to SQL command.
In the SQL command text box enter
<LDAP://DC=domain,DC=tld>;(&(objectClass=User)(objectCategory=Person));distinguishedName,displayName,sn,givenName,middleName,mail,telephoneNumber;subtree.
Change domain and tld to the appropriate identifiers for your
domain and add any other appropriate LDAP path elements.
Add any other appropriate ActiveDirectory attributes to the query.
Click the OK button.
You will see error messages indicating that the data type
"System.Object" is not supported. These can be ignored.
Click the OK button on the warning dialog.
Right-click on the ADO NET Source.
Click Properties.
Change ValidateExternalMetadata to False.
You may also want to do the steps below, but be aware that if you do this and have an Active Directory attribute longer than 4000 characters, it will be truncated in the data flow.
Right-click on the ADO NET Source.
Click Show Advanced Editor.
Go to the Input and Output Properties tab.
Expand ADO NET Source Output.
Expand Output Columns.
For each column, change the DataType to Unicode string [DT_WSTR] and
set the Length to 4000.
Click the OK button.
Double-click the ADO NET Source go to Error Output.
Select all the values for the rows under Trunctation.
List item
Under Set this value to selected cells choose Ignore failure.
Click the Apply button.
Click the OK button.
Note that this query format is also supported:
SELECT distinguishedName, displayName, sn, givenName, middleName, mail, telephoneNumber
FROM 'LDAP://DC=domain,DC=tld'
WHERE objectClass = 'User' AND objectCategory = 'Person'
See the MSDN article Microsoft OLE DB Provider for Microsoft Active Directory Service for more information on the query formats supported by the provider.
This exact same Cannot fetch a row from OLE DB provider "ADSDSOObject" error message can also occur when you have less than 1000 rows in the resultset, but something else prevents SQL from fetching the records. We recently had a situation where the SQL Service account password was out of date, and this seems to have caused this error. Updating the password in the Log on details of the service and restarting SQL Server fixed it.
Just thought I would tack this answer on here so if someone googles this error message in future this might also help!
I solved it using another post by Magnus Reuter -just thought I gave y'all a link because it is simple ans ingenious!
He did 2 queries, joining them by using UNION, but for the first one he selected all sAMAccountname m. Of course if you find that your middle is not the letter "m" you can adjust that accordingly, but generally if you have around 1000-2000 records it will be "m".
Retrieve >901 rows from SQL Server 2008 linked server to Active Directory
There is an additional reason why you might get this error. If you are using multiple domains you may need to change the Active Directory properties for this SQL Server. Selecting "Trust this computer for delegation to any service (Kerberos only)" should correct the problem if the cause is from "double hop" in a multi-domain setup.
Related
My work company has a MSSQL server 2005. I have two questions about finding out current log user and any way to send out a warning message:
First question is if there is any T-SQL or SP available to find out current login user name and machine name. If the user is using SQL server sa name to remotely access to SQL server, is there any way to find out that user's windows name (the name to log to the windows)?
My next question is that if I can get the user name or id, is there any way to send out a warning message such as "currently SQL server is clean up or backup, please do not log in at this time". I guess it may be difficult. I may have to send an email out to the user.
The SQL server is only accessible in the company. The SQL server has a list of users as login users: windows users, SQL users and sa.
SELECT SUSER_SNAME(), HOST_NAME()
If the connection is "sa" (or any other SQL login) then you can't find the domain/windows user name. SQL Server only knows it's "sa" or that SQL login.
HOST_NAME may not be reliable either, it can be set in the connection string ("Application Name"). Or it could be vague eg "Microsoft Office" for by default for Access, Excel etc
You could backtrack via client_net_address in sys.dm_exec_connections and match MAC address to IP and find out who is logged on...
An easy way to find out both host and user is
EXEC sp_who2;
where you get some other information that can be good to know, as if the user is active and so on...
It does not resolve the issues that gbn announced.
Thanks for all your suggestions first. I tried all the methods and I think Joakim Backman's method meet my need. Here is summary of what I find out.
Query of sys.syslogins only list login information. The accdate does not give the current login user timestamp. I tried to login from another application to my SQL and this query does not list the login.
SELECT SUSER_SNAME(), HOST_NAME() only list one user on SQL server. For example, I log in in as my name to SQL server. The result of this query only lists my name and machine name. This query does not list current users on the SQL server.
exec sp_who2 lists information I need. It lists current user name machine name, active status, db name user's access, and command used.
In order to get the information I use in SP, I have to filter and join the information with other tables, such as emails. Here is the codes I use:
DECLARE #retTable TABLE (
SPID int not null
, Status varchar (255) not null
, Login varchar (255) not null
, HostName varchar (255) not null
, BlkBy varchar(10) not null
, DBName varchar (255) null
, Command varchar (255) not null
, CPUTime int not null
, DiskIO int not null
, LastBatch varchar (255) not null
, ProgramName varchar (255) null
, SPID2 int not null
, REQUESTID INT
)
INSERT INTO #retTable EXEC sp_who2
SELECT Status, Login, HostName, DBName, Command, CPUTime, ProgramName -- *
FROM #retTable
--WHERE Login not like 'sa%' -- if not interested in sa
ORDER BY Login, HostName
NCSC has published a list of the 100.000 most used passwords, see 100K passwords
I wondered if any of my users had used one of these passwords, so I wrote a check, inspired by an idea from bp_check.
Am I doing it the correct way?
I had problems with UniCode, but that should have been solved by now.
Here is my code to run such a password check:
-- script to check if any of the passwords on your SQL Server is amongst the 100.000 most used passwords that Troy Hunt and NCSC released
-- see https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere
--drop table dbo.PwnedPasswordTop100k
create table dbo.PwnedPasswordTop100k ( pw nvarchar(500) collate Latin1_General_CS_AS not null)
go
bulk insert dbo.PwnedPasswordTop100k
FROM 'c:\temp\PwnedPasswordTop100k.txt'
WITH
(
FIELDTERMINATOR = ',',
ROWTERMINATOR = '\n'
, codepage=65001
)
go
SELECT sl.name , ppt.pw
from sys.sql_logins sl
cross join dbo.PwnedPasswordTop100k ppt
where PWDCOMPARE(ppt.pw, sl.password_hash) = 1
union all
SELECT s.name, 'password is NULL' FROM sys.sql_logins s -- password is null (from idea from BP_Check http://aka.ms/BPCheck;)
where password_hash is null
AND exists(SELECT * FROM fn_my_permissions(NULL, 'SERVER') where permission_name='CONTROL SERVER')
and name NOT IN ('MSCRMSqlClrLogin','##MS_SmoExtendedSigningCertificate##','##MS_PolicySigningCertificate##','##MS_SQLResourceSigningCertificate##','##MS_SQLReplicationSigningCertificate##','##MS_SQLAuthenticatorCertificate##','##MS_AgentSigningCertificate##','##MS_SQLEnableSystemAssemblyLoadingUser##')
union all
SELECT s.name, s.Name FROM sys.sql_logins s -- password the same as login (from idea from BP_Check http://aka.ms/BPCheck;)
where PWDCOMPARE(s.name, s.name) = 1
union all
select 'not SYSADM', 'You do not have CONTROL SERVER permissions, and cannot see any password_hashes'
where not exists(SELECT * FROM fn_my_permissions(NULL, 'SERVER') where permission_name='CONTROL SERVER')
--select top (10000) * from dbo.PwnedPasswordTop100k where pw like N'пїЅпїЅпїЅпїЅ'
begin try
drop table dbo.PwnedPasswordTop100k
end try
begin catch
end catch
The PwnedPasswordTop100k.txt file must be copied to c:\temp on the SQL Server, and the account that runs SQL Server, must have access to the file. Alternatively, change the path to a place which the SQL Server can see.
Not everyone has access to a share that SQL Server can see. So I've also written a script with all the passwords:
Script with 100.000 passwords
It is a SELECT Statement that is 1500 kB. Quite big, but you can run it in SQL Server Management Studio.
My SQL Server can check about 6 users per minute, so the script is not very fast.
I'm back here with a SQL User/Login problem.
First off all i'm working on SQL server 2008 and i'm not the master on that server.
On that SQL server i have different Login and these Login are mapped to a USER to my database 'DB_MyDataBase'.
Indeed, i have 10 different Login mapped to 10 different User on my database 'DB_MyDataBase'.
For i.e., when i'm connecting to the SQL server with a Login 'Laurent', That SQL Login 'Laurent' is the USER 'Laurel' on my database 'DB_MyDataBase'. For the moment, no problem.
But now for that 10 different Login and want to know their respective USER for my database 'DB_MyDataBase'.
After some research i've found a request that can do "the job"
sp_msloginmappings 'Laurent', 1
Normally, that show mapping user account info in current databases context for login account 'Laurent'
But when i tried it, i had a error message.
Nom d'objet 'dbo.syslogins' non valide.
Error message is : Object name 'dbo.syslogins' is not valid for non French users.
I've found another request which is working "a bit".
SET NOCOUNT ON
CREATE TABLE #temp
(
SERVER_name SYSNAME NULL ,
Database_name SYSNAME NULL ,
UserName SYSNAME ,
GroupName SYSNAME ,
LoginName SYSNAME NULL ,
DefDBName SYSNAME NULL ,
DefSchemaName SYSNAME NULL ,
UserID INT ,
[SID] VARBINARY(85)
)
DECLARE #command VARCHAR(MAX)
--this will contain all the databases (and their sizes!)
--on a server
DECLARE #databases TABLE
(
Database_name VARCHAR(128) ,
Database_size INT ,
remarks VARCHAR(255)
)
INSERT INTO #databases--stock the table with the list of databases
EXEC sp_databases
SELECT #command = COALESCE(#command, '') + '
USE ' + database_name + '
insert into #temp (UserName,GroupName, LoginName,
DefDBName, DefSchemaName,UserID,[SID])
Execute sp_helpuser
UPDATE #TEMP SET database_name=DB_NAME(),
server_name=##ServerName
where database_name is null
'
FROM #databases
EXECUTE ( #command )
SELECT loginname ,
UserName ,
Database_name
FROM #temp
WHERE LoginName = 'Laurent'
So that one is working it's listing all User mapped to that Login on every database BUT (there is always a "but"...) it's only working with the Login i use to connect.
For i.e. When i connect to the SQL server with Login 'Laurent' the previous request is working because i request for the same Login that i used to connect to the SQL server but when i connect with Login 'Laurent' and do the previous request with a different Login (so not 'Laurent' but another one which have a user mapped to my database 'DB_MyDataBase'.) I don't see anything, it returns me blank column....
Maybe it's because i'm not master on that SQL server.
So how i can list User mapped to a Login different from the one i'm connected?
I hope my question is clear enough (sorry for long text) and thanks for your future answer. Don't hesitate to ask me if you need further info to answer me.
What you can see will depend on the permissions of the user you are logged in as. This query against two of the security catalog views should give you what you want provided you have the necessary permission.
select
dp.name as UserName,
sp.name as LoginName
from
sys.database_principals dp
left join sys.server_principals sp on sp.sid = dp.sid
where
dp.type in ('S', 'U')
I am currently updating a MS SQL 2000 server to SQL 2008. One of the issues highlighted by the Upgrade advisor is that the undocumented table sysxlogins has been removed.
I currently have a procedure that is run by a user 'foo' to determine if the user 'bar' exists in the database blah. If the user exists the user's password is compared to the password that was passed in to the procedure in order to determine if bar is allowed to log in to an application, it looks like this:
#UserName Varchar(50),
#Password Varchar(50)
As
Set NoCount On
------------------------------------------------------------------------------------
-- Check username
------------------------------------------------------------------------------------
If Exists
(
select top 1 name
from blah.dbo.sysusers With (NoLock)
where name = #UserName
)
Begin
------------------------------------------------------------------------------------
-- Check Password
------------------------------------------------------------------------------------
If Not Exists
(
Select *
From master.dbo.sysxlogins With (NoLock)
Where srvid IS NULL
And name = #Username
And ( ((#Password is null) or (#Password = '') and password is null)
Or (pwdcompare(#Password, password, (CASE WHEN xstatus&2048 = 2048 THEN 1 ELSE 0 END)) = 1))
)
Begin
Return 2
End
Else
Begin
------------------------------------------------------------------------------------
-- Check Role
------------------------------------------------------------------------------------
Select usg.name
From blah.dbo.sysusers usu
left outer join (blah.dbo.sysmembers mem inner join blah.dbo.sysusers usg on mem.groupuid = usg.uid) on usu.uid = mem.memberuid
left outer join syslogins lo on usu.sid = lo.sid
where usu.name = #Username
and usg.name not like 'db_%'
Return 0 -- Username and password correct
End
End
Else
Begin
Return 1 -- Username incorrect
End
This all works fine under SQL 2000, yet I must now pay the price of using undocumented system tables and make it work under 2008.
There are two problems with this, the first problem is that foo can no longer see all of the database users when executing:
select * from blah.dbo.sysusers
or Microsoft's recommended alternative:
select * from blah.sys.database_principals
I understand that this is due to the fact that members of the public role no longer have access to object meta data unless they are a member of sysadmin or have the View Definition permission on the object.
It is not possible for foo to be a member of sysadmin, so as far as I understand I need to grant foo the View Definition permission, but on which object? I don't think I do it on the system view, so do I do it on every single user?
Secondly, and similarly, I need to change my reference to sysxlogins to sys.sql_logins. Again foo can only see itself and sa when executing
select * from sys.sql_logins
How can I get foo to see all of the server logins in this list?
There will no doubt be similar problems when accessing sysmembers and syslogins later on in the code but hopefully an understanding of the two examples above will help me to sort the rest out.
Thanks in advance,
You can grant the SELECT right directly on sys.database_principals, as long as the login has a user in the master database. For example:
use master
create user MyUser for login MyUser
grant select on sys.database_principals to MyUser
Then, in SQL Server 2008, passwords are encrypted, even for the administrator. You can, however, verify a password by trying to change it. The change procedure will give an error if the old password is incorrect.
declare #rc int
begin try
exec #rc = sp_password 'welcome', 'welcome', 'MyUser'
end try
begin catch
set #rc = ERROR_NUMBER()
end catch
-- Should be 0 on success
select #rc
For this to work, you have to disable Enforce password policy in the Login Properties dialog. Otherwise, the policy would prevent you from changing your password too often.
I think GRANT SELECT ON... is more troublesome as one have to add the user to the master database. The below was the solution for me:
USE master
GRANT VIEW ANY DEFINITION TO foo
If you have an app that works on various versions of SQL you need to check if the server version is higher then 8 (GRANT VIEW ANY DEFINITION works from SQL 2005 though it seemes not be needed there).
My work company has a MSSQL server 2005. I have two questions about finding out current log user and any way to send out a warning message:
First question is if there is any T-SQL or SP available to find out current login user name and machine name. If the user is using SQL server sa name to remotely access to SQL server, is there any way to find out that user's windows name (the name to log to the windows)?
My next question is that if I can get the user name or id, is there any way to send out a warning message such as "currently SQL server is clean up or backup, please do not log in at this time". I guess it may be difficult. I may have to send an email out to the user.
The SQL server is only accessible in the company. The SQL server has a list of users as login users: windows users, SQL users and sa.
SELECT SUSER_SNAME(), HOST_NAME()
If the connection is "sa" (or any other SQL login) then you can't find the domain/windows user name. SQL Server only knows it's "sa" or that SQL login.
HOST_NAME may not be reliable either, it can be set in the connection string ("Application Name"). Or it could be vague eg "Microsoft Office" for by default for Access, Excel etc
You could backtrack via client_net_address in sys.dm_exec_connections and match MAC address to IP and find out who is logged on...
An easy way to find out both host and user is
EXEC sp_who2;
where you get some other information that can be good to know, as if the user is active and so on...
It does not resolve the issues that gbn announced.
Thanks for all your suggestions first. I tried all the methods and I think Joakim Backman's method meet my need. Here is summary of what I find out.
Query of sys.syslogins only list login information. The accdate does not give the current login user timestamp. I tried to login from another application to my SQL and this query does not list the login.
SELECT SUSER_SNAME(), HOST_NAME() only list one user on SQL server. For example, I log in in as my name to SQL server. The result of this query only lists my name and machine name. This query does not list current users on the SQL server.
exec sp_who2 lists information I need. It lists current user name machine name, active status, db name user's access, and command used.
In order to get the information I use in SP, I have to filter and join the information with other tables, such as emails. Here is the codes I use:
DECLARE #retTable TABLE (
SPID int not null
, Status varchar (255) not null
, Login varchar (255) not null
, HostName varchar (255) not null
, BlkBy varchar(10) not null
, DBName varchar (255) null
, Command varchar (255) not null
, CPUTime int not null
, DiskIO int not null
, LastBatch varchar (255) not null
, ProgramName varchar (255) null
, SPID2 int not null
, REQUESTID INT
)
INSERT INTO #retTable EXEC sp_who2
SELECT Status, Login, HostName, DBName, Command, CPUTime, ProgramName -- *
FROM #retTable
--WHERE Login not like 'sa%' -- if not interested in sa
ORDER BY Login, HostName