fix orphan users

  • Hi,

    Small security problem.

    I have done the restore from server1 to server2.

    and ran the sp_change_users_login 'report' to check for orphan users.

    I expected some username(s) to be displayed in the output but don't know why no users

    are listed out in the output. Expect the user "dbo". Why is it so?

    This is what i have done.

    I am migrating the datbases from SQL server 2000 with Service Pack 4 to

    SQL 2008 Standard Edition with SP1. I have taken the backups from 2000 sql server and

    restored in SQL 2008. Once restores are done. I have executed the below script to generate the logins

    USE master

    GO

    IF OBJECT_ID ('sp_hexadecimal') IS NOT NULL

    DROP PROCEDURE sp_hexadecimal

    GO

    CREATE PROCEDURE sp_hexadecimal

    @binvalue varbinary(256),

    @hexvalue varchar(256) OUTPUT

    AS

    DECLARE @charvalue varchar(256)

    DECLARE @i int

    DECLARE @length int

    DECLARE @hexstring char(16)

    SELECT @charvalue = '0x'

    SELECT @i = 1

    SELECT @length = DATALENGTH (@binvalue)

    SELECT @hexstring = '0123456789ABCDEF'

    WHILE (@i <= @length)

    BEGIN

    DECLARE @tempint int

    DECLARE @firstint int

    DECLARE @secondint int

    SELECT @tempint = CONVERT(int, SUBSTRING(@binvalue,@i,1))

    SELECT @firstint = FLOOR(@tempint/16)

    SELECT @secondint = @tempint - (@firstint*16)

    SELECT @charvalue = @charvalue +

    SUBSTRING(@hexstring, @firstint+1, 1) +

    SUBSTRING(@hexstring, @secondint+1, 1)

    SELECT @i = @i + 1

    END

    SELECT @hexvalue = @charvalue

    GO

    IF OBJECT_ID ('sp_help_revlogin_2000_to_2005') IS NOT NULL

    DROP PROCEDURE sp_help_revlogin_2000_to_2005

    GO

    CREATE PROCEDURE sp_help_revlogin_2000_to_2005

    @login_name sysname = NULL,

    @include_db bit = 0,

    @include_role bit = 0

    AS

    DECLARE @name sysname

    DECLARE @xstatus int

    DECLARE @binpwd varbinary (256)

    DECLARE @dfltdb varchar (256)

    DECLARE @txtpwd sysname

    DECLARE @tmpstr varchar (256)

    DECLARE @SID_varbinary varbinary(85)

    DECLARE @SID_string varchar(256)

    IF (@login_name IS NULL)

    DECLARE login_curs CURSOR STATIC FOR

    SELECT sid, [name], xstatus, password, isnull(db_name(dbid), 'master')

    FROM master.dbo.sysxlogins

    WHERE srvid IS NULL AND

    [name] <> 'sa'

    ELSE

    DECLARE login_curs CURSOR FOR

    SELECT sid, [name], xstatus, password, isnull(db_name(dbid), 'master')

    FROM master.dbo.sysxlogins

    WHERE srvid IS NULL AND

    [name] = @login_name

    OPEN login_curs

    FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @xstatus, @binpwd, @dfltdb

    IF (@@fetch_status = -1)

    BEGIN

    PRINT 'No login(s) found.'

    CLOSE login_curs

    DEALLOCATE login_curs

    RETURN -1

    END

    SET @tmpstr = '/* sp_help_revlogin script '

    PRINT @tmpstr

    SET @tmpstr = '** Generated '

    + CONVERT (varchar, GETDATE()) + ' on ' + @@SERVERNAME + ' */'

    PRINT @tmpstr

    PRINT ''

    PRINT ''

    PRINT ''

    PRINT '/***** CREATE LOGINS *****/'

    WHILE @@fetch_status = 0

    BEGIN

    PRINT ''

    SET @tmpstr = '-- Login: ' + @name

    PRINT @tmpstr

    IF (@xstatus & 4) = 4

    BEGIN -- NT authenticated account/group

    IF (@xstatus & 1) = 1

    BEGIN -- NT login is denied access

    SET @tmpstr = '' --'EXEC master..sp_denylogin ''' + @name + ''''

    PRINT @tmpstr

    END

    ELSE

    BEGIN -- NT login has access

    SET @tmpstr = 'IF NOT EXISTS (SELECT * FROM sys.server_principals WHERE [name] = ''' + @name + ''')'

    PRINT @tmpstr

    SET @tmpstr = CHAR(9) + 'CREATE LOGIN [' + @name + '] FROM WINDOWS'

    PRINT @tmpstr

    END

    END

    ELSE

    BEGIN -- SQL Server authentication

    EXEC sp_hexadecimal @SID_varbinary, @SID_string OUT

    IF (@binpwd IS NOT NULL)

    BEGIN -- Non-null password

    EXEC sp_hexadecimal @binpwd, @txtpwd OUT

    SET @tmpstr = 'CREATE LOGIN [' + @name + '] WITH PASSWORD=' + @txtpwd + ' HASHED'

    END

    ELSE

    BEGIN -- Null password

    SET @tmpstr = 'CREATE LOGIN [' + @name + '] WITH PASSWORD='''''

    END

    SET @tmpstr = @tmpstr + ', CHECK_POLICY=OFF, SID=' + @SID_string

    PRINT @tmpstr

    END

    FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @xstatus, @binpwd, @dfltdb

    END

    IF @include_db = 1

    BEGIN

    PRINT ''

    PRINT ''

    PRINT ''

    PRINT '/***** SET DEFAULT DATABASES *****/'

    FETCH FIRST FROM login_curs INTO @SID_varbinary, @name, @xstatus, @binpwd, @dfltdb

    WHILE @@fetch_status = 0

    BEGIN

    PRINT ''

    SET @tmpstr = '-- Login: ' + @name

    PRINT @tmpstr

    SET @tmpstr = 'ALTER LOGIN [' + @name + '] WITH DEFAULT_DATABASE=[' + @dfltdb + ']'

    PRINT @tmpstr

    FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @xstatus, @binpwd, @dfltdb

    END

    END

    IF @include_role = 1

    BEGIN

    PRINT ''

    PRINT ''

    PRINT ''

    PRINT '/***** SET SERVER ROLES *****/'

    FETCH FIRST FROM login_curs INTO @SID_varbinary, @name, @xstatus, @binpwd, @dfltdb

    WHILE @@fetch_status = 0

    BEGIN

    PRINT ''

    SET @tmpstr = '-- Login: ' + @name

    PRINT @tmpstr

    IF @xstatus &16 = 16 -- sysadmin

    BEGIN

    SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''sysadmin'''

    PRINT @tmpstr

    END

    IF @xstatus &32 = 32 -- securityadmin

    BEGIN

    SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''securityadmin'''

    PRINT @tmpstr

    END

    IF @xstatus &64 = 64 -- serveradmin

    BEGIN

    SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''serveradmin'''

    PRINT @tmpstr

    END

    IF @xstatus &128 = 128 -- setupadmin

    BEGIN

    SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''setupadmin'''

    PRINT @tmpstr

    END

    IF @xstatus &256 = 256 --processadmin

    BEGIN

    SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''processadmin'''

    PRINT @tmpstr

    END

    IF @xstatus &512 = 512 -- diskadmin

    BEGIN

    SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''diskadmin'''

    PRINT @tmpstr

    END

    IF @xstatus &1024 = 1024 -- dbcreator

    BEGIN

    SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''dbcreator'''

    PRINT @tmpstr

    END

    IF @xstatus &4096 = 4096 -- bulkadmin

    BEGIN

    SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''bulkadmin'''

    PRINT @tmpstr

    END

    FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @xstatus, @binpwd, @dfltdb

    END

    END

    CLOSE login_curs

    DEALLOCATE login_curs

    RETURN 0

    GO

    exec sp_help_revlogin_2000_to_2005 @login_name=NULL, @include_db=1, @include_role=1

    GO

    Reference Link : http://support.microsoft.com/kb/246133/

    Method 2

    Question(s)

    1. How the logins got automatically mapped? How sid(s) got Mapped? Normally, we use auto_fix/update_one as parameters to sp_change_users_login.

    2. Does we get any problems while mapping the logins if SQL 2000 and SQL 2008 are in different domains. If so, what kind of errors we can expect and how can we resolve them.

    3. Why "dbo" user is being dispalyed as orphan users? Because we cannot create a login saying "dbo". right? Then why it is showing "dbo".

    Correct me if am wrong?

    4. I have restored 10 databases, out of 10 , for 4 databases am getting "dbo" as orphan user. How to fix this?

    Thanks in Advance!

  • Changing the database owner to sa solved the "dbo" user problem

    USE database

    EXEC sp_changedbowner 'sa'

    GO

  • mahesh.vsp (1/12/2010)


    Changing the database owner to sa solved the "dbo" user problem

    USE database

    EXEC sp_changedbowner 'sa'

    GO

    Do you still need answers to your questions from the original post, or did you resolve those as well?

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw[/url]
    Learn Extended Events

  • Hi Jason,

    Am looking for answer for below two questions

    1. How the logins got automatically mapped? How sid(s) got Mapped? Normally, we use auto_fix/update_one as parameters to sp_change_users_login.

    2. Do we get any problems while mapping the logins if SQL 2000 and SQL 2008 are in different domains. If so, what kind of errors we can expect and how can we resolve them.

    Thanks for Reminding me 🙂

  • mahesh.vsp (1/14/2010)


    Hi Jason,

    Am looking for answer for below two questions

    1. How the logins got automatically mapped? How sid(s) got Mapped? Normally, we use auto_fix/update_one as parameters to sp_change_users_login.

    2. Do we get any problems while mapping the logins if SQL 2000 and SQL 2008 are in different domains. If so, what kind of errors we can expect and how can we resolve them.

    Thanks for Reminding me 🙂

    It looks like you ran sp_help_revlogin. That proc is used to transfer logins.

    If they are in different domains without a trust relationship, then you will encounter problems. If the trust is established, and proper domain is qualified when the accounts were created in SQL, then you should have NO problems.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw[/url]
    Learn Extended Events

  • Thanks Jason.

  • You're welcome

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw[/url]
    Learn Extended Events

Viewing 7 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic. Login to reply