March 26, 2010 at 11:31 am
Hi,
Is there a way to track who is creating or droping users in the DB, and changing permissions for users? -- from which machine this happened would be the best.
We have an issue on sporadic disapearing some login from different DB, and we cannot pin point how this is happening. Any idea how to track this?
Thanks.
March 26, 2010 at 11:41 am
keep in mind that if someone is restoring the database, the restore point might not have the users you are adding back constantly; that's a probable thing to look for first.
after that, if you are sure someone is actually dropping users, you'd have to use a DDL trigger;
here's one i put together after reading BOL, it is untested:
CREATE TRIGGER TR_DB_UserEvents
ON DATABASE
FOR --CREATE_USER,-- (Applies to the CREATE USER statement, sp_adduser, and sp_grantdbaccess.)
--ALTER_USER,-- (Applies to ALTER USER statement and sp_change_users_login.)
DROP_USER
AS
-- Get the EventData XML:
DECLARE @x AS XML
SELECT @x = EVENTDATA()
-- Check DB & Schema:
IF @x.value('(/EVENT_INSTANCE/DatabaseName)[1]','nvarchar(max)') = 'YourDB'
BEGIN
RAISERROR ('DB Trigger "TR_DB_UserEvents" does not allow Users to be dropped in this schema.', 16, 1)
ROLLBACK
END
END
GO
Lowell
March 26, 2010 at 8:57 pm
For an ad-hoc requirement, you could set up a Profiler trace on Security Audit -> Audit Database Principal Management Event.
Event sub-class 3 captures user drops.
You could also use an Event Notification based on the AUDIT_DATABASE_OBJECT_MANAGEMENT_EVENT trace event. Event Notifications are less intrusive than DDL Triggers, since they do not form part of the initiating transaction. You also have to be careful of session SETtings, like QUOTED_IDENTIFIER, when calling XML methods in a DDL Trigger.
Paul White
SQLPerformance.com
SQLkiwi blog
@SQL_Kiwi
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply