This code is created as a stored procedure, which is saved in a DBA maintenance database. Create a SQL Agent job that executes this proc daily, weekly, or monthly (DBA's choice) for automatic notifications. When the report is received, review the report for any database roles that can be removed from the server\instance.
The intention of this script is to assist with security maintenance and server cleanup. Deprecated database roles never need clog up the instance again.
CREATE PROCEDURE [dbo].[spDQ_UnusedDatabaseRoles]
@emails VARCHAR(255) = NULL
AS
/*-------------------------------------------------------------------------------------------------------
DESCRIPTION: This is a Data Quality proc created to list all user-created database roles that do not
currently have a login mapped to them.
-------------------------------------------------------------------------------------------------------*/
SET NOCOUNT ON;
--check if temp table exists and drop
IF (SELECT Object_ID('tempdb..#Databases') ) IS NOT NULL
DROP TABLE #Databases;
-- create table and load db names
IF (SELECT Object_ID('tempdb..##UnusedDatabaseRoles') ) IS NOT NULL
DROP TABLE ##UnusedDatabaseRoles;
CREATE TABLE #Databases (DatabaseID INT IDENTITY(1,1) PRIMARY KEY NONCLUSTERED, DBName VARCHAR(50));
INSERT INTO #Databases (DBname)
SELECT [Name] AS DBname
FROM MASTER.sys.databases
WHERE [Name] NOT IN ('model', 'tempdb')
AND source_Database_ID IS NULL;
--Do not check Model or TempDB databases, and ignore all snapshots
CREATE TABLE ##UnusedDatabaseRoles (DBName VARCHAR(50), RoleName VARCHAR(50));
-- declare/init vars
DECLARE @LoopCounter int, @DBName varCHAR(100), @sqlstmt varCHAR(5000);
SET @LoopCounter = 1;
WHILE @LoopCounter <= (SELECT COUNT(DBname) FROM #Databases)
BEGIN
-- change to new db
SELECT @DBName = DBname FROM #Databases
WHERE DatabaseID = @LoopCounter;
SET @sqlstmt = 'USE ['+@DBName+'];' + CHAR(10);
--db role menbership
SET @sqlstmt = @sqlstmt + CHAR(10)
+ 'INSERT INTO ##UnusedDatabaseRoles (DBName, RoleName)
SELECT DISTINCT ''' + @DBName + ''', RP.Name
FROM sys.database_principals RP
LEFT OUTER JOIN sys.database_role_members R
ON RP.principal_id = R.role_principal_id
WHERE RP.Type_Desc = ''DATABASE_ROLE'' AND R.role_principal_id IS NULL
AND RP.is_fixed_role = 0 AND RP.principal_id > 0
AND RP.Name NOT IN (''db_dtsadmin'',''db_dtsltduser'',''db_dtsoperator'')';
--This last line allows the DBA to skip any system database level roles that will never have users mapped to them
--PRINT @sqlstmt; --debug syntax
EXECUTE (@sqlstmt);
SET @LoopCounter = @LoopCounter + 1;
END;
DECLARE @profile VARCHAR(50), @dsql VARCHAR(2000), @filename VARCHAR(50), @rwcnt INT = 0;
IF (@emails IS NULL)
BEGIN
SET @emails='DBAeMail@myCompany.com';
END;
SELECT @profile = CASE @@SERVERNAME WHEN 'Dev' THEN 'MyCompany_Dev@MyCompany.com'
WHEN 'Test' THEN 'MyCompany_Test@MyCompany.com'
WHEN 'QC' THEN 'MyCompany_QC@MyCompany.com'
WHEN 'Prod' THEN 'MyCompany@MyCompany.com' END;
--Sets the DB Mail profile for a multiple Instance environment.
--The CASE statement is not needed for Single Server / Environment setups or single (default) profile setups
SET @filename = 'UnusedDatabaseRoles_' + LEFT(CONVERT(VARCHAR(20),GETDATE(),112),8) + '.txt';
SELECT @rwcnt = COUNT(RoleName)
FROM ##UnusedDatabaseRoles;
IF (@rwcnt>0)
BEGIN
SET @dSQL='SET NOCOUNT ON;
SELECT DBName, RoleName
FROM ##UnusedDatabaseRoles;
SET NOCOUNT OFF;';
EXEC msdb.dbo.sp_send_dbmail
@profile_name = @profile,
@recipients = @emails,
@query = @dsql,
@subject = 'Weekly DQ Report of Unused Database Roles',
@body = 'The Database Roles in the below file are not being used by any login. Please that these roles are still required. This is an automated email. Do NOT directly respond or reply.
If you have any questions, please contact the DBA team at DBAeMail@MyCompany.com.',
@attach_query_result_as_file = 1,
@query_attachment_filename =@filename;
END; 
We ran into a case recently where we had the logins and users scripted out on my SQL Server instances, but we didn't have the fixed database roles for a critical database. As a result, our recovery efforts were only partially successful. We ended up trying to figure out what the database role memberships were for that database we recovered but we'd like not to be in that situation again. Is there an easy way to do this?
2011-02-23
3,104 reads
In a previous tip on creating a Function to Return Default SQL Server Backup Folder , you've seen how you can create a T-SQL function to query the registry and retrieve the default SQL Server Backup folder. Is there an easier way to do it in Windows PowerShell?
2010-04-23
2,763 reads
Lists details for all indexes on one or more tables / schemas, including row count and size. This version outputs the member seek + include columns as two comma separated output columns.
2009-01-19 (first published: 2008-08-01)
2,472 reads
Searches for actual and potential foreign key columns for a given primary key reference.
2009-10-12 (first published: 2008-06-20)
2,498 reads
Searches precompiled procedures for the provided search string, optionally limiting to names matching a 2nd search string.
2009-10-08 (first published: 2008-06-20)
1,890 reads