March 30, 2009 at 1:45 pm
As part of our SOX checks we use a non-sysadmin account to read all user accounts in the database and look to see what server roles they have and also what database roles each user has on each database.
This worked fine in MSSQL 2000 but I'm having trouble in MSSQL 2005 listing all users using an account that doesn't have either securityadmin or sysadmin. Using a non-admin account I only see roles (db_owner, db_access_admin, db_security_admin, db_ddladmin, etc), public, sa, dbo, guest, INFORMATION_SCHEMA, sys, and the non-admin user doing the select. I don't see any windows-authenticated accounts nor any other database accounts.
I need to read both sys.server_principals and sys.database_principals using a non-privileged account and retrieve information about ALL accounts.
Does anyone have any suggestions how I can get this information?
Thanks.
March 30, 2009 at 3:18 pm
If you do a sp_helptext on sys.server_principals or sys.database_principals you can see that MS is only showing roles and default logins/users and the logged in user intentionally. I would guess that someone smarter than I would be able to tell you how to get around it.
Jack Corbett
Consultant - Straight Path Solutions
Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
March 30, 2009 at 3:40 pm
I'm not familiar with sp_helptext but I did grab the mssqlsystemresouce database and look at the source for sys.server_principals and saw where they're restricting (using the function has_access) what rows are returned. Unfortunately, I can't directly query the underlying table/view on which server_principals is based.
How are other people doing this kind of SOX access review?
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply