December 16, 2009 at 8:49 am
Hi,
From one of the database data has been deleted. Appuser and some other user have read write access to the database. We have recover the data with the help of Full and Tlog backups.
Now I want to know the user who deleted the data. Any on this please.
December 16, 2009 at 9:27 am
The only way you can do this is if you've set up some auditing method prior to the deletes occurring or if you've got a trace running that captured the calls to the database. Otherwise, there's no real way of knowing after the fact.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
December 16, 2009 at 9:30 am
That data can probably be retreived from the transaction log.
ApexSQL (www.apexsql.com) has a log reader product called Apex SQL Log. You can get a free trial of it.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
December 16, 2009 at 11:09 am
Thank you for you replies.
I will try to download ApexSQL Log and will check. Thanks!
December 16, 2009 at 11:44 am
As far as I'm aware, what's in the log is the uid, the database user id. If the person who deleted the data was a sysadmin, that'll be dbo and there won't be any way to link that to a login.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
December 16, 2009 at 11:48 am
GilaMonster (12/16/2009)
As far as I'm aware, what's in the log is the uid, the database user id. If the person who deleted the data was a sysadmin, that'll be dbo and there won't be any way to link that to a login.
Absolutely, or if you've got a service account that the apps use for connecting, there's no individual login recorded there too. Or if your users are coming in through an AD group, same issue.
But, if your users are all coming in through individual logins, you might be able to get it.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
December 16, 2009 at 11:53 am
Grant Fritchey (12/16/2009)
GilaMonster (12/16/2009)
As far as I'm aware, what's in the log is the uid, the database user id. If the person who deleted the data was a sysadmin, that'll be dbo and there won't be any way to link that to a login.Absolutely, or if you've got a service account that the apps use for connecting, there's no individual login recorded there too. Or if your users are coming in through an AD group, same issue.
But, if your users are all coming in through individual logins, you might be able to get it.
Yep. But if there's any chance of getting it at all, log parsing is the only way I can think of.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply