Who TOOK the backup?

  • The situation is that someone took the backup of the DB (which nobody should), which made the available space on the drive very low. Now nobody knows about it and the manager is pissed. Is there a way to find out who took the backup?

    "He who learns for the sake of haughtiness, dies ignorant. He who learns only to talk, rather than to act, dies a hyprocite. He who learns for the mere sake of debating, dies irreligious. He who learns only to accumulate wealth, dies an atheist. And he who learns for the sake of action, dies a mystic."[/i]

  • I am not sure about this, but I think you can go in like you are restoring the backup. At the backup sets to restore it give a username, I think this is the user that took the backup.

  • You can get this information from msdb.dbo.backupset

    SELECT name,

    description,

    user_name,

    database_creation_date,

    backup_start_date,

    backup_finish_date,

    backup_size,

    database_name,

    server_name,

    machine_name

    FROM msdb.dbo.backupset

    "I cant stress enough the importance of switching from a sequential files mindset to set-based thinking. After you make the switch, you can spend your time tuning and optimizing your queries instead of maintaining lengthy, poor-performing code."

    -- Itzik Ben-Gan 2001

  • Alan.B (7/1/2014)


    You can get this information from msdb.dbo.backupset

    SELECT name,

    description,

    user_name,

    database_creation_date,

    backup_start_date,

    backup_finish_date,

    backup_size,

    database_name,

    server_name,

    machine_name

    FROM msdb.dbo.backupset

    Thanks. It gave me all the details.

    I also right clicked on the backup set -->properties and then details which also gave me the user who took the backup.

    "He who learns for the sake of haughtiness, dies ignorant. He who learns only to talk, rather than to act, dies a hyprocite. He who learns for the mere sake of debating, dies irreligious. He who learns only to accumulate wealth, dies an atheist. And he who learns for the sake of action, dies a mystic."[/i]

  • New Born DBA (7/1/2014)


    I also right clicked on the backup set -->properties and then details which also gave me the user who took the backup.

    That'll most likely be the output from RESTORE HEADERONLY, another way to do it 🙂

    RESTORE HEADERONLY FROM DISK = N'path to .bak file'

    Gaz

  • New Born DBA (7/1/2014)


    Alan.B (7/1/2014)


    You can get this information from msdb.dbo.backupset

    SELECT name,

    description,

    user_name,

    database_creation_date,

    backup_start_date,

    backup_finish_date,

    backup_size,

    database_name,

    server_name,

    machine_name

    FROM msdb.dbo.backupset

    Thanks. It gave me all the details.

    I also right clicked on the backup set -->properties and then details which also gave me the user who took the backup.

    NP. Glad to help!

    "I cant stress enough the importance of switching from a sequential files mindset to set-based thinking. After you make the switch, you can spend your time tuning and optimizing your queries instead of maintaining lengthy, poor-performing code."

    -- Itzik Ben-Gan 2001

  • New Born DBA (7/1/2014)


    The situation is that someone took the backup of the DB (which nobody should), which made the available space on the drive very low. Now nobody knows about it and the manager is pissed. Is there a way to find out who took the backup?

    This is one of many reasons why it's important that only DBAs can do backups, which normally means that only DBAs have SA privs.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Jeff Moden (7/1/2014)This is one of many reasons why it's important that only DBAs can do backups, which normally means that only DBAs have SA privs.

    I completely agree with you, but there are around 4 or 5 users who have SA privs.

    I don't know much about it, but I was thinking maybe setting up proxy to help us catch the culprit next time? I mean I already know SA user took the backup but I don't know who logged in as SA.

    "He who learns for the sake of haughtiness, dies ignorant. He who learns only to talk, rather than to act, dies a hyprocite. He who learns for the mere sake of debating, dies irreligious. He who learns only to accumulate wealth, dies an atheist. And he who learns for the sake of action, dies a mystic."[/i]

  • You could capture a lot more information using extended events. You can usually capture machine name and other information with it. I'm not sure which event I'd set this one up for. There's not a specific backup related event. You would have to try to capture the T-SQL statement I suppose, but that means a string search to see the command "BACKUP DATABASE." Maybe not the most efficient method. However, it would work.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • New Born DBA (7/1/2014)


    Jeff Moden (7/1/2014)This is one of many reasons why it's important that only DBAs can do backups, which normally means that only DBAs have SA privs.

    I completely agree with you, but there are around 4 or 5 users who have SA privs.

    I don't know much about it, but I was thinking maybe setting up proxy to help us catch the culprit next time? I mean I already know SA user took the backup but I don't know who logged in as SA.

    change the sa password (to something strong) and then disable it. There should not be a need to use sa. If people really need sysadmin grant it to their personal accounts or a windows group they are all members of.

    ---------------------------------------------------------------------

  • george sibbald (7/2/2014)change the sa password (to something strong) and then disable it. There should not be a need to use sa. If people really need sysadmin grant it to their personal accounts or a windows group they are all members of.

    Already changed the password.

    Thanks!

    "He who learns for the sake of haughtiness, dies ignorant. He who learns only to talk, rather than to act, dies a hyprocite. He who learns for the mere sake of debating, dies irreligious. He who learns only to accumulate wealth, dies an atheist. And he who learns for the sake of action, dies a mystic."[/i]

  • You can set up a server-side trace to capture who is logging in as sa- well, which hostname they logged in from, anyway. That might be worth doing if you have your suspicions (and are able to link a hostname to an individual).

Viewing 12 posts - 1 through 11 (of 11 total)

You must be logged in to reply to this topic. Login to reply