May 24, 2021 at 8:38 pm
I am confused by some results I am getting.
If I run this
EXEC xp_logininfo [MyDomain\LisaM] , 'all'
I get 4 results
account nametypeprivilege mapped login namepermission path
------------ ---- --------- ---------------- -----------------
MyDomain\LisaMuseruser MyDomain\LisaMMyDomain\DataUser
MyDomain\LisaMuseruser MyDomain\LisaMMyDomain\MechanicLogUsers
MyDomain\LisaMuseruser MyDomain\LisaMMyDomain\QA
MyDomain\LisaMuseruser MyDomain\LisaMMyDomain\ShopOrderEntry
But if I run this, based on 1 of the results above,
EXEC xp_logininfo 'MyDomain\MechanicLogUsers', 'members'
I do not get a result for MyDomain\LisaM
May 24, 2021 at 9:18 pm
Try this from cmd window:
NET GROUP MechanicLogUsers /DOMAIN
Does it show the user?
May 24, 2021 at 9:44 pm
NET GROUP Error: This command can be used only on a Windows Domain Controller.
The user does display in other groups.
If I run :
EXEC xp_logininfo 'MyDomain\ShopOrderEntry', 'members'
I do get a result for LisaM
May 24, 2021 at 9:59 pm
The results can be misleading when it's different group types - Universal (which xp_logininfo doesn't support), Global, Domain Local and when it involves nested groups. It can be a challenge when one group type is nested into another group type. I'd suspect its something like that going on.
Sue
May 25, 2021 at 6:47 am
Nested groups also, as a group can contain a group
So using your data as an example (this may or may not be right you need to go check AD with your WinTel admins key word example)
Lisa is a member of ShopOrderEntry.
ShopOrderEntry will be a member of MechanicLogUsers
If both of those groups are present on the SQL server it will evaluate that as two different permission paths.
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply