Technical Article

dropUnusedLogins

,

For those site using SQL Server ids as opposed to Integrated security there may be instances where occasionally SQL Server logins might get 'orphaned'. That is the login is not a member of any server group that has general database access nor does that login have specific access to any particular database.  Compile this proc in master and run periodically to delete these logins as a potential security exposure.  If you would rather not delete the ids, comment out the line "EXEC sp_droplogin @username" and the proc will just report on ids that would be removed.  Then you can decide whether these ids should or should not be removed.  

DECLARE @username sysname
DECLARE @objname  sysname
DECLARE @found integer
DECLARE @sql nvarchar(4000)

SET     @username = ' '
WHILE@username IS NOT NULL
BEGIN
SELECT @username = MIN(name)
FROM master.dbo.syslogins 
WHERE sysadmin = 0
AND securityadmin = 0
AND serveradmin = 0
AND setupadmin = 0
AND processadmin = 0
AND diskadmin = 0
AND dbcreator = 0
AND bulkadmin = 0
AND name > @username
-- this is the list of non system logins
-- ids in server roles may not have corresponding users
-- any database but they should not be rremoved
SET  @found = 0

IF @username IS NOT NULL
BEGIN
--  now we search through each non system database 
--  to see if this login has database access
SET  @objname = ''
WHILE@objname IS NOT NULL
BEGIN
SELECT @objname = MIN( name ) FROM master.dbo.sysdatabases
WHERE name NOT IN ('master', 'model', 'msdb', 'tempdb')
AND name > @objname

IF@objname IS NOT NULL
BEGIN
SET @sql = N'SELECT @found = COUNT(*) FROM ' + @objname 
+ N'.dbo.sysusers s JOIN master.dbo.sysxlogins x 
ON s.sid = x.sid WHERE hasdbaccess = 1 AND x.name = '''+ @username + ''''

EXEC sp_executesql @sql,N'@found Int OUTPUT',@found OUTPUT
--SELECT @found, @objname, @username
IF @found IS NOT NULL AND @found > 0 
SET @objname = 'zzzzz'  -- terminate as a corresponding user has been found
END
END
IF @found = 0 
BEGIN
EXEC sp_droplogin @username
SELECT @username + ' was removed ' + CONVERT(varchar(23),getdate())
END
END
END

Rate

You rated this post out of 5. Change rating

Share

Join the discussion and add your comment

Share

Rate

You rated this post out of 5. Change rating

Related content

SQLServerCentral Article

Harnessing SQL Server Metadata- Disabling and Rebuilding Indexes

When doing bulk data changes it may be beneficial to disable indexes prior to starting the operation. Fortunately, SQL's rich metadata makes this very easy to automate in a robust fashion.

4.92 (12)

You rated this post out of 5. Change rating

2018-05-18 (first published: )

4,845 reads

Technical Article

Query to Display Trigger Status

Ever wanted to know whether your triggers are enabled or not? The ObjectProperty command allows you to select information about the status of objects in your database, returning 1 for True and 0 for False. The example below determines whether a single trigger is disabled. SELECT ObjectProperty(object_id('Trigger_Name'), 'ExecIsTriggerDisabled') There are a number of other useful […]

5 (1)

You rated this post out of 5. Change rating

2001-10-28

1,267 reads