Technical Article

Extracting Logins From SQL Server

,

I've had these three scripts in my toolbox for years, probably since it was originally published by MS as KB 246133. I never liked that they were stored procedures, nor did I like the need to create "helper" stored procedure 'sp_hexadecimal'.

So, the three scripts are now re-written as individual scripts; you can change the parameters @login_name, @include_db and @include_role to suit your needs/purposes.

/*******************************************************
* SQL 2005 Extract Logins 
* Hugh Scott
* 2010/01/06
*
* Description:
* Modified from the original to remove dependency on sp_VarbinaryToHex
* stored procedure. Other minor modifications as well.
*
* Modification History:
* Date            Initials    Modification
* 2010/01/06    HMS            - Original
*
*********************************************************/use master

DECLARE @login_name sysname 

SET @login_name = null

DECLARE @name sysname
DECLARE @type varchar (1)
DECLARE @hasaccess int
DECLARE @denylogin int
DECLARE @is_disabled int
DECLARE @PWD_varbinary varbinary (256)
DECLARE @PWD_string varchar (514)
DECLARE @SID_varbinary varbinary (85)
DECLARE @SID_string varchar (514)
DECLARE @tmpstr varchar (1024)
DECLARE @is_policy_checked varchar (3)
DECLARE @is_expiration_checked varchar (3)

DECLARE @defaultdb sysname

IF (@login_name IS NULL)
 DECLARE login_curs CURSOR FOR

 SELECT p.sid, p.name, p.type, p.is_disabled, p.default_database_name, l.hasaccess, l.denylogin FROM 
sys.server_principals p LEFT JOIN sys.syslogins l
 ON ( l.name = p.name ) WHERE p.type IN ( 'S', 'G', 'U' ) AND p.name <> 'sa'
ELSE
 DECLARE login_curs SCROLL CURSOR FOR


 SELECT p.sid, p.name, p.type, p.is_disabled, p.default_database_name, l.hasaccess, l.denylogin FROM 
sys.server_principals p LEFT JOIN sys.syslogins l
 ON ( l.name = p.name ) WHERE p.type IN ( 'S', 'G', 'U' ) AND p.name = @login_name
OPEN login_curs

FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @type, @is_disabled, @defaultdb, @hasaccess, @denylogin
IF (@@fetch_status = -1)
BEGIN
 PRINT 'No login(s) found.'
 CLOSE login_curs
 DEALLOCATE login_curs
 -- RETURN -1
END
SET @tmpstr = '/* sp_help_revlogin script '
PRINT @tmpstr
SET @tmpstr = '** Generated ' + CONVERT (varchar, GETDATE()) + ' on ' + @@SERVERNAME + ' */'
PRINT @tmpstr
PRINT ''
WHILE (@@fetch_status <> -1)
BEGIN
 IF (@@fetch_status <> -2)
 BEGIN
 PRINT ''
 SET @tmpstr = '-- Login: ' + @name
 PRINT @tmpstr
 IF (@type IN ( 'G', 'U'))
 BEGIN -- NT authenticated account/group

 SET @tmpstr = 'CREATE LOGIN ' + QUOTENAME( @name ) + ' FROM WINDOWS WITH DEFAULT_DATABASE = [' + @defaultdb + ']'
 END
 ELSE BEGIN -- SQL Server authentication
 -- obtain password and sid
 SET @PWD_varbinary = CAST( LOGINPROPERTY( @name, 'PasswordHash' ) AS varbinary (256) )
 -- EXEC sp_hexadecimal @PWD_varbinary, @PWD_string OUT
 SELECT @PWD_string = master.dbo.fn_varbintohexstr(@PWD_varbinary)


 -- EXEC sp_hexadecimal @SID_varbinary,@SID_string OUT
        SELECT @SID_string = master.dbo.fn_varbintohexstr(@SID_varbinary)

 -- obtain password policy state
 SELECT @is_policy_checked = CASE is_policy_checked WHEN 1 THEN 'ON' WHEN 0 THEN 'OFF' ELSE NULL END FROM sys.sql_logins WHERE name = @name
 SELECT @is_expiration_checked = CASE is_expiration_checked WHEN 1 THEN 'ON' WHEN 0 THEN 'OFF' ELSE NULL END FROM sys.sql_logins WHERE name = @name

 SET @tmpstr = 'CREATE LOGIN ' + QUOTENAME( @name ) + ' WITH PASSWORD = ' + @PWD_string + ' HASHED, SID = ' + @SID_string + ', DEFAULT_DATABASE = [' + @defaultdb + ']'

 IF ( @is_policy_checked IS NOT NULL )
 BEGIN
 SET @tmpstr = @tmpstr + ', CHECK_POLICY = ' + @is_policy_checked
 END
 IF ( @is_expiration_checked IS NOT NULL )
 BEGIN
 SET @tmpstr = @tmpstr + ', CHECK_EXPIRATION = ' + @is_expiration_checked
 END
 END
 IF (@denylogin = 1)
 BEGIN -- login is denied access
 SET @tmpstr = @tmpstr + '; DENY CONNECT SQL TO ' + QUOTENAME( @name )
 END
 ELSE IF (@hasaccess = 0)
 BEGIN -- login exists but does not have access
 SET @tmpstr = @tmpstr + '; REVOKE CONNECT SQL TO ' + QUOTENAME( @name )
 END
 IF (@is_disabled = 1)
 BEGIN -- login is disabled
 SET @tmpstr = @tmpstr + '; ALTER LOGIN ' + QUOTENAME( @name ) + ' DISABLE'
 END
 PRINT @tmpstr
 END

 FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @type, @is_disabled, @defaultdb, @hasaccess, @denylogin
 END
CLOSE login_curs
DEALLOCATE login_curs
-- RETURN 0
GO



/*******************************************************
* SQL 2000 Extract Logins 
* Hugh Scott
* 2010/01/06
*
* Description:
* Modified from the original to remove dependency on sp_VarbinaryToHex
* stored procedure. Other minor modifications as well.
*
* Modification History:
* Date            Initials    Modification
* 2010/01/06    HMS            - Original
*
*********************************************************/DECLARE @login_name sysname
DECLARE @include_db bit 
DECLARE @include_role bit

SET @login_name = null
SET @include_db = 1
SET @include_role = 1

DECLARE @name sysname
DECLARE @xstatus int
DECLARE @binpwd varbinary (256)
DECLARE @txtpwd sysname
DECLARE @tmpstr varchar (256)
DECLARE @SID_varbinary varbinary(85)
DECLARE @SID_string varchar(256)

IF (@login_name IS NULL)
 DECLARE login_curs CURSOR FOR 
 SELECT sid, name, xstatus, password FROM master..sysxlogins 
 WHERE srvid IS NULL AND name <> 'sa'
ELSE
 DECLARE login_curs SCROLL CURSOR FOR 
 SELECT sid, name, xstatus, password FROM master..sysxlogins 
 WHERE srvid IS NULL AND name = @login_name
OPEN login_curs 
FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @xstatus, @binpwd
IF (@@fetch_status = -1)
BEGIN
 PRINT 'No login(s) found.'
 CLOSE login_curs 
 DEALLOCATE login_curs 
 -- RETURN -1
END
SET @tmpstr = '/* sp_help_revlogin script ' 
PRINT @tmpstr
SET @tmpstr = '** Generated ' 
 + CONVERT (varchar, GETDATE()) + ' on ' + @@SERVERNAME + ' */'
PRINT @tmpstr
PRINT ''
PRINT 'DECLARE @pwd sysname'
WHILE (@@fetch_status <> -1)
BEGIN
 IF (@@fetch_status <> -2)
 BEGIN
 PRINT ''
 SET @tmpstr = '-- Login: ' + @name
 PRINT @tmpstr 
 IF (@xstatus & 4) = 4
 BEGIN -- NT authenticated account/group
 IF (@xstatus & 1) = 1
 BEGIN -- NT login is denied access
 SET @tmpstr = 'EXEC master..sp_denylogin ''' + @name + ''''
 PRINT @tmpstr 
 END
 ELSE BEGIN -- NT login has access
 SET @tmpstr = 'EXEC master..sp_grantlogin ''' + @name + ''''
 PRINT @tmpstr 
 END
 END
 ELSE BEGIN -- SQL Server authentication
 IF (@binpwd IS NOT NULL)
 BEGIN -- Non-null password
 -- EXEC sp_hexadecimal @binpwd, @txtpwd OUT
 SELECT @txtpwd = master.dbo.fn_varbintohexstr(@binpwd)
 IF (@xstatus & 2048) = 2048
 SET @tmpstr = 'SET @pwd = CONVERT (varchar(256), ' + @txtpwd + ')'
 ELSE
 SET @tmpstr = 'SET @pwd = CONVERT (varbinary(256), ' + @txtpwd + ')'
 PRINT @tmpstr
    -- EXEC sp_hexadecimal @SID_varbinary,@SID_string OUT
    SELECT @SID_string = master.dbo.fn_varbintohexstr(@SID_varbinary)
 SET @tmpstr = 'EXEC master..sp_addlogin ''' + @name 
 + ''', @pwd, @sid = ' + @SID_string + ', @encryptopt = '
 END
 ELSE BEGIN 
 -- Null password
    EXEC sp_hexadecimal @SID_varbinary,@SID_string OUT
 SET @tmpstr = 'EXEC master..sp_addlogin ''' + @name 
 + ''', NULL, @sid = ' + @SID_string + ', @encryptopt = '
 END
 IF (@xstatus & 2048) = 2048
 -- login upgraded from 6.5
 SET @tmpstr = @tmpstr + '''skip_encryption_old''' 
 ELSE 
 SET @tmpstr = @tmpstr + '''skip_encryption'''
 PRINT @tmpstr 
 END
 END
 FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @xstatus, @binpwd
 END
CLOSE login_curs 
DEALLOCATE login_curs 
-- RETURN 0
GO


/*******************************************************
* SQL 2000 Extract Logins and Roles
* Hugh Scott
* 2010/01/06
*
* Description:
* Modified from the original to remove dependency on sp_VarbinaryToHex
* stored procedure. Other minor modifications as well.
*
* Modification History:
* Date            Initials    Modification
* 2010/01/06    HMS            - Original
*
*********************************************************/DECLARE @login_name sysname
DECLARE @include_db bit 
DECLARE @include_role bit

SET @login_name = null
SET @include_db = 1
SET @include_role = 1

DECLARE @name sysname 
DECLARE @xstatus int 
DECLARE @binpwd varbinary (256) 
DECLARE @dfltdb varchar (256) 
DECLARE @txtpwd sysname 
DECLARE @tmpstr varchar (256) 
DECLARE @SID_varbinary varbinary(85) 
DECLARE @SID_string varchar(256) 

IF (@login_name IS NULL) 
DECLARE login_curs CURSOR FOR 
SELECT sid, [name], xstatus, password, isnull(db_name(dbid), 'master') 
FROM master.dbo.sysxlogins 
WHERE srvid IS NULL AND 
[name] <> 'sa' 
ELSE 
DECLARE login_curs SCROLL CURSOR FOR 
SELECT sid, [name], xstatus, password, isnull(db_name(dbid), 'master') 
FROM master.dbo.sysxlogins 
WHERE srvid IS NULL AND 
[name] = @login_name 

OPEN login_curs 

FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @xstatus, @binpwd, @dfltdb 

IF (@@fetch_status = -1) 
BEGIN 
    PRINT 'No login(s) found.' 
    CLOSE login_curs 
    DEALLOCATE login_curs 

END 

SET @tmpstr = '/* sp_help_revlogin script ' 
PRINT @tmpstr 
SET @tmpstr = '** Generated ' 
+ CONVERT (varchar, GETDATE()) + ' on ' + @@SERVERNAME + ' */' 
PRINT @tmpstr 
PRINT '' 
PRINT '' 
PRINT '' 
PRINT '/***** CREATE LOGINS *****/' 

WHILE @@fetch_status = 0 
BEGIN 
PRINT '' 
SET @tmpstr = '-- Login: ' + @name 
PRINT @tmpstr 

IF (@xstatus & 4) = 4 
BEGIN -- NT authenticated account/group 
IF (@xstatus & 1) = 1 
BEGIN -- NT login is denied access 
SET @tmpstr = '' --'EXEC master..sp_denylogin ''' + @name + '''' 
PRINT @tmpstr 
END 
ELSE 
BEGIN -- NT login has access 
SET @tmpstr = 'IF NOT EXISTS (SELECT * FROM sys.server_principals WHERE [name] = ''' + @name + ''')' 
PRINT @tmpstr 
SET @tmpstr = CHAR(9) + 'CREATE LOGIN [' + @name + '] FROM WINDOWS' 
PRINT @tmpstr 
END 
END 
ELSE 
BEGIN -- SQL Server authentication 
-- EXEC sp_hexadecimal @SID_varbinary, @SID_string OUT 
SELECT @SID_string = master.dbo.fn_varbintohexstr(@SID_varbinary)

IF (@binpwd IS NOT NULL) 
BEGIN -- Non-null password 
-- EXEC sp_hexadecimal @binpwd, @txtpwd OUT 
SELECT @txtpwd = master.dbo.fn_varbintohexstr(@binpwd)

SET @tmpstr = 'CREATE LOGIN [' + @name + '] WITH PASSWORD=' + @txtpwd + ' HASHED' 
END 
ELSE 
BEGIN -- Null password 
SET @tmpstr = 'CREATE LOGIN [' + @name + '] WITH PASSWORD=''''' 
END 

SET @tmpstr = @tmpstr + ', CHECK_POLICY=OFF, SID=' + @SID_string 
PRINT @tmpstr 
END 

FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @xstatus, @binpwd, @dfltdb 
END 

IF @include_db = 1 
BEGIN 
PRINT '' 
PRINT '' 
PRINT '' 
PRINT '/***** SET DEFAULT DATABASES *****/' 

FETCH FIRST FROM login_curs INTO @SID_varbinary, @name, @xstatus, @binpwd, @dfltdb 

WHILE @@fetch_status = 0 
BEGIN 
PRINT '' 
SET @tmpstr = '-- Login: ' + @name 
PRINT @tmpstr 

SET @tmpstr = 'ALTER LOGIN [' + @name + '] WITH DEFAULT_DATABASE=[' + @dfltdb + ']' 
PRINT @tmpstr 

FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @xstatus, @binpwd, @dfltdb 
END 
END 

IF @include_role = 1 
BEGIN 
PRINT '' 
PRINT '' 
PRINT '' 
PRINT '/***** SET SERVER ROLES *****/' 

FETCH FIRST FROM login_curs INTO @SID_varbinary, @name, @xstatus, @binpwd, @dfltdb 

WHILE @@fetch_status = 0 
BEGIN 
PRINT '' 
SET @tmpstr = '-- Login: ' + @name 
PRINT @tmpstr 

IF @xstatus &16 = 16 -- sysadmin 
BEGIN 
SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''sysadmin''' 
PRINT @tmpstr 
END 

IF @xstatus &32 = 32 -- securityadmin 
BEGIN 
SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''securityadmin''' 
PRINT @tmpstr 
END 

IF @xstatus &64 = 64 -- serveradmin 
BEGIN 
SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''serveradmin''' 
PRINT @tmpstr 
END 

IF @xstatus &128 = 128 -- setupadmin 
BEGIN 
SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''setupadmin''' 
PRINT @tmpstr 
END 

IF @xstatus &256 = 256 --processadmin 
BEGIN 
SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''processadmin''' 
PRINT @tmpstr 
END 

IF @xstatus &512 = 512 -- diskadmin 
BEGIN 
SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''diskadmin''' 
PRINT @tmpstr 
END 

IF @xstatus &1024 = 1024 -- dbcreator 
BEGIN 
SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''dbcreator''' 
PRINT @tmpstr 
END 

IF @xstatus &4096 = 4096 -- bulkadmin 
BEGIN 
SET @tmpstr = 'exec master.dbo.sp_addsrvrolemember @loginame=''' + @name + ''', @rolename=''bulkadmin''' 
PRINT @tmpstr 
END 

FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @xstatus, @binpwd, @dfltdb 
END 
END 

CLOSE login_curs 
DEALLOCATE login_curs

Rate

2.75 (4)

You rated this post out of 5. Change rating

Share

Share

Rate

2.75 (4)

You rated this post out of 5. Change rating