An AD group has CONTROL SERVER permission on SQL Server 2016 and I want to remove the ability for any member of that AD group to run 'GRANT 'permission' ON 'object' TO 'database principal' or the DENY command.
How would I go about doing this?
Thanks!
Related
Unfortunately I cannot find an answer to my problem.
I need a SQL Server login that allows to access, read, write/edit content of (a specific or several) database(s) and not more. So I created a new Login in SQL Server -> Security -> Logins. I have given all rights (User Mapping: db_datareader,db_datawriter - and also explicit permissions) that are needed for the purpose, but I cannot login to the server engine using SSMS and the created login with (yes) the correct password.
I already looked at the SQL Server logs which state:
Login failed for user 'example'.
Reason: Login-based server access validation failed with an infrastructure error. Login lacks Connect SQL permission.
Error: 18456, Severity: 14, State: 146
Needless to say I have also already granted Connect SQL Permission. I have also "login" enabled (in login settings). The server is in mixed authentication mode, connect rights given. Of course I can give server roles to this login (sysadmin) and suddenly I can login to the server engine, but, as said, I'm trying to adjust the permissions to my needs. Also restarted the server.
Already tried: cannot login to sql server with new user created
and: SQL Server sysadmin user server role
Other sources state to give sysadmin role, but this can't be the answer.
Has anyone ever come across this? Am I missing something simple?
The basics of SQL Server server-level permissions are:
SQL Server does not check permissions for sysadmin role members
GRANT and DENY permissions are cumulative (i.e. direct and via role memberships)
DENY takes precedence over GRANT of the same permission
All logins are a member of the built-in public role
After creating a login, the login is implicitly granted CONNECT SQL and inherits only the limited (out-of-the-box) public role permissions.
Based on the info in your question and comments, the effect of the DENY CONNECT SQL TO public; is that only sysadmin role members can connect (per #1 above) and all other logins cannot connect (#2, #3, and #4).
It is generally a best practice to avoid DENY. There is never a need to DENY a permission that was not previously granted or inherited via role membership. DENY is used in specialized cases where one needs to negate a permission granted via role membership. A login will not have server-level permissions like ALTER SERVER STATE and SHUTDOWN unless it is explicitly granted to the login or role the login belongs to.
The example below will provision a login with access to a database and grant read/write permissions to a table.
CREATE LOGIN YourLogin WITH PASSWORD='<password-here>';
USE YourDatabase;
CREATE USER YourLogin;
GRANTT SELECT, INSERT, UPDATE, DELETE TO YourLogin;
Run the query below to identify permissions inadvertently granted or denied to the public server role and execute the REVOKE script to remove the permission. Only the default VIEW ANY DATABASE permissions will remain.
SELECT N'REVOKE ' + perm.permission_name COLLATE DATABASE_DEFAULT + N' FROM ' + prin.name + N';' --, perm.state_desc, perm.permission_name
FROM sys.server_principals AS prin
JOIN sys.server_permissions AS perm ON perm.grantee_principal_id = prin.principal_id
WHERE
prin.name = 'public'
AND perm.class_desc = 'Server'
AND perm.permission_name <> 'VIEW ANY DATABASE';
I am scheduling a job in SQL Server, but the SQL Server Agent is not visible in my SQL Server Management Studio and I am using version Microsoft SQL Azure. After creating user and assigning sysadmin roles to it, the problem still lying there.
I have created a user through Login under Security tab in Object Explorer. Assigned the sysadmin roles to that user as following through the link.
USE [master]
GO
CREATE LOGIN [test] WITH PASSWORD=N'Cppa!66***', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
EXEC master..sp_addsrvrolemember #loginame = N'test', #rolename = N'sysadmin'
GO
I expect the result as after creating and assigning roles, the SQL Server Agent option must be visible under Object Explorer, but Nothing changes.
You are running SQL Express on a VM. I guess the VM happens to be on Azure. Regardless of VM location, SQL Express does not have SQL Agent.
If you want to schedule activities you can remote on to the VM and use windows scheduler.
Using portal.azure.com I've created SQL Server and SQL Database. I've set myself as the SQL Server admin.
I'm able to connect with my AAD account using SSMS.
I add another AAD users to my database:
use [MyDatabase]
CREATE USER [usename_emaildomain#EXT##mydirectory.onmicrosoft.com] FROM EXTERNAL PROVIDER;
--add read permissions
EXEC sp_addrolemember 'db_datareader', [usename_emaildomain#EXT##mydirectory.onmicrosoft.com]
But how do grant him admin rights so that he has full access to all databases? I'm able to sent only one admin in Azure Portal.
I don't know why SQL Azure only allows one security principal to be designated as admin but anyway....
You can assign one user or one group. So put all of your users in a group and assign that group as the administrator
I have the following script which creates a new database, a new user and login. I have some custom software that my clients use to log into the database and create the necessary tables, SP and populate the tables with data. The databases are hosted remotely online which I have full access to.
**EDIT-> The problem I have is that I cannot open a new connection and create any tables using the new user. Its looks like a permissions issue as it works ok with sa root account login.
Ideally I would like run this single script so I can deploy a new database to a new client via SQL Server Management Studio easily with the minimal of fuss
Please see my script below:
-- SEARCH AND REPLACE THE FOLLOWING TERMS
--
-- db_TestDatabase Database name
-- TestPa$$w0rd password
-- TestUser1 username
use master
go
--create a test database
CREATE DATABASE [db_TestDatabase]
GO
--create user login
CREATE LOGIN [TestUser1] WITH PASSWORD=N'TestPa$$w0rd'
GO
--create user in database
CREATE USER [TestUser1] FOR LOGIN [TestUser1] WITH DEFAULT_SCHEMA=[test_Schema]
GO
--create role
CREATE ROLE [test_Role] AUTHORIZATION [dbo]
GO
--create schema
CREATE SCHEMA [test_Schema] AUTHORIZATION [TestUser1]
GO
--apply permissions to schemas
GRANT ALTER ON SCHEMA::[test_Schema] TO [test_Role]
GO
GRANT CONTROL ON SCHEMA::[test_Schema] TO [test_Role]
GO
GRANT SELECT ON SCHEMA::[test_Schema] TO [test_Role]
GO
GRANT DELETE ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT INSERT ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT SELECT ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT UPDATE ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT REFERENCES ON SCHEMA::[dbo] TO [test_Role]
GO
--ensure role membership is correct
EXEC sp_addrolemember N'test_Role ', N'TestUser1'
GO
--allow users to create tables in test_Schema
GRANT CREATE TABLE TO [test_Role]
GO
--Allow user to connect to database
GRANT CONNECT TO [TestUser1]
Any suggestions would be appreciated.
Thank you
It could be a User Access Control issue, try right clicking Management Studio and Run as Administrator, if you have that privilege and it may get past the issue you're seeing.
Some related reading:
User Account Control and SQL Server
User Account Control affects Microsoft SQL Server in terms of
connectivity (SQL Server login) and in limiting access to resources on
the administrators’ access control list (ACL).
In versions earlier than Windows Vista and Windows Server 2008,
members of the local administrator group do not need their own SQL
Server logins and they do not need to be granted administrator
privileges inside SQL Server. They connect to SQL Server as the
built-in server principal BUILTIN\Administrators (B\A), and they have
administrator privileges because B\A is a member of the sysadmin fixed
server role. Administrator rights are stripped away in Windows Vista
and Windows Server 2008, so administrator users cannot connect to SQL
Server instance by virtue of being B\A, unless connecting from an
elevated client application.
SQL Server 2000 Standard, Windows 2003
My coworker removed 'BUILTIN\Administrators' group from SQL Server which results in 'SQL Server Agent' not working.
All my TSQLs to synchronize databases stopped working.
I have Administrator rights on the server and my database user is in sysadmin role.
Does any one have idea how to bring 'BUILTIN\Administrators' back without restoring master database from backup?
Edit: When I try to add Administrators or MACHINENAME\Administrators using Enterprise Manager I have this group on the list to choose, but when I accept my choice I have error:
Error 15041: Windows NT user or group 'MACHINENAME\Administrators' not found. Check the name again
of course instead of MACHINENAME I see my server name
Edit2: Found it
Login as sysadmin
Run following TSQL queries
EXEC sp_grantlogin 'BUILTIN\Administrators'
and
EXEC sp_addsrvrolemember 'BUILTIN\Administrators','sysadmin'
You don't want to re-add 'BUILTIN\Administrators' as it is a SQL Server 2000 security flaw. All domain administrators will have full sysadmin rights to your SQL Server to drop databases etc.
Find the account that is running SQL Agent (Right click SQL Server agent in enterprise manager and select properties). Then add this account as a SQL Server login using windows authentication and add it to the sysadmin fixed server role.
Another method is to connect to your SQL Server database with the "NT AUTHORITY\SYSTEM" account. This approach requires you to start SQL Server Management Studio as the system account. After connect, you can create a new login or reset sa password.
Using Enterprise Manager, can't you just go into Logins and add "Administrators" as a Windows Login to the server? Then add the login to the sysadmin role?
If you can't use "Administrators", try "MACHINENAME\Administrators" (obviously substituting MACHINENAME for the actual name).
Sorry I don't have a more definitive answer, I don't really want to try it :)