Rename security group in AD, and mapped SQL login - sql-server

Example:
Let's say I have a group named group_01; the group is mapped to a SQL Server and given some rights on some stuff.
When I rename the group in Active Directory to any value, let's say group_01_OLD,
the group name won't change in SQL Server; it's still group_01.
Is this normal behavior? Can I force SQL to rename the group when it is renamed in AD?

A full answer is buried in the comments here: https://dba.stackexchange.com/questions/13766/user-windows-login-name-has-been-changed-in-ad-yet-session-in-sql-2008-profiler
Basically, a reboot of the whole server should pick up the change (assuming replication to all the DCs has already happened).
If you can't do that, you could try manually updating the name of the login:
ALTER LOGIN [domain\group_01] WITH NAME = [domain\group_01_OLD];

To complement Gabriel's answer: given your scenario (you have granted permissions to the group group_01), you must change the name in SQL using the ALTER LOGIN command
ALTER LOGIN [domain\group_01] WITH NAME = [domain\group_01_OLD];
The reason for this is that SQL Server looks for a matching login in its catalog views (i.e. sys.server_principals) within SQL itself before asking AD.
NOTE: When you rename a Windows login, SQL Server will verify that the new name matches the SID to verify that the login renaming is valid.
-Raul Garcia

A reboot does not fix anything as far as I've experienced. The SID is of course the same, but besides the change of login with...
ALTER LOGIN [domain\previousgroupname] WITH NAME = [domain\newgroupname];
...you also need to change Security\Users for each database the login has a role in, if you want the change reflected everywhere and not have mismatches between logins and users. This can be done using Management Studio by editing the group at Security\Logins and Mapping: untick the database, then tick it and choose the role again. Or use ALTER USER, but that's just a lot more typing.
USE [db]
ALTER USER [domain\previousgroupname] WITH NAME=[domain\newgroupname];
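The three answers above describe one procedure: rename the login, then rename the mapped user in every database. The script below is an added example (not code from any of the answers) that does both in one pass, keyed on the SID rather than the name, so the login and its users cannot drift apart. The names domain\group_01 and domain\group_01_OLD are placeholders, the rename is assumed to have replicated to the domain controller the instance talks to, and it is assumed to run as sysadmin (RAISERROR is used instead of THROW so it also works on SQL Server 2008).

```sql
-- Added example: rename a Windows group login and its database users by SID.
-- Assumes the AD group domain\group_01 was renamed to domain\group_01_OLD (placeholder names).
DECLARE @new_name sysname = N'domain\group_01_OLD';
DECLARE @sid      varbinary(85) = SUSER_SID(@new_name);  -- not yet a login here, so this asks Windows
DECLARE @old_name sysname;
DECLARE @db       sysname;
DECLARE @sql      nvarchar(max);

IF @sid IS NULL
BEGIN
    RAISERROR(N'Windows could not resolve %s; check the spelling and AD replication.', 16, 1, @new_name);
    RETURN;
END;

-- The instance still lists the group under its old name; the SID is the stable key.
SELECT @old_name = name
FROM sys.server_principals
WHERE sid = @sid AND type = 'G';     -- 'G' = Windows group ('U' would be a Windows user)

IF @old_name IS NULL
BEGIN
    RAISERROR(N'No Windows group login with the SID of %s exists on this instance.', 16, 1, @new_name);
    RETURN;
END;

-- Step 1: rename the server-level login. SQL Server verifies the new name maps to the same SID.
IF @old_name <> @new_name
BEGIN
    SET @sql = N'ALTER LOGIN ' + QUOTENAME(@old_name) + N' WITH NAME = ' + QUOTENAME(@new_name) + N';';
    EXEC sys.sp_executesql @sql;
    PRINT N'Renamed login ' + @old_name + N' to ' + @new_name;
END;

-- Step 2: rename the user that still carries the old name in each writable online database.
-- USE inside a dynamic batch changes context only for that batch, so no switching back is needed.
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = 'ONLINE' AND is_read_only = 0 AND name <> N'tempdb';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        DECLARE @user sysname =
            (SELECT TOP (1) name FROM sys.database_principals WHERE sid = @sid AND name = @old_name);
        IF @user IS NOT NULL
        BEGIN
            DECLARE @stmt nvarchar(max) = N''ALTER USER '' + QUOTENAME(@user)
                                        + N'' WITH NAME = '' + QUOTENAME(@new_name) + N'';'';
            EXEC sys.sp_executesql @stmt;
            PRINT N''Renamed user '' + @user + N'' to '' + @new_name + N'' in '' + DB_NAME();
        END;';
    EXEC sys.sp_executesql @sql,
         N'@sid varbinary(85), @old_name sysname, @new_name sysname',
         @sid = @sid, @old_name = @old_name, @new_name = @new_name;
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;
```

Matching on SID is what makes this safe: a user that was deliberately given a different name from its login is left alone, and a login that merely shares the old name but has a different SID (a recreated group) is never touched.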

Related

How to change dbo ownership to another user login in SQL Server 2008?

The existing Windows Server 2008 R2 with SQL Server 2008 was moved to another domain. The existing dbo owner belongs to the old domain.
I need to change the dbo ownership to a new login user, not to a 'sa'. I have seen some sample codes but I am not sure the correct syntax for the new user name.
I have already tried changing the ownership from within SQL Server Management Studio, in the properties of the database, and changing the value from the files, but it did work.
For instance, I see someone suggesting:
-- in master db
CREATE LOGIN [login1] WITH PASSWORD = '{Some Password}'
CREATE USER [login1] FOR LOGIN [login1]
-- in user db
CREATE USER [login1] FOR LOGIN [login1]
ALTER ROLE [db_owner] ADD MEMBER [login1]
The question I have is about the [login1] format.
Usually, the login is: domain\username
How do I replace the [login1] with the actual login name? What is the correct format?
Besides changing the dbo ownership, I would like to know if there is anything else that needs to be done, as standard procedures, when the server where the SQL database is installed, has changed to a different domain.
Thank you
The T-SQL statement ALTER AUTHORIZATION ON DATABASE::YourDatabase TO Login1; will change the database owner per the documentation.
The login or database name need only be enclosed when it doesn't conform to regular identifier naming rules (like Windows logins with the backslash). So for a domain user, the syntax with square brackets is:
ALTER AUTHORIZATION ON DATABASE::YourDatabase TO [YourDomain\Login1];
or alternatively double quotes:
ALTER AUTHORIZATION ON DATABASE::YourDatabase TO "YourDomain\Login1";
I suggest you avoid using a domain user as the database owner going forward. This way, you won't have the problem when the computer domain changes or if the owning domain account becomes invalid for some reason, such as the individual leaves the organization.
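After a domain move the first thing to know is which databases are still owned by a login the instance can no longer resolve. The query below is an added example (not from the answer above) that reports each user database's owner and flags the orphaned and domain-dependent ones; the ALTER AUTHORIZATION statement then reassigns one database, and YourDatabase and NewOwnerLogin are placeholders.

```sql
-- Added example: audit database owners after a domain change, then reassign.
SELECT d.name       AS database_name,
       sp.name      AS owner_login,      -- NULL when the owner SID matches no login on this instance
       sp.type_desc AS owner_type,
       CASE WHEN sp.sid IS NULL      THEN 'orphaned owner: reassign'
            WHEN sp.type IN ('U','G') THEN 'Windows principal: depends on the domain'
            ELSE                           'SQL login'
       END          AS assessment
FROM sys.databases AS d
LEFT JOIN sys.server_principals AS sp ON sp.sid = d.owner_sid
WHERE d.database_id > 4                 -- skip master, tempdb, model, msdb
ORDER BY d.name;

-- Generate the reassignments for the orphaned ones to a SQL login, review, then run them.
SELECT N'ALTER AUTHORIZATION ON DATABASE::' + QUOTENAME(d.name) + N' TO [NewOwnerLogin];' AS fix_statement
FROM sys.databases AS d
WHERE d.database_id > 4
  AND NOT EXISTS (SELECT 1 FROM sys.server_principals AS sp WHERE sp.sid = d.owner_sid);

-- Reassign a single database; the new owner is mapped to dbo inside that database.
ALTER AUTHORIZATION ON DATABASE::YourDatabase TO [NewOwnerLogin];
```

Joining on owner_sid rather than on a name is deliberate: after the move the old domain's SIDs are still recorded in sys.databases, and it is the missing match in sys.server_principals, not the name, that tells you the owner is gone.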

Windows NT user or group 'DOMAIN\USER' not found?

I am trying to create users on a SQL server from an Active Directory group, as an application I am working with does not natively support Windows authentication and relies upon individual logins being created on the SQL server, since application-level permissions are managed in the application rather than using SQL roles. Due to this, each user that is to access the application needs their own user created against the SQL instance that the application's database is on, so that the user can then be assigned individual permissions within the application.
I am reading the list of users from the Active Directory group we have designated using the following:
exec master..xp_logininfo 'domain\groupname', 'members'
This returns output similar to the following:
account name type privilege mapped login name permission path
DOMAIN\USER user user DOMAIN\USER DOMAIN\GROUPNAME
For the most part, the users returned in this list can be created on the SQL instance without any drama. I am creating the users as SQL accounts using sp_grantlogin in the first instance, before moving on to allow each new login access to the application database. However, a handful of users are being reported as not existing. I get the following error as a result of running sp_grantlogin:
Msg 15401, Level 11, State 1, Procedure sp_grantlogin, Line 49
Windows NT user or group 'DOMAIN\USER' not found. Check the name again.
Obviously in the above error message, I have removed the actual username. Why would xp_logininfo return a user that cannot be created with sp_grantlogin? Is there anything obvious that I am missing?
This just means that the user is not in the Administrator group. If your problem is like mine, where your Active Directory is on one Virtual Machine and your SQL Server on another, and you have joined your SQL Server Virtual Machine to the Active Directory domain, then you have to do the following on your SQL Server Virtual Machine.
Navigate to Tools --> Computer Management.
The window opens. Expand System Tools --> Local Users and Groups.
Click on Groups and you should see a list of groups in the right column of the window.
Double click Administrator; a new window opens and you will notice that the linked user is not under there.
Click Add; a new window opens. Here, under Location, you may choose to change the location to your domain.
Click Advanced; a log-in prompt opens. Simply log in with your administrator Virtual Machine account.
Click Find Now with all fields as is. From the list of users presented, double click the user imported from Active Directory and click OK.
Do you change the case of the login name before using sp_grantlogin?
If you have a case-sensitive server collation, then the case of the AD user needs to be specified in exactly the right case.
You can find the server collation by doing:
select serverproperty('collation')
If you do have a case-sensitive server collation and you don't mess with the case, there is probably a mismatch between what xp_logininfo is returning and the actual case in AD. In that case, try creating the user with variations on the case.
If none of this applies, look into the account. Is it disabled, can you log in with it, etc.? If suser_sid() returns null, then there must be some kind of problem with it.
I can give you my advice from doing this in Windows 7 although it may not be relevant.
The problem I had was that I had renamed the user account in the Windows UI. The name appeared correctly in Windows, and I used the new name to log on. But behind the scenes it was still using the old name which was what SQL Server was looking for.
I struggled with this for HOURS before I finally worked it out!!
I have also faced this error for users who were:
created in AD
granted some SQL permissions
renamed in AD
Then, when I try to add this new, renamed user account name to the same server/database, the error Msg 15401, Level 11, State 1, Procedure sp_grantlogin, Line 49 appears.
I followed the steps in http://support.microsoft.com/kb/324321/en-us and this command returned the old user account name from before the rename:
SELECT name FROM syslogins WHERE sid = SUSER_SID ('YourDomain\YourLogin')
It returned
YourDomain\OldLogin
After executing
exec sp_revokelogin 'YourDomain\OldLogin'
the problem was fixed; sp_grantlogin now works OK.
PS: as another test method I suggest running sp_grantlogin remotely, from another server. It may succeed too.
I had a very similar case, the same error code 15401, but in this case what I was doing was adding users from the domain into a group on the server where I had SQL; so then just add the group to the SQL engine with the same ROLE.
USE [master]
GO
CREATE LOGIN [localhost\Administrators] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
Msg 15401, Level 16, State 1, Line 3
Windows NT user or group 'localhost\Administrators' not found. Check the name again.
Then in the link "PRB: Use BUILTIN\Group to Grant Access to Predefined Windows NT Groups"
I found the issue, so the solution was:
USE [master]
GO
CREATE LOGIN [BUILTIN\Administrators] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
GO
ALTER SERVER ROLE [sysadmin] ADD MEMBER [BUILTIN\Administrators]
GO
Command(s) completed successfully.
I believe this is great to diminish the number of login accounts, and have a more manageable number of users assigned to the roles in the SQL server.
If you're using a non-English language, or have been using one on your machine, you might have to localize the user details you're trying to use.
E.g. [NT AUTHORITY\Network Service] on a Swedish machine is [NT INSTANS\Nätverkstjänst].
Spent hours trying to figure out why BUILTIN\, NT AUTHORITY\, <MachineName>\ etc. didn't work.
My issue was the length of the login. In Domain\User syntax, Windows uses the so called pre-Windows 2000 syntax. That syntax limits the length of the username to 20 characters. You have to truncate the username to the first 20 characters and then it should work, like so:
Domain\Abcdefghijklmnopqrstuvwxyz
Becomes
Domain\Abcdefghijklmnopqrst
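The answers above give several different causes for Msg 15401: a login that already holds the account's SID under a name it no longer has in AD, a case-sensitive server collation, a name Windows cannot resolve, and the 20-character pre-Windows 2000 limit. The script below is an added example (not from any of the answers) that runs those checks for one account before you call sp_grantlogin or CREATE LOGIN ... FROM WINDOWS; DOMAIN\USER is a placeholder for the name as xp_logininfo reported it.

```sql
-- Added example: triage checks for Msg 15401 before creating a Windows login.
DECLARE @name    sysname = N'DOMAIN\USER';                  -- placeholder account name
DECLARE @sid     varbinary(85) = SUSER_SID(@name);          -- NULL: Windows could not resolve it for the service account
DECLARE @account sysname = SUBSTRING(@name, CHARINDEX(N'\', @name) + 1, 128);

-- 1. Name resolution and the pre-Windows 2000 20-character account-name limit.
SELECT @name          AS requested_name,
       @sid           AS resolved_sid,
       LEN(@account)  AS account_length,
       CASE WHEN LEN(@account) > 20 THEN 'over 20 chars: try the truncated pre-Windows 2000 name'
            WHEN @sid IS NULL       THEN 'Windows did not resolve the name: check spelling, localisation, AD reachability'
            ELSE 'resolved' END AS name_check;

-- 2. A login that already owns this SID under another name (account renamed in AD after it was granted access).
--    sp_grantlogin fails because the SID is taken; rename or drop that login instead of creating a second one.
SELECT name AS existing_login, type_desc, is_disabled,
       CASE WHEN name = @name THEN 'login already exists'
            ELSE 'stale name: ALTER LOGIN ... WITH NAME = ..., or drop it' END AS action
FROM sys.server_principals
WHERE sid = @sid;

-- 3. Collation: with a case-sensitive or binary server collation the name must match AD's case exactly.
SELECT SERVERPROPERTY('Collation') AS server_collation,
       CASE WHEN CONVERT(nvarchar(128), SERVERPROPERTY('Collation')) LIKE N'%\_CS\_%' ESCAPE N'\'
              OR CONVERT(nvarchar(128), SERVERPROPERTY('Collation')) LIKE N'%\_BIN%'  ESCAPE N'\'
            THEN 'case-sensitive: match the case used in AD'
            ELSE 'case-insensitive' END AS name_comparison;

-- 4. What Windows says about the account (group membership path), or the error text if it is not found.
BEGIN TRY
    EXEC master..xp_logininfo @acctname = @name;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;
```

Check 2 is the one that explains the "xp_logininfo lists the user but sp_grantlogin rejects it" symptom in the question: xp_logininfo asks AD, while sp_grantlogin also has to reconcile the SID with what sys.server_principals already holds.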

Copying SQL Server Express database to another server

I need to copy a SQL Server Express database from one server to another (virtual) server.
I know how to do this for the database itself - with a backup and restore. I have also looked at this and this which show how to script this - that's great.
However, I also need the permissions to go with it but can't figure out how to do that.
Any pointers would be warmly welcomed.
The logins need to exist already on the destination server, but once they exist, you can wire-up the logins back to the users with a script like this:
sp_change_users_login 'Update_One', 'user-name', 'login-name'
More information on sp_change_users_login can be found on MSDN
Logins are at a server level. Users are at a per-database level. Generally I keep the login name and user name the same to avoid confusion, but they can be different. The Users define the permissions within the database and you've not lost them, just the link to the login.
As an alternative to sp_change_users_login
ALTER USER username WITH LOGIN = newlogin
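The two answers above describe the same repair: the users travel with the restored database, the logins do not, and the link between them is the SID. The script below is an added example (not from either answer) to run inside the restored database on the destination server: it lists the users whose SID matches no login there, and then remaps the SQL-authenticated ones to the login of the same name with ALTER USER ... WITH LOGIN. YourRestoredDatabase is a placeholder.

```sql
-- Added example: find orphaned users in a restored database and remap SQL users to logins.
USE YourRestoredDatabase;   -- placeholder
GO
-- Report: every user whose SID has no matching server login. Windows users and groups
-- stop being orphaned as soon as the same AD login is created, because their SID comes
-- from AD; SQL logins get a new SID per server unless created with the same SID.
SELECT dp.name      AS user_name,
       dp.type_desc AS user_type,
       CASE WHEN sp_by_name.name IS NULL THEN 'no login of this name: create the login first'
            ELSE 'login exists: remap with ALTER USER ... WITH LOGIN' END AS remedy
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp_by_name ON sp_by_name.name = dp.name
WHERE dp.type IN ('S', 'U', 'G')         -- SQL user, Windows user, Windows group
  AND dp.principal_id > 4                -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND dp.sid IS NOT NULL
  AND NOT EXISTS (SELECT 1 FROM sys.server_principals AS sp WHERE sp.sid = dp.sid)
ORDER BY dp.name;
-- Note: users created WITHOUT LOGIN also appear here; leave those alone.

-- Generate and run the remaps for SQL users whose login already exists on this instance.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql = @sql + N'ALTER USER ' + QUOTENAME(dp.name)
                   + N' WITH LOGIN = ' + QUOTENAME(sp.name) + N';' + CHAR(10)
FROM sys.database_principals AS dp
JOIN sys.server_principals AS sp ON sp.name = dp.name AND sp.type = 'S'   -- SQL login of the same name
WHERE dp.type = 'S' AND dp.principal_id > 4
  AND NOT EXISTS (SELECT 1 FROM sys.server_principals AS x WHERE x.sid = dp.sid);
PRINT @sql;                 -- review what is about to run
EXEC sys.sp_executesql @sql;
```

ALTER USER ... WITH LOGIN rewrites the user's SID to the login's, which is exactly what sp_change_users_login 'Update_One' did. To avoid the orphan in the first place, create each SQL login on the destination with the SID it had on the source (CREATE LOGIN ... WITH PASSWORD = ..., SID = 0x...), so the restored users match without any remapping.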

SQL Server: how to change login

I have many users in one database. All these users are named using "domain\" as a prefix. I would like to rename these user names by dropping this domain name from the user name. How to do that? In SQL Server Management Studio GUI user name is grayed and cannot be changed?
You do not. The DOMAIN\user user is a user that has no password and is tied to a DOMAIN ACCOUNT. If you drop the DOMAIN\ prefix, you have to assign it a password, basically moving authentication into the database.
User names can not be changed in SQL - you have to drop and recreate the login, then recreate the users in the databases.

Cannot Add a Sql Server Login

When I try to create a SQL Server Login by saying
CREATE LOGIN [ourdomain\SQLAccessGroup] FROM WINDOWS;
I get this error
The server principal 'ourdomain\SQLAccessGroup' already exists.
However, when I try this code
DROP LOGIN [ourdomain\SQLAccessGroup]
I get this error
Cannot drop the login 'ourdomain\SQLAccessGroup', because it does not exist or you do not have permission.
The user that I am executing this code as is a sysadmin. Additionally, the user ourdomain\SQLAccessGroup does not show up in this query
select * from sys.server_principals
Does anyone have any ideas?
We are still struggling to understand the HOW of this issue, but it seems that [ourdomain\SQLAccessGroup] was aliased by a consultant to a different user name (this is part of an MS CRM installation). We finally were able to use some logic and some good old SID comparisons to determine who was playing the imposter game.
Our hint came when I tried to add the login as a user to the database (since it supposedly already existed) and got this error:
The login already has an account under a different user name.
So, I started to examine each DB user and was able to figure out the culprit. I eventually tracked it down and was able to rename the user and login so that the CRM install would work. I wonder if I can bill them $165.00 an hour for my time... :-)
Is this when you are restoring from a backup or something? I've found that the following works for me in situations when I'm having problems with user accounts in SQL
EXEC sp_change_users_login 'Auto_Fix', 'user_in_here'
This happened to me when I installed SQL Server using a Windows username and then I renamed the computer name and the Windows username from Windows. SQL server still has the old "Computername\Username" in its node of Server->Security->Logins.
The solution is to go to Server->Security->Logins and right-click -> rename the old Windows user and use the new MachineName\Username.
I faced a similar issue and I believe the issue was a result of trying to recreate a login account after deleting an existing one with the same name.
Just go through the various databases on the server using SQL Studio.
Example steps:
DBName ->Security->users
At this level, for each of the databases, you may see the name of the user account there. Delete all occurrences in each database as well as its occurrence in the top-level Security settings at
Security->Logins
When done, try recreating the login account again and you should be fine.
I had the same story as Shadi.
On the top I can add that it can be also done by query:
ALTER LOGIN "oldname\RMS" WITH name="currentname\RMS"
