I am trying to grant a domain user to SQL Server 2008. This user should be able to login to the DB using server management studio, and run PowerShell scripts doing SELECT queries to a database. My problem is my settings does not persist.
In server management studio, I right click on Security->Logins->right click on ->Properties->User mappings-> tick my database which happens to be the first one, granted 'db_datareader' and 'public'.
Click OK.
No error pops up.
But when I check the user mappings again, my database is no longer ticked! What have I missed? Really puzzled... must be something very simple...
--update--:
soved: deleted the login+user, added them back,and the rest.. now ok. many thx!
It happens sometimes when user has no connect permission or the permission has been revoked.
Grant connect to [user]
use master;
GO
create login [<domain\user>] from windows;
GO
use [<yourdb>];
GO
create user [<domain\user>] for login [<domain\user>];
GO
ALTER ROLE db_datareader ADD MEMBER [<domain\user>];
GO
Related
how its possible to see 'sa' login in connection with login which have only granted to read some views? Probably cant to edit anything, but can see. And also can see list of databases, but cant to open. All in SQL Management Studio. Login just created by:
create login YourTpvLogin with password = 'enter new password here'
go
create user YourTpvUser for login YourTpvLogin
go
grant select on YourView to YourTpvUser
Thank you for explanation or way how to fix it.
Ok... First of all Every SQL Server login belongs to the public server role. Next - The public server role is granted VIEW ANY DATABASE permission which means that a login that is granted this permission can see metadata that describes all databases including master database which in turn records all the system-level information for a SQL Server system including information about SQl server logins and sa login of course is not an exception.
So... any new login can see all databases and logins but can't modify them.
Possible "solution" for hiding databases is to deny a login the VIEW ANY DATABASE permission.
To limit visibility to database metadata, deny a login the VIEW ANY
DATABASE permission. After this permission is denied, a login can see
only metadata for master, tempdb, and databases that the login owns.
And... you can't completely hide the sa login because every login must be able to read server's metadata from the master database.
I executed the task Take offline of a SQL Server 2008 R2 database.
I cant bring it online!
I tried with
USE master;
GO
ALTER DATABASE [DBNAME] SET ONLINE
I get an error.
User does not have permission to alter database 'DBNAME', the database
does not exist, or the database is not in a state that allows access
checks.
I also tried using the task Bring online and I get the exact same error.
Can anyone help me asap?
I think you're going to need to login with the SA account, or some other account with sysadmin privileges, and then run your code to put it back online. While you're in there, add sysadmin to your account, too. If you don't own the database, you may need to talk to someone else to get the SA password, or ask them to do it for you. Unless you don't have the SA password or it's been dumbed down for security reasons.
Your error is too generic to be usable. Do you actually have the rights to alter the database (I guess you do if you managed to bring it offline)? Can you access teh SQL logs (accessible in the tree via Management > SQL Server logs)? Are you sure the user who is executing the script is the one you expect?
Also, you can try any of the following
* restart the service then retry
* Use the mouse GUI o bring it online (right click on the DB, Tasks, Bring Online)
Had same problem, same error. Even logged on as SA and returned same error. On both problem database the owner was not SA.
Solved by attaching the database. This gives you the opportunity to rename the database was well assign an owner. Assigned owner as SA.
Detached failed database the renamed the newly attached database to the original name.
A lesson in always give SA ownership of new databases.
How can you hide databases you do not have access rights to when logging into SQL Server 2005 / 2008?
Currently if a user connects, they see all the databases on the server, meaning they have to scan though the list to find their database.
After hours of trying to figure out how to create a user account which only has access to 1 DB, and can only see that DB. I think i figured it out!!!!
Create a user account ( make sure its not mapped to any Database, otherwise you will get the final error Msg 15110, Level 16, State 1 and note proposed solution)
USE [master]
GO
CREATE LOGIN [us4]
WITH PASSWORD=N'123',
DEFAULT_DATABASE=[master],
CHECK_EXPIRATION=OFF,
CHECK_POLICY=OFF
Right Click on the upper section of the SQL (SQLSERVER Name)>Properties>Permissions>Click on the user account, and select Deny to view databases.
use [master]
GO
DENY VIEW ANY DATABASE TO [us4]
Right Click on the newly created DB, Properties,Files, and change the Owner to the newly created account.(important note: ALTER ROLE [db_owner] ADD MEMBER [us4] does not work)
USE [dbname]
GO
EXEC dbo.sp_changedbowner #loginame = N'us4', #map = false
At this point, once the user logs in he will see the Master,tempdb and will also see the new DB which he is a DB Owner of..You may want to go to Tools>Option and enabled the option to hide system objects so that you don't show the master,tempdb,etc. You may also need SP1 if this option does not work
Msg 15110, Level 16, State 1, Line 1
The proposed new database owner is already a user or aliased in the database.
proposed solution to Msg 15110: to resolve above error simply delete the user from database security node and try again
Hope that helps...
Nikhil
This actually won't work the way that makes sense or that you might expect that it would.
You REVOKE VIEW ANY DATABASE from the public role, but then the user has to be the database owner of the database or it can't be seen, but it still can be accessed.
The problem is a Database Engine Security shortcoming and not likely to be fixed in the current or future release of SQL Server.
Erland Sommarskog opened the following connect item for this a while ago, and it recently was discussed on twitter and with Microsoft by the SQL MVP's.
Vote for the connect and help make it more of a priority for Microsoft to fix:
Connect Feedback
Basically the permissions are stored at the database level, so it would require enumerating each database to determine if the user has connect rights to display the database in the object explorer, which is an expensive task to perform and how the older EM used to do things.
The proposes solution is for this information to be maintained at the server level as well, which is a major change.
You would need to revoke the permission 'VIEW ANY DATABASE' from the role PUBLIC (SQL SERVER 2005 onwards)
Add user to DB as Db owner after removing VIEW ANY DATABASE rights
This will show only the database owned by the login in SSMS.
USE master; GO
DENY VIEW ANY DATABASE TO [loginname]; GO
USE [your db]; GO
DROP USER [loginname]; GO
USE master; GO
ALTER AUTHORIZATION ON DATABASE::[your db]TO [loginname]; GO
Note: this requires the login to exists already
There appears to be a server-side setting on MS SQL 2005 and 2008 to restrict the databases a user may see. I found the following text at sql-server-performance.com
In SQL Server 2005 it is possible with a new server side role that has been created. VIEW ANY DATABASE permission is a new, server-level permission. A login that is granted with this permission can see metadata that describes all databases, regardless of whether the login owns or can actually use a particular database. Please note By default, the VIEW ANY DATABASE permission is granted to the public role. Therefore, by default, every user that connects to an instance of SQL Server 2005 can see all databases in the instance.
I dropped a database from SQL Server, however it turns out that my login was set to use the dropped database as its default. I can connect to SQL Server Management Studio by using the 'options' button in the connection dialog and selecting 'master' as the database to connect to. However, whenever I try to do anything in object explorer, it tries to connect using my default database and fails.
Does anyone know how to set my default database without using object explorer?
What you can do is set your default database using the sp_defaultdb system stored procedure. Log in as you have done and then click the New Query button. After that simply run the sp_defaultdb command as follows:
Exec sp_defaultdb #loginame='login', #defdb='master'
Alternative to sp_defaultdb (which will be removed in a future version of Microsoft SQL Server) could be ALTER LOGIN:
ALTER LOGIN [my_user_name] WITH DEFAULT_DATABASE = [new_default_database]
Note: user and database names are provided without quotes (unlike the sp_defaultdb solution). Brackets are needed if name had special chars (most common example will be domain user which is domain\username and won't work without brackets):
ALTER LOGIN me WITH DEFAULT_DATABASE = my_database
but
ALTER LOGIN [EVILCORP\j.smith28] WITH DEFAULT_DATABASE = [prod\v-45]
To do it the GUI way, you need to go edit your login. One of its properties is the default database used for that login. You can find the list of logins under the Logins node under the Security node. Then select your login and right-click and pick Properties. Change the default database and your life will be better!
Note that someone with sysadmin privs needs to be able to login to do this or to run the query from the previous post.
Thanks to this post, I found an easier answer:
Open Sql Server Management Studio
Go to object Explorer -> Security -> Logins
Right click on the login and select properties
And in the properties window change the default database and click OK.
If you don't have permissions to change your default DB you could manually select a different DB at the top of your queries...
USE [SomeOtherDb]
SELECT 'I am now using a different DB'
Will work as long as you have permission to the other DB
Click on Change Connection icon
Click Options<<
Select the db from Connect to database drop down
Click on options on the connect to Server dialog and on the Connection Properties, you can choose the database to connect to on startup. Its better to leave it default which will make master as default. Otherwise you might inadvertently run sql on a wrong database after connecting to a database.
I'll also prefer ALTER LOGIN Command as in accepted answer and described here
But for GUI lover
Go to [SERVER INSTANCE] --> Security --> Logins --> [YOUR LOGIN]
Right Click on [YOUR LOGIN]
Update the Default Database Option at the bottom of the page
Tired of reading!!! just look at following
In case you can't login to SQL Server:
sqlcmd –E -S InstanceName –d master
Reference:
https://support.microsoft.com/en-us/kb/307864
This may or may not exactly answer the question, but I ran into this issue (and question) when I had changed my account to have a new database I had created as my "default database". Then I deleted that database and wanted to test my creation script, from scratch. I logged off SSMS and was going to go back in, but was denied -- cannot log into default database was the error. D'oh!
What I did was, on the login dialog for SSMS, go to Options, Connection Properties, then type master on the "Connect to database" combobox. Click Connect. Got me in. From there you can run the command to:
ALTER LOGIN [DOMAIN\useracct] WITH DEFAULT_DATABASE=[master]
GO
There is a little icon for change the connection, click on that and then go to Options and Select the db from Connect to database drop down
With the MSSQL queries below, you can change database on sqlcmd:
USE testdb
GO
Then, you can check the currently used database:
SELECT DB_NAME()
GO
testdb
Then, you can show all the existed databases:
SELECT name FROM master.sys.databases
GO
master
tempdb
model
msdb
testdb
In addition, if you don't specify a database on sqlcmd, "master" database is used by default.
If you use windows authentication, and you don't know a password to login as a user via username and password, you can do this: on the login-screen on SSMS click options at the bottom right, then go to the connection properties tab. Then you can type in manually the name of another database you have access to, over where it says , which will let you connect. Then follow the other advice for changing your default database
https://gyazo.com/c3d04c600311c08cb685bb668b569a67
I have a database with user 'dbo' that has a login name "domain\xzy". How do I change it from "domain\xzy" to "domain\abc".
I figured it out. Within SQL Management Studio you have to right-click on the database -> Properties -> Files -> Owner field. Change this field to the login name/account that you want associated with the "dbo" username for that database. Please keep in mind that the login name/account you choose must already be setup in the sql server under Security -> Logins
If you are trying to remap a login to a db user you can use sp_change_user_login
exec sp_change_user_login 'Update_One', 'user', 'login'
PhantomTypist gives a good answer using the GUI. For achieving the same result with TSQL, you can use this code:
USE [My_Database_Name]
GO
EXEC dbo.sp_changedbowner #loginame = N'domain\abc', #map = false
GO
This is a Windows login, not a SQL Server login, so you cannot 'change' the login name since it is linked to the user account in Active Directory.
Create a new Server Login (Windows) mapped to the new windows user (and remove the old one if necessary). Then in login's Security > User Mapping, permission that login to the appropriate database as user 'dbo' (or assign to the db_owner role)