I have many users in one database. All these users are named using "domain\" as a prefix. I would like to rename these user names by dropping this domain name from the user name. How to do that? In SQL Server Management Studio GUI user name is grayed and cannot be changed?
You do not. The DOMAIN\user user is a user that has no password and is tied to a DOMAIN ACCOUNT. If you drop the DOMAIN\ refix, you ahve to assign it a password, basically moving authentication into the database.
User names can not be chanegd in SQL - you have to drop and recreate the login, then recreate the users in the databases.
Related
I have a SQL Server 2017 database instance that was created before I was given administration of the database and I have a Login at DB server level named "atSupervisor" which is a user in database "StaffMonitoring". I wish to clone the login and user "atSupervisor" as login and user "bcSupervisor" in database "StaffMonitoring" to have all permissions, table access, grants etc.
I have tried a few suggestions on google such as this example - https://www.mssqltips.com/sqlservertip/3589/how-to-clone-a-sql-server-login-part-1-of-3/
This seems to creates the login and user and I can then assign the database "StaffMonitoring" in User Mapping in the login's properties and login with the user. However, none of the tables are present.
Is there a way to do this please that clones everything to include grant access to tables that mirrors the original login\user?
The existing Windows Server 2008 R2 with SQL Server 2008 was moved to another domain. The existing dbo owner belongs to the old domain.
I need to change the dbo ownership to a new login user, not to a 'sa'. I have seen some sample codes but I am not sure the correct syntax for the new user name.
I have already tried changing the ownership using within SQL Server Management Studio, properties of the database and changing the value from the files but it did work.
For instance, I see someone suggesting:
-- in master db
CREATE LOGIN [login1] WITH PASSWORD = '{Some Password}'
CREATE USER **[login1]** FOR LOGIN **[login1]**
-- in user db
CREATE USER **[login1]** FOR LOGIN **[login1]**
ALTER ROLE [db_owner] ADD MEMBER **[login1]**
the question I have is the [login1] format.
Usually, the login is: domain\username
How do I replace the [login1] with the actual login name? What is the correct format?
Besides changing the dbo ownership, I would like to know if there is anything else that needs to be done, as standard procedures, when the server where the SQL database is installed, has changed to a different domain.
Thank you
The T-SQL statement ALTER AUTHORIZATION ON DATABASE::YourDatabase TO Login1; will change the database owner per the documentation.
The login or database name need only be enclosed when it doesn't conform to regular identifier naming rules (like Windows logins with the backslash). So for a domain user, they syntax with square brackets is:
ALTER AUTHORIZATION ON DATABASE::YourDatabase TO [YourDomain\Login1];
or alternatively double quotes:
ALTER AUTHORIZATION ON DATABASE::YourDatabase TO "YourDomain\Login1";
I suggest you avoid using a domain user as the database owner going forward. This way, you won't have the problem when the computer domain changes or if the owning domain account becomes invalid for some reason, such as the individual leaves the organization.
How can I give a user (who was created WITHOUT LOGIN) full control over a contained database without having to specify that database's name, like GRANT CONTROL ON DATABASE::DatabaseName TO UserName, but without using a database name? I figure it'll include GRANT ALTER ANY SCHEMA TO UserName, but I'm not sure what else I'd need to grant, or if there's a better way. Thanks.
If you literally want them to be able to do anything in that database, you can just add them to the db_owner role:
USE ContainedDatabase;
GO
ALTER ROLE db_owner ADD MEMBER [username];
If you want to be more granular, you can add them to lesser roles, like db_ddladmin, db_securityadmin, etc. You can see the list of built-in roles here:
Database-Level Roles
The permissions inherent in each of those roles:
Permissions of Fixed Database Roles
And if those don't suit, you can create your own roles, add your user to that role, and grant specific permissions to that role you created (and/or add them to other roles). The difference between applying the permissions to the role instead of directly to the user is simply reuse - if you add five more users that you want to apply the same permissions, you just add them to the custom role, rather than apply those granular permissions or roles to all 5 of the users.
Open SQL Server Management Studio and connect to your server.
In the Object Explorer, expand the "Security" folder under the server.
Right click on the "Logins" folder and choose "New Login..."
Add the users name in the format "Domain\UserName". You can also add domain groups by just changing it to "Domain\GroupName".
5.If you would like this user to have full access to the SQL Server instance, you can choose the "Server Roles" tab. Adding the role "sysadmin" will give them full access to the server to do actions like update the database, backup the database, delete the database.
Click ok and your user will be created and have access to your database.
Choose the "User Mapping" tab. In the top half of this screen, check the box next to the database name. Once you highlight the database and check the box to map the user to it, you can add role memberships to the user. For access to the database.
Click ok and your user will be created and have access to your database.
Example:
Lets say I have a group named group_01, the group is mapped to a SQL Server an given some rights on some stuff.
When I rename the group in Active Directory to any value, lets say group_01_OLD.
The group name wont change in SQL Server, it's still group_01
Is this normal behavior? Can I force SQL to rename the group when renamed in AD?
An full answer is buried in the comments here: https://dba.stackexchange.com/questions/13766/user-windows-login-name-has-been-changed-in-ad-yet-session-in-sql-2008-profiler
Basically, a reboot of the whole server should pick up the change (assuming replication to all the DCs has already happened).
If you can't do that, you could try manually updating the name of the login:
ALTER LOGIN [domain\group_01] WITH NAME = [domain\group_01_OLD];
To complement Gabriel’s answer. Given your scenario (you have granted permissions to the group group_01 ), you must change the name in SQL using the ALTER LOGIN command
ALTER LOGIN [domain\group_01] WITH NAME = [domain\group_01_OLD];
The reason for this is that SQL Server looks for a matching login catalog views (i.e. sys.server_principals) within SQL itself before asking AD.
NOTE: When you rename a Windows login, SQL Server will verify that the new name matches the SID to verify that the login renaming is valid.
-Raul Garcia
A reboot do not fix anything as far as I've experienced. SID is of course the same but besides the change of login with...
ALTER LOGIN [domain\previousgroupname] WITH NAME = [domain\newgroupname];
...you also need to change Security\Users for each database the login has a role in, if you want the change reflected everywhere and not having mismatches between logins and users. Can be done using Management studio, editing the group at Security\Logins and Mapping. Untick database, tick and choose role again. Or using ALTER USER but that's just a lot more typing.
USE [db]
ALTER USER [domain\previousgroupname] WITH NAME=[domain\newgroupname];
I have created a test user that has sysadmin right in SQL Server 2005 (sysadmin, because i want to profile with this user name also).But i want to restrict that test users access rights to production database.
It is under "logins" and also db name selected under the "User Mapping" tab of its properties with "db_denydatareader" default schema. But it is still can run select statements.
Sorry but once you give SysAdmin access, you've given away the farm. You'll have to create a different role for the test user and then grant access only to the databases you want.