Here’s a great way to think about it, quoted from around the web:
Sharing only opens the door, security lets you in the door.
Standard practice is to allow everyone on sharing, and restrict access with security permissions. This keeps management simple as the most restrictive permissions apply between the two.
Is it a bad idea to allow developers to exec sp_who and see dynamic views on a dev server. They can check performance and further their current projects.
GRANT VIEW SERVER STATE TO [Developers]
After getting the following error:
The error information returned by PowerShell is: ‘Access is denied.
This allows me to run the following as the user.
Get-WmiObject Win32_logicaldisk -ComputerName MYSRVNAM |? {$_.DeviceID -eq "E:" -or $_.DeviceID -eq "F:" -or $_.DeviceID -eq "G:" -or $_.DeviceID -eq "H:" } `
| Format-Table SystemName, DeviceID, MediaType, `
@{Name="Size(GB)";Expression={[decimal]("{0:N0}" -f($_.size/1gb))}}, `
@{Name="Free Space(GB)";Expression={[decimal]("{0:N0}" -f($_.freespace/1gb))}}, `
@{Name="Free (%)";Expression={"{0,6:P0}" -f(($_.freespace/1gb) / ($_.size/1gb))}} `
-AutoSize | Out-String
Thanks to the original source!
I just wanted a wrapper for Get-ADGroup and Get-ADGroupMember to return all members of a group.
function Get-ADGroupMembers {
<#
.SYNOPSIS
For any Get-ADGroup Get-ADGroupMember's Get-ADUser properties and output our PSObject
.DESCRIPTION
For any AD group return a list of members including members of subgroups.
.PARAMETER Group
The AD Group name to find members for (without the DOMAIN).
.EXAMPLE
Get-ADGroupMembers -Group "SQL DBA"
.EXAMPLE
$Group = "SQL DBA"
$Output = Get-ADGroupMembers -Group $Group
$Output |Sort-Object LastName |Select-Object ObjectClass, GroupName, LastName, GivenName, SamAccountName, Name |ft -AutoSize
Write-Host ("{0} Members found in AD group: {1}" -f $Output.Count, $Group)
.INPUTS
System.String
.OUTPUTS
PSObject
.NOTES
20170113 Created
#>
[CmdletBinding()]
param(
[Parameter(Position=0, Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[System.String]
$Group
)
try {
#
## Get all
#
$Groups = Get-ADGroup -Identity $Group
$output = ForEach ($g in $groups) {
$results = Get-ADGroupMember -Identity $g.name -Recursive | Get-ADUser -Properties displayname, objectclass, name
ForEach ($r in $results){
New-Object PSObject -Property @{
GroupName = $g.Name
Username = $r.Name
ObjectClass = $r.ObjectClass
Name = $r.Name
GivenName = $r.GivenName
LastName = $r.Surname
Enabled = $r.Enabled
SamAccountName = $r.SamAccountName
}
}
}
Write-Output $output
}
catch {
throw
}
}
I use this to retrieve all SQL sysadmins on a server, and drill down, if any are Active Directory groups, to the individuals.
$SQLInstance = "SQLDEV";
$DomainFilter = "MYCOMPANYDOMAIN"
$Server = new-object Microsoft.SqlServer.Management.Smo.Server $SQLInstance;
$SQLLogins = $Server.Logins;
$sysadmins = $null;
$sysadmins = foreach($sysadmin in $SQLLogins) {
foreach($role in $sysadmin.ListMembers()) {
if($role -match 'sysadmin') {
Write-Verbose "sysadmin found: $($sysadmin.Name)"
$sysadmin | Select-Object `
@{label = "SQLServer"; Expression = {$SQLInstance}}, `
@{label = "CurrentDate"; Expression = {(Get-Date).ToString("yyyy-MM-dd")}}, `
Name, LoginType, CreateDate, DateLastModified;
$sysadmin |?{$_.LoginType -eq 'WindowsGroup' -and $_.Name -match '$DomainFilter'} |%{
Get-ADGroupMembers -Group $_.Name.Replace("$DomainFilter\",'') |Sort-Object LastName | Select-Object `
@{label = "SQLServer"; Expression = {$SQLInstance}}, `
@{label = "CurrentDate"; Expression = {(Get-Date).ToString("yyyy-MM-dd")}}, `
Name,@{label = "LoginType"; Expression = {'GroupUser'}}
}
};
};
};
$sysadmins | ft -AutoSize
This is from an idea from here.
IF OBJECT_ID('tempdb.dbo.#t1') IS NOT NULL
DROP TABLE #t1
SELECT CAST('?' AS VARCHAR(128)) AS [Database Name],
[su1].[name] AS [Database User Name],
[su2].[name] AS [Database Role]
INTO [#t1]
FROM [sys].[database_role_members] [r]
INNER JOIN .[sysusers] [su1]
ON [su1].[uid] = [r].[member_principal_id]
INNER JOIN .[sysusers] [su2]
ON [su2].[uid] = [r].[role_principal_id]
WHERE [su2].[name] IN ('db_owner')
AND [su1].[name] NOT IN ('dbo')
AND 1 = 2
INSERT [#t1]
([Database Name],
[Database User Name],
[Database Role]
)
EXEC sp_MSForEachDB 'SELECT ''?'' AS [Database Name], su1.name AS [Database User Name], su2.name AS [Database Role]
FROM [?].sys.database_role_members r
INNER JOIN [?]..sysusers su1 ON su1.[uid] = r.member_principal_id
INNER JOIN [?]..sysusers su2 ON su2.[uid] = r.role_principal_id
WHERE su2.name IN(''db_owner'') AND su1.name NOT IN(''dbo'')'
DELETE
FROM [#t1]
WHERE [Database Name] IS NULL
SELECT [Database Name],
[Database User Name],
[Database Role]
FROM [#t1]
GO
Just remove the filter to see everyone.
;WITH [RoleMembers]([member_principal_id], [role_principal_id])
AS (
SELECT [rm1].[member_principal_id],
[rm1].[role_principal_id]
FROM [msdb].[sys].[database_role_members] [rm1] (NOLOCK)
UNION ALL
SELECT [d].[member_principal_id],
[rm].[role_principal_id]
FROM [msdb].[sys].[database_role_members] [rm] (NOLOCK)
INNER JOIN [RoleMembers] AS [d]
ON [rm].[member_principal_id] = [d].[role_principal_id]
)
SELECT DISTINCT
[rp].[name] AS [database_role],
[mp].[name] AS [database_user],
[mp].[type]
FROM [RoleMembers] [drm]
JOIN [msdb].[sys].[database_principals] [rp]
ON ([drm].[role_principal_id] = [rp].[principal_id])
JOIN [msdb].[sys].[database_principals] [mp]
ON ([drm].[member_principal_id] = [mp].[principal_id])
WHERE [rp].[name] LIKE 'SQLAgent%'
AND [mp].[name] NOT LIKE '##%'
ORDER BY [rp].[name]
This should produce output similar to this:
or
database_role database_user type SQLAgentOperatorRole PolicyAdministratorRole R SQLAgentReaderRole PolicyAdministratorRole R SQLAgentReaderRole SQLAgentOperatorRole R SQLAgentUserRole dc_admin R SQLAgentUserRole dc_operator R SQLAgentUserRole MS_DataCollectorInternalUser S SQLAgentUserRole PolicyAdministratorRole R SQLAgentUserRole SQLAgentOperatorRole R SQLAgentUserRole SQLAgentReaderRole R
One can be database owner, SHOWPLAN within the database, CONTROL Database, CONTROL Server, or ALTER TRACE at the server level.
See Rob Farley’s article for a script to run a test.
To view a query plan, you need SHOWPLAN permission on the database level at least. You have this if you have CONTROL DATABASE, or CONTROL SERVER, or if you have ALTER TRACE at the instance level. I know this last one because it’s mentioned in Books Online
We were trying to connect a remote SQL publisher to a local subscriber and on the subscriber get these errors, found in the SQL Errorlog.
Date 12/8/2016 6:52:42 AM Log SQL Server (Current - 12/7/2016 6:03:00 PM) Source Logon Message Error: 17806, Severity: 20, State: 14. ---- Date 12/8/2016 6:52:42 AM Log SQL Server (Current - 12/7/2016 6:03:00 PM) Source Logon Message SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed [CLIENT: 172.31.5.158] ---- Date 12/8/2016 6:52:42 AM Log SQL Server (Current - 12/7/2016 6:03:00 PM) Source Logon Message Error: 18452, Severity: 14, State: 1. ---- Date 12/8/2016 6:52:42 AM Log SQL Server (Current - 12/7/2016 6:03:00 PM) Source Logon Message Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: xxx.xx.x.xxx] ----
However, the SQL login was coming from a domain that already HAD replication running on another database.
It turned out to be an incorrect login name, rather than an untrusted domain.
Never trust an error message.
Part of my series pointing to valuable instruction on the web.
Congratulations you’re now a DBA! What do you need to know about security for SQL Server? Read on and find out.
Source: m.sqlmag.com/database-security/what-every-accidental-dba-needs-know-now-basics-sql-security