SQL Server db user mapped to windows login not in SQL Server logins

Posted on

Question :

I am on a SQL Server 2008 where I login with DOMAINUSER_A

On my database I can see this login is mapped to the user dbo of that database.
What I don’t understand is that DOMAINUSER_A is nowhere to be found in the SQL Servers Security Logins.

CURRENT_USER reports dbo

I can’t find DOMAINUSER_A in the sys.syslogins? What is going on? Can a database user have its own login circumventing the SQL Server?

Answer :

The only way a login has rights to a server is if those rights have been granted. The question is likely: How did these rights get granted?

If DOMAINUSER_A is a member of some Windows group, then through the rights granted to the group the DOMAINUSER_A login exists in the server. This is true even if there is no individual entry in sys.database_principals or sys.server_principals for that login.

You can look for the permission paths used by a login as follows:

EXEC xp_logininfo 'DOMAINUSER_A', 'all'

You might find several permission paths for a login.

Please stop looking at syslogins. This is a deprecated system table that is now a backward compatibility view and is only there for that purpose (to prevent breaking old code).

The user is dbo probably because they created the database.

You should be able to find the login the user is associated with using:

SELECT login_name = sp.name, user_name = dp.name
  FROM that_database.sys.database_principals AS dp
  INNER JOIN sys.server_principals AS sp
  ON dp.[sid] = sp.[sid];

Now, it may be that the user doesn’t have its own login, and has been granted access to the instance via a Windows group.

Leave a Reply

Your email address will not be published. Required fields are marked *