January 28, 2016 at 10:12 am
Hi,
I just wonder how the SQL experts do when a member leave the organization.
Do you drop the login or disable the login?
January 28, 2016 at 10:32 am
in my case, I remove the users and logins from SQL Servers, but they stay forever in Active Directory.
I've got a nifty powershell i wrote that imports Active directory data into a SQL table.
that has whether the user is enabled or disabled rendered right in the table.
occasionally i'll run the logic below, but only on demand:
I have another script, that assumes linked servers to the server with that AD table exists, so i can use it in a Central Management Server session:
that script uses a simple cursor to loop through any databases with an if exists/drop user, and ends with an if exists/ drop login for any AD ser that is disabled, and the last login is older than 30 days.
Lowell
January 28, 2016 at 7:15 pm
Lowell (1/28/2016)
I've got a nifty powershell i wrote that imports Active directory data into a SQL table.that has whether the user is enabled or disabled rendered right in the table.
That would be a great thing to write an article on. You should go for it.
In the meantime, I'd love to have a copy of the code. Any chance of you attaching it to this thread?
--Jeff Moden
Change is inevitable... Change for the better is not.
January 29, 2016 at 10:45 am
Just run
exec sp_validatelogins
This will identify any AD users or groups which have been removed from AD but not from the SQL Server instance
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
January 29, 2016 at 7:43 pm
Jeff Moden (1/28/2016)
Lowell (1/28/2016)
I've got a nifty powershell i wrote that imports Active directory data into a SQL table.that has whether the user is enabled or disabled rendered right in the table.
That would be a great thing to write an article on. You should go for it.
In the meantime, I'd love to have a copy of the code. Any chance of you attaching it to this thread?
That would be handy to have. We're in the process of integrating data from two domains and dealing with so many different employee IDs has become rather cumbersome because one system has multiple IDs per employee. Having a table that could match the logins would make life easier. Lowell, if you have the inclination to write such an article, add me to the list of "encouragers".
Edit: Oh yeah, the subject of the OP. I drop the SQL Server logins and all associated database users. The AD accounts are disabled for a set period of time and then deleted later.
January 31, 2016 at 4:46 am
I'm on the SQL cruise with limited internet, but i'll put together an article;
I tend to shy away from articles, hate getting criticism.
At my job, we just joined two AD forests, and permissions wise, i still can only query my own domain, I have not be able to Get-ADMember the other domain persons or groups yet. i'd like to see that work as well.
i've got a pretty complete solution, actually, all groups, all group members and of course all users/object/computers, all in a suite of SQL tables.
Lowell
February 4, 2016 at 12:20 pm
Perry Whittle (1/29/2016)
Just run
exec sp_validateloginsThis will identify any AD users or groups which have been removed from AD but not from the SQL Server instance
Man. Thanks for posting this. I never knew about this command. Every so often I go through a list of users and find one or two that we missed getting rid of. This makes this process SO much simpler. 😀 🙂
February 4, 2016 at 12:47 pm
Thank you all.
I disabled the login but the login has mapped to database as DB Owner still when I look for DB owner the user is still coming.
Do I need to disable at db level first?
Viewing 8 posts - 1 through 7 (of 7 total)
You must be logged in to reply to this topic. Login to reply