AD groups and login permissions

  • Here's the situation.

    I have some logs that seem to show someone executing a procedure I don't think they should have been able to execute. They shouldn't even be able to get to the database, much less execute this proc.

    The permissions are handled through AD groups, and this person doesn't belong to any of the groups that can access the database, from what I can tell. But I wonder if there's some kind of nesting (groups belonging to another group) thing going on.

    Anyway, my question, is given a person's domain login, can I find out what effective SQL permissions they have?

  • If you run:

    EXEC xp_logininfo 'DOMAIN\GROUP_NAME', 'ALL'

    You will get all AD groups under which they have access to the server.

  • I had no idea that existed. That's exactly what I need.

    It returns null for the permission path, so from what I gather, that means this person has no access through domain groups at all. They do have a server login, but it's mapped via user and not group, and to a different database.

    Further, if I "execute as login = theirLogin", and then try to "use db" the db they shouldn't be in, it tells me they cannot access the db in this security context.

    So I'm pretty convinced my logging tool has a bug and they didn't really execute that proc.
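  • The two checks described in this thread (xp_logininfo for the group path, then EXECUTE AS LOGIN to test the effective database rights), as an added T-SQL walkthrough that is not from any of the posts above. The login DOMAIN\jdoe, the database SalesDB and the procedure dbo.usp_PostInvoice are assumed placeholders; substitute the real names. Both steps need elevated rights on the instance (xp_logininfo and impersonating an arbitrary login are sysadmin-level operations).

```sql
-- Added example, not from the original thread. Placeholder names:
-- DOMAIN\jdoe (the login under suspicion), SalesDB, dbo.usp_PostInvoice.

-- 1. Pass the *user* login, not a group, with 'all'. SQL Server resolves
--    AD group membership (nested groups included) and returns one row per
--    group that has a server login. No rows, or a NULL "permission path",
--    means no group-based route onto the instance.
EXEC xp_logininfo @acctname = 'DOMAIN\jdoe', @option = 'all';

-- 2. Does the login exist at all, and is it a sysadmin or a member of a
--    server role via some group? Impersonation shows the effective token.
EXECUTE AS LOGIN = 'DOMAIN\jdoe';
    SELECT SUSER_SNAME()              AS effective_login,
           IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,   -- 1 = can do anything
           HAS_PERMS_BY_NAME('SalesDB', 'DATABASE', 'CONNECT') AS can_connect_salesdb;
REVERT;

-- 3. Test the proc itself. Switching into the database first and then
--    impersonating raises the same "cannot access the database under the
--    current security context" error the thread mentions when the login has
--    no CONNECT right there; otherwise the EXECUTE check tells you whether
--    a user/role grant on the proc exists for this login.
USE SalesDB;
EXECUTE AS LOGIN = 'DOMAIN\jdoe';
    SELECT USER_NAME() AS db_user,   -- 'guest' would mean access via the guest user
           HAS_PERMS_BY_NAME('dbo.usp_PostInvoice', 'OBJECT', 'EXECUTE') AS can_execute;
REVERT;

-- 4. Optional: list which Windows group logins the instance knows about,
--    so you can compare them with the groups xp_logininfo reported.
SELECT name, type_desc, is_disabled
FROM   sys.server_principals
WHERE  type IN ('U', 'G')            -- U = Windows user, G = Windows group
ORDER  BY name;
```

    Two caveats before trusting a negative result: HAS_PERMS_BY_NAME reports the login's rights at the moment you run it, so a group membership or grant that was later removed will not show up, and a proc executed through another path (a SQL Agent job, a linked server, an application using a service account) will appear in logs under that account rather than the person's own login.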

