Auditing individual user accounts

  • Hello. We have a number of production DBs with database roles and Active Directory domain groups defined within these roles. Typical good practice I think.

    Unfortunately we've had a lot of individual Windows users creep into our DBs and roles too. Some may be legitimate "one offs" but the rest I'd like to identify and purge as long as I can verify their access is already fulfilled from an existing domain group.

    I'm looking at comparing results from xp_logininfo to those from sys.database_principals and is_member(), but it's not clear what those results mean.

    Has anyone done something like this? What was your strategy?

    Thanks,

    Ken
