Using ::fn_dblog() to find who deleted the rows in a table.

  • This is a duplicate post. As this is related to security I posted it here too. Sorry for the inconvenience.

    Hi All,

    Recently someone deleted some rows from a table. I was asked to find out who did it. Since the log has not been backed up since the time the DB was created, I took the help of the undocumented table-valued function ::fn_dblog(), which gives me the contents of the active portion of the log.

    I filtered on the AllocUnitName and Operation columns.

    AllocUnitName being the table name and Operation being 'LOP_DELETE_ROWS'.

    I was looking for the column TRANSACTION SID to find out the SID of the user that started the transaction that deleted the rows. I did get it.

    But the problem is the value of the SID is 0x01, which is the dbo user. It is evident that a server-level login with sysadmin privileges did the deletes. Is there any way I can find out the server login mapped to the dbo user?

    Any idea would be appreciated.

  • Nope.

    The transaction log is not an audit log, it is not important for database recovery or transaction rollbacks what login did the operation, that information is not included in the log at all.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
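
The lookup described in the question, written out as an added example (not code from either poster): it finds the transactions that logged LOP_DELETE_ROWS records against one table, joins them to their LOP_BEGIN_XACT record, which is the row that carries [Transaction SID], and resolves that SID with SUSER_SNAME(). The table name dbo.Orders is a placeholder, and because fn_dblog() is undocumented its column names are assumed to match the ones mentioned in the thread.

```sql
-- Added example. dbo.Orders is a placeholder table name (assumption).
-- Run in the affected database; fn_dblog(NULL, NULL) reads the whole
-- active portion of the log, so only records not yet truncated are visible.
WITH deletes AS (
    SELECT [Transaction ID],
           COUNT(*) AS delete_log_records   -- log records, not table rows:
                                            -- each affected index logs its own
    FROM   fn_dblog(NULL, NULL)
    WHERE  Operation = N'LOP_DELETE_ROWS'
      AND (AllocUnitName = N'dbo.Orders'          -- heap
           OR AllocUnitName LIKE N'dbo.Orders.%') -- table.index allocation units
    GROUP  BY [Transaction ID]
)
SELECT x.[Transaction ID],
       x.[Begin Time],
       x.[Transaction Name],
       x.[Transaction SID],
       -- Returns a login name only if the SID maps to a server login.
       SUSER_SNAME(x.[Transaction SID]) AS login_name,
       d.delete_log_records
FROM   deletes AS d
JOIN   fn_dblog(NULL, NULL) AS x
       ON  x.[Transaction ID] = d.[Transaction ID]
       AND x.Operation = N'LOP_BEGIN_XACT'   -- SID is recorded here, not on the delete rows
ORDER  BY x.[Begin Time];
```

The [Begin Time] column gives a window that can be matched against whatever session or login records exist outside the transaction log.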
