• Eric M Russell (2/9/2012)


    Nadrek (2/9/2012)


    Very useful, though for anyone doing a more comprehensive security audit, I'd refer to Vyaskin's code, which I modified only slightly:

    The script you posted is great for scripting out database level permissions that have been granted by the SYSADMIN to non-admin users, which would perhaps be a next step.

    However, the script is not querying what domain or service accounts are in a server level role (like SYSADMIN), and it's not resolving domain groups into individual member accounts.

    For example, who or what in the organization is a SYSADMIN on an instance of SQL Server? Simply querying the sys.database_permissions or sys.server_principals tables within SQL Server won't include that.

    Excellent points; I'll edit my post to make it clear that Vyaskin's script gives different, non-overlapping information.
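The gap raised above (who actually holds sysadmin, including accounts that arrive through a domain group) can be covered with a query like the following. This is an added example, not code from either poster or from Vyaskin's script; it assumes the caller is allowed to execute `xp_logininfo` in master, and the temp table and cursor names are made up for illustration.

```sql
-- Added example: list sysadmin members and expand Windows groups one level.
SET NOCOUNT ON;

-- 1. Principals that are direct members of the sysadmin server role.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.type_desc, m.name;

-- 2. Expand each Windows group (type 'G') into its member accounts.
--    INSERT ... EXEC maps xp_logininfo's five result columns by position.
CREATE TABLE #group_members (          -- hypothetical temp table name
    account_name      sysname  NULL,
    account_type      char(8)  NULL,   -- 'user' or 'group'
    privilege         char(9)  NULL,
    mapped_login_name sysname  NULL,
    permission_path   sysname  NULL    -- the group that grants the access
);

DECLARE @grp sysname;
DECLARE grp_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT m.name
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin' AND m.type = 'G';

OPEN grp_cur;
FETCH NEXT FROM grp_cur INTO @grp;
WHILE @@FETCH_STATUS = 0
BEGIN
    BEGIN TRY
        INSERT INTO #group_members
        EXEC master.dbo.xp_logininfo @acctname = @grp, @option = 'members';
    END TRY
    BEGIN CATCH
        -- A group that cannot be resolved is reported, not silently skipped.
        PRINT N'Could not expand ' + @grp + N': ' + ERROR_MESSAGE();
    END CATCH;
    FETCH NEXT FROM grp_cur INTO @grp;
END;
CLOSE grp_cur;
DEALLOCATE grp_cur;

-- Rows with account_type = 'group' are nested groups and need a further pass.
SELECT permission_path AS via_group, account_name, account_type
FROM #group_members
ORDER BY permission_path, account_name;

DROP TABLE #group_members;
```

`xp_logininfo` with the `'members'` option returns only the next level of membership, so nested groups show up as rows of type `group` rather than as their individual accounts.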