Home Forums SQL Server 2008 Security (SS2K8) Monitoring Changes to Users in databases. RE: Monitoring Changes to Users in databases.

  • July 30, 2012 at 2:36 pm

    #1519422

    ok, you can get whodunnit info fromt eh default trace, i just tested this:

    so if not too much time has passed, you can find out who;

    declare @path varchar(255)

    SELECT @path = path from sys.traces WHERE id = 1--the Default Trace

    SELECT

    TE.name As EventClassDescrip,

    v.subclass_name As EventSubClassDescrip,

    T.*

    FROM ::fn_trace_gettable(@path, default) T

    INNER JOIN sys.trace_events TE ON T.EventClass = TE.trace_event_id

    INNER JOIN sys.trace_subclass_values V

    ON T.EventClass = V.trace_event_id AND T.EventSubClass = V.subclass_value

    WHERE EventClass = 109 --Audit Add DB User Event

    AND EventSubClass IN (3,4) --ADD USER, DROP USER implicitly does [Grant database access],[Revoke database access]

    i tested it by simply going to a test database and adding and droping a couple of users.

    CREATE USER [bob] WITHOUT LOGIN

    CREATE USER [jeff] WITHOUT LOGIN

    DROP USER [bob]

    DROP USER [jeff]

    then looking at the last entries in my default trace, i got the EventClass and SubClass to add filters for a WHERE statement.

    Lowell

    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!