Hi Brian,

as a follow-up regarding our tweets and to share this information to other users as well (maybe they´re having an idea):

If we have a user who has only the right GRANT ALTER ANY LOGIN, then this user

is able to create a new login but cannot assign this new user to the sysadmin server role.

However, a user with GRANT ALTER ANY LOGIN can drop a user, which is member of the sysadmin server role, although just removing the user from that role doesn´t work.

In my case this is still too much power.

For example: I try to give a user the permission to check if the server-side accounts are properly mapped to database users and in case there´s a missing mapping to a database user, allow him to map the login.

Regards

Dirk