Hello. We have a number of production DBs with database roles and Active Directory domain groups defined within these roles. Typical good practice I think.
Unfortunately we've had a lot of individual Windows users creep into our DBs and roles too. Some may be legitimate "one-offs" but the rest I'd like to identify and purge as long as I can verify their access is already fulfilled from an existing domain group.
I'm looking at comparing results from xp_logininfo to those from sys.database_principals and is_member() but it's not clear what those results mean.
Has anyone done something like this? What was your strategy?
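A worked version of the comparison the question describes, added here as an example and not code from the original post. It assumes the session may execute xp_logininfo and that the SQL Server service account can reach the domain; IS_MEMBER() is left out because it only answers for the current caller, not for arbitrary users.

```sql
-- Added example, not code from the original post. Assumes the session can execute
-- xp_logininfo and that the SQL Server service account can query the domain.
SET NOCOUNT ON;
CREATE TABLE #group_members (          -- one row per (group login, member) resolved via AD
    group_login       sysname NULL,
    account_name      sysname,
    type              char(8),
    privilege         char(9),
    mapped_login_name sysname,
    permission_path   sysname NULL
);
-- Every Windows group (type 'G') mapped into this database, by its login name (matched by SID,
-- since the database user name need not equal the login name).
DECLARE @grp sysname;
DECLARE grp_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT l.name FROM sys.database_principals AS dp
    JOIN sys.server_principals AS l ON l.sid = dp.sid
    WHERE dp.type = 'G';
OPEN grp_cur;
FETCH NEXT FROM grp_cur INTO @grp;
WHILE @@FETCH_STATUS = 0
BEGIN
    BEGIN TRY
        -- Nested groups come back as rows of type 'group' and are not expanded here.
        INSERT INTO #group_members (account_name, type, privilege, mapped_login_name, permission_path)
        EXEC master.dbo.xp_logininfo @acctname = @grp, @option = 'members';
        UPDATE #group_members SET group_login = @grp WHERE group_login IS NULL;
    END TRY
    BEGIN CATCH
        -- A group SQL Server cannot resolve (deleted, renamed, untrusted domain) is reported, not fatal.
        PRINT 'Could not resolve ' + @grp + ': ' + ERROR_MESSAGE();
    END CATCH;
    FETCH NEXT FROM grp_cur INTO @grp;
END;
CLOSE grp_cur;
DEALLOCATE grp_cur;
-- Individual Windows users (type 'U') holding a role that is also held by a group they belong to:
-- candidates for removal once the group path has been confirmed.
SELECT u.name AS database_user, r.name AS role_name, gm.group_login AS covered_by_group
FROM sys.database_role_members AS urm
JOIN sys.database_principals   AS u   ON u.principal_id = urm.member_principal_id AND u.type = 'U'
JOIN sys.server_principals     AS ul  ON ul.sid = u.sid
JOIN sys.database_principals   AS r   ON r.principal_id = urm.role_principal_id
JOIN sys.database_role_members AS grm ON grm.role_principal_id = urm.role_principal_id
JOIN sys.database_principals   AS g   ON g.principal_id = grm.member_principal_id AND g.type = 'G'
JOIN sys.server_principals     AS gl  ON gl.sid = g.sid
JOIN #group_members            AS gm  ON gm.group_login = gl.name AND gm.account_name = ul.name
ORDER BY u.name, r.name;
DROP TABLE #group_members;
```

Users who appear in the result still need a check for direct object permissions granted outside any role before they are dropped, since this query only compares role membership.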