October 9, 2019 at 9:24 pm
Is there a way to find any process or someone who could have removed a Domain login against sql server? Otherwise using server level trigger would be a best option to audit in the future to an event like this? Please advise?
Thanks in advance!
October 9, 2019 at 11:21 pm
It would be in the default trace, depending on how far back you have trace files. Otherwise, yes you would want to use a DDL trigger at the server level to audit dropping the logins.
October 10, 2019 at 1:54 pm
You could also look at setting up a SQL Server Audit (https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-database-engine?view=sql-server-2017) and monitor the DATABASE_PRINCIPAL_CHANGE_GROUP and SERVER_PRINCIPAL_CHANGE_GROUP objects.
Viewing 3 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply