Audit Security

  • Admingod

    SSCertifiable

    Points: 5606

    Is there a way to find any process or someone who could have removed a Domain login against sql server? Otherwise using server level trigger would be a best option to audit in the future to an event like this? Please advise?

    Thanks in advance!

  • Sue_H

    SSC Guru

    Points: 90260

    It would be in the default trace, depending on how far back you have trace files. Otherwise, yes you would want to use a DDL trigger at the server level to audit dropping the logins.

    Sue

  • jasona.work

    SSC-Forever

    Points: 49887

    You could also look at setting up a SQL Server Audit (https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-database-engine?view=sql-server-2017) and monitor the DATABASE_PRINCIPAL_CHANGE_GROUP and SERVER_PRINCIPAL_CHANGE_GROUP objects.

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply