Orphaned Users Search and Destroy

  • Chris Harshman

    SSC-Forever

    Points: 42106

    This script will find users in a database that don't have an exact match for login based on SID, but I think it overstates the number of orphans because if a Windows-authenticated user has access to a database through an Active Directory group, then that group will have a different SID than the user.  If you drop that user then they lose any permissions that were applied to them directly instead of to the group.  It may be an edge case, but I know it exists where I work.

  • slesicki

    SSC Enthusiast

    Points: 196

    Chris, great catch. Thank you. Yes, I would use caution where the UserType is WINDOWS_LOGIN. I will publish a script soon to be used in conjunction with this one. It uses sys.xp_logininfo to "Select Group Members from Logins."

  • slesicki

    SSC Enthusiast

    Points: 196

    Comments posted to this topic are about the item Orphaned Users Search and Destroy
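
The edge case raised in this thread, as an added example that is neither the article's script nor the follow-up script mentioned above: before treating a Windows user with no SID-matched login as an orphan, ask sys.xp_logininfo whether the account still reaches the server through a group. The temp table names, column names and verdict strings are constructed for illustration, and nothing is dropped.

```sql
-- Added example (constructed). Run in the database under review.
SET NOCOUNT ON;
CREATE TABLE #paths (account_name sysname NULL, acct_type char(8) NULL, privilege char(9) NULL,
                     mapped_login_name sysname NULL, permission_path sysname NULL);
CREATE TABLE #review (UserName sysname, Verdict nvarchar(max));

DECLARE @user sysname, @type char(1), @acct sysname;
DECLARE c CURSOR LOCAL FAST_FORWARD FOR
    SELECT dp.name, dp.type, SUSER_SNAME(dp.sid)   -- NULL when the SID no longer resolves
    FROM sys.database_principals AS dp
    LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
    WHERE sp.sid IS NULL                           -- no login with an exactly matching SID
      AND dp.type IN ('S', 'U')                    -- SQL users and Windows users
      AND dp.authentication_type_desc IN ('INSTANCE', 'WINDOWS'); -- skip contained / WITHOUT LOGIN users
OPEN c;
FETCH NEXT FROM c INTO @user, @type, @acct;
WHILE @@FETCH_STATUS = 0
BEGIN
    IF @type = 'S'
        INSERT #review VALUES (@user, N'SQL user, no matching login: orphan candidate');
    ELSE IF @acct IS NULL
        INSERT #review VALUES (@user, N'Windows SID does not resolve to an account: orphan candidate');
    ELSE
    BEGIN
        DELETE FROM #paths;
        BEGIN TRY
            -- 'all' returns one row per permission path for a Windows user
            INSERT #paths EXEC sys.xp_logininfo @acctname = @acct, @option = 'all';
            IF EXISTS (SELECT 1 FROM #paths WHERE permission_path IS NOT NULL)
                INSERT #review
                SELECT DISTINCT @user, N'Keep: reaches the server via ' + permission_path
                FROM #paths WHERE permission_path IS NOT NULL;
            ELSE
                INSERT #review VALUES (@user, N'No group path found: orphan candidate');
        END TRY
        BEGIN CATCH
            -- xp_logininfo raises an error when Windows cannot return the account
            INSERT #review VALUES (@user, N'Lookup failed, review by hand: ' + ERROR_MESSAGE());
        END CATCH
    END
    FETCH NEXT FROM c INTO @user, @type, @acct;
END
CLOSE c; DEALLOCATE c;

SELECT UserName, Verdict FROM #review ORDER BY UserName;
DROP TABLE #paths, #review;
```

Running it needs permission to execute xp_logininfo (sysadmin membership or an explicit EXECUTE grant in master). A "Keep" verdict also means direct grants on that database user are still in effect, which is the loss described in the first reply.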
