?
Solved

SQL Dropping users

Posted on 2013-12-14
9
Medium Priority
?
181 Views
Last Modified: 2013-12-16
I have just been handed a SQL instance with several databases and I need to remove all but  few users from both SQL and from the databases. Instead of manually deleting hundreds of users, would it be possible to construct a script to first remove them from the databases and then to remove them from SQL. Let's use DB1 and DB2 as the databases and let's say the only users I want to remain are Bob and Carol and Ted and Alice. What would the scripts looks like to remove everyone else?
0
Comment
Question by:rwheeler23
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 3
9 Comments
 
LVL 38

Accepted Solution

by:
Jim P. earned 2000 total points
ID: 39719209
You don't state version but assuming SQL 2005 or above.

You can probably build something to do it automatically but the quick and dirty is to do a SQL Query to text output (<ctrl>+T) then copy results to a new window and run the drop.

So the query would be:
SET NoCount On;
SELECT 'DROP USER ' + [Name] + ';' as [-- Drop users]
FROM sys.users
WHERE [Name] Not In ('sa','dbo','Bob','Carol','Ted','Alice')
use master
go
SELECT 'DROP LOGIN ' + [Name] + ';' as [-- Drop Logins]
FROM sys.logins
WHERE [Name] Not In ('sa','dbo','Bob','Carol','Ted','Alice')

Open in new window


Now my suggestion before dropping the logins is to get the sp_help_revlogin script and save a copy of the existing logins to a file. Hopefully nothing was built on them, but it keeps the SID and encrypted password if you have to recreate it.
0
 

Author Comment

by:rwheeler23
ID: 39719219
Good point. In this I have one company splitting away from another and only a few people are in this company so those old user accounts would be of no concern.

Thanks.

P.S. This was SQL Server 2012

So the drop user drops them from the company databases and the drop login drops them from SQL?
0
 
LVL 38

Expert Comment

by:Jim P.
ID: 39719226
So the drop user drops them from the company databases and the drop login drops them from SQL?

Correct.

The reason that I mention saving the logins is that I have run into multiple professionally developed apps that use SQL authentication. The installer will create the SQL login with a specific userid that looks like Tom but actually has much more responsibility. So if you can just re-add the login you are much better off.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Closing Comment

by:rwheeler23
ID: 39719269
Thanks for the expert tips!
0
 
LVL 69

Expert Comment

by:Scott Pletcher
ID: 39719305
What are "sys.users" and "sys.logins"?

At any rate:

Be very careful before running the results of that script. (Once you make any adjustments to make it run.)

[I was working on a script but won't bother with it now.]
0
 
LVL 38

Expert Comment

by:Jim P.
ID: 39719370
Those are leftover views from pre-2k5 that are the current sys.syslogins and sysusers tables.
0
 
LVL 69

Expert Comment

by:Scott Pletcher
ID: 39721568
Nothing pre-2k5 was "sys.".  Did you mean "sysusers" and "syslogins"?  If so, obviously those views should no longer be used.
0
 

Author Comment

by:rwheeler23
ID: 39722589
Scott, if you would like me to open a new incident I would be more than happy to do so. You could place your scripts in their and I could add them to my aresenal for future use. I see more databases coming my way so it would be of great assistance.
0
 
LVL 69

Expert Comment

by:Scott Pletcher
ID: 39722740
I'm not trying to insist on that.

I just think that script is too slap-dash to be used in any real SQL environment.  For example:

The ids to be kept/removed need to be specified at the login level, not the user level, because the user name does not have to match the login name.  [Most people use the same name for both, but that is NOT required by SQL.]

If the corresponding user owns schemas/objects, what should be done?  The DROP USER will fail.

My personal preference would be to allow specific db(s) to be ignored/excluded from the DROPs.  Perhaps a single/few db(s) will allow legacy access for old logins for some period of time. [Obviously that is not critical, just, as noted, my personal preference.]
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Delta outage: 650 cancelled flights, more than 1200 delayed flights, thousands of frustrated customers, tens of millions of dollars in damages – plus untold reputational damage to one of the world’s most trusted airlines. All due to a catastroph…
Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes.  We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
This video shows, step by step, how to configure Oracle Heterogeneous Services via the Generic Gateway Agent in order to make a connection from an Oracle session and access a remote SQL Server database table.
Via a live example, show how to backup a database, simulate a failure backup the tail of the database transaction log and perform the restore.

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question