Solved

SQL Dropping users

Posted on 2013-12-14
9
172 Views
Last Modified: 2013-12-16
I have just been handed a SQL instance with several databases and I need to remove all but  few users from both SQL and from the databases. Instead of manually deleting hundreds of users, would it be possible to construct a script to first remove them from the databases and then to remove them from SQL. Let's use DB1 and DB2 as the databases and let's say the only users I want to remain are Bob and Carol and Ted and Alice. What would the scripts looks like to remove everyone else?
0
Comment
Question by:rwheeler23
  • 3
  • 3
  • 3
9 Comments
 
LVL 38

Accepted Solution

by:
Jim P. earned 500 total points
ID: 39719209
You don't state version but assuming SQL 2005 or above.

You can probably build something to do it automatically but the quick and dirty is to do a SQL Query to text output (<ctrl>+T) then copy results to a new window and run the drop.

So the query would be:
SET NoCount On;
SELECT 'DROP USER ' + [Name] + ';' as [-- Drop users]
FROM sys.users
WHERE [Name] Not In ('sa','dbo','Bob','Carol','Ted','Alice')
use master
go
SELECT 'DROP LOGIN ' + [Name] + ';' as [-- Drop Logins]
FROM sys.logins
WHERE [Name] Not In ('sa','dbo','Bob','Carol','Ted','Alice')

Open in new window


Now my suggestion before dropping the logins is to get the sp_help_revlogin script and save a copy of the existing logins to a file. Hopefully nothing was built on them, but it keeps the SID and encrypted password if you have to recreate it.
0
 

Author Comment

by:rwheeler23
ID: 39719219
Good point. In this I have one company splitting away from another and only a few people are in this company so those old user accounts would be of no concern.

Thanks.

P.S. This was SQL Server 2012

So the drop user drops them from the company databases and the drop login drops them from SQL?
0
 
LVL 38

Expert Comment

by:Jim P.
ID: 39719226
So the drop user drops them from the company databases and the drop login drops them from SQL?

Correct.

The reason that I mention saving the logins is that I have run into multiple professionally developed apps that use SQL authentication. The installer will create the SQL login with a specific userid that looks like Tom but actually has much more responsibility. So if you can just re-add the login you are much better off.
0
 

Author Closing Comment

by:rwheeler23
ID: 39719269
Thanks for the expert tips!
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 69

Expert Comment

by:ScottPletcher
ID: 39719305
What are "sys.users" and "sys.logins"?

At any rate:

Be very careful before running the results of that script. (Once you make any adjustments to make it run.)

[I was working on a script but won't bother with it now.]
0
 
LVL 38

Expert Comment

by:Jim P.
ID: 39719370
Those are leftover views from pre-2k5 that are the current sys.syslogins and sysusers tables.
0
 
LVL 69

Expert Comment

by:ScottPletcher
ID: 39721568
Nothing pre-2k5 was "sys.".  Did you mean "sysusers" and "syslogins"?  If so, obviously those views should no longer be used.
0
 

Author Comment

by:rwheeler23
ID: 39722589
Scott, if you would like me to open a new incident I would be more than happy to do so. You could place your scripts in their and I could add them to my aresenal for future use. I see more databases coming my way so it would be of great assistance.
0
 
LVL 69

Expert Comment

by:ScottPletcher
ID: 39722740
I'm not trying to insist on that.

I just think that script is too slap-dash to be used in any real SQL environment.  For example:

The ids to be kept/removed need to be specified at the login level, not the user level, because the user name does not have to match the login name.  [Most people use the same name for both, but that is NOT required by SQL.]

If the corresponding user owns schemas/objects, what should be done?  The DROP USER will fail.

My personal preference would be to allow specific db(s) to be ignored/excluded from the DROPs.  Perhaps a single/few db(s) will allow legacy access for old logins for some period of time. [Obviously that is not critical, just, as noted, my personal preference.]
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Having an SQL database can be a big investment for a small company. Hardware, setup and of course, the price of software all add up to a big bill that some companies may not be able to absorb.  Luckily, there is a free version SQL Express, but does …
Introduction SQL Server Integration Services can read XML files, that’s known by every BI developer.  (If you didn’t, don’t worry, I’m aiming this article at newcomers as well.) But how far can you go?  When does the XML Source component become …
Familiarize people with the process of retrieving data from SQL Server using an Access pass-thru query. Microsoft Access is a very powerful client/server development tool. One of the ways that you can retrieve data from a SQL Server is by using a pa…
Viewers will learn how to use the SELECT statement in SQL and will be exposed to the many uses the SELECT statement has.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now