Check For Orphaned Users
07/14/2016
THIS TOPIC APPLIES TO: SQL Server Azure SQL Database Azure SQL
Orphaned users in SQL Server occur when a database user is based on a login in the
master database, but the login no longer exists in master. This can occur when the
login is deleted, or when the database is moved to another server where the login
does not exist. This topic describes how to find orphaned users, and remap them to
logins.
Note
Reduce the possibility of orphaned users by using contained database users for
databases that might be moved. For more information, see Contained Database
Background
(database user identity) based on a login, the principal must have a valid login in the
master database. This login is used in the authentication process that verifies the
instance of SQL Server. The SQL Server logins on a server instance are visible in the
SQL Server logins access individual databases as a "database user" that is mapped to
the SQL Server login. There are three exceptions to this rule:
Contained database users authenticate at the user-database level and are not
associated with logins. This is recommended because the databases are more
portable and contained database users cannot become orphaned. However they
mapped to a database user to enter the database as the guest user. The guest
A SQL Server login created from a Windows user can enter a database if the
Windows user is a member of a Windows group that is also a user in the database.
Information about the mapping of a SQL Server login to a database user is stored
within the database. It includes the name of the database user and the SID of the
corresponding SQL Server login. The permissions of this database user are applied
A database user (based on a login) for which the corresponding SQL Server login is
Such a user is said to be an orphaned user of the database on that server instance.
Orphaning can happen if the database user is mapped to a login SID that is not
present in the master instance. A database user can become orphaned after a
database is restored or attached to a different instance of SQL Server where the login
was never created. A database user can also become orphaned if the corresponding
SQL Server login is dropped. Even if the login is recreated, it will have a different SID,
To detect orphaned users in SQL Server based on missing SQL Server authentication
SELECT dp.name, dp.sid
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON dp.SID = sp.SID
WHERE sp.SID IS NULL AND dp.authentication_type_desc = 'INSTANCE';
The output lists the SQL Server authentication users and corresponding security
identifiers (SID) in the current database that are not linked to any SQL Server login.
Warehouse. Identify orphaned users in those environments with the following steps:
1. Connect to the master database and select the SIDs for the logins with the
following query:
SELECT sid
FROM sys.sql_logins;
2. Connect to the user database and review the SIDs of the users in the
3. Compare the two lists to determine if there are user SIDs in the user database
In the master database, use the CREATE LOGIN statement with the SID option to
recreate a missing login, providing the SID of the database user obtained in the
previous section:
CREATE LOGIN <login_name> WITH PASSWORD = '<strong_password>',
SID = <SID>;
To map an orphaned user to a login which already exists in master, execute the
ALTER USER statement in the user database, specifying the login name.
When you recreate a missing login, the user can access the database using the
password provided. Then the user can alter the password of the login account by
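As an added example that is not part of the original article, the following T-SQL combines the detection query and the two repair options above into one script for a SQL Server instance (not for the Azure SQL Database procedure, where master and the user database have to be queried separately). Run it in the user database; it only generates statements for review, and it assumes, as a choice of this example, that an orphaned user should be remapped to a SQL login of the same name when one exists and otherwise have its login recreated with the original SID.

```sql
-- Added example, not from the original article. Run in the user database on
-- a SQL Server instance. It lists orphaned SQL-authenticated users and, for
-- each, builds the repair statement the article describes. Nothing is
-- executed here; review the generated statements before running them.
SET NOCOUNT ON;

WITH orphans AS (
    -- Same logic as the detection query: database users whose SID has no
    -- matching server principal, restricted to SQL-authentication users.
    SELECT dp.name AS db_user,
           dp.sid  AS user_sid
    FROM sys.database_principals AS dp
    LEFT JOIN sys.server_principals AS sp
        ON dp.sid = sp.sid
    WHERE sp.sid IS NULL
      AND dp.authentication_type_desc = 'INSTANCE'
)
SELECT o.db_user,
       CONVERT(varchar(100), o.user_sid, 1) AS user_sid_hex,   -- 0x... form
       CASE
           -- Assumption of this example: a SQL login with the same name in
           -- master is the one the user should be remapped to (ALTER USER).
           -- The database user then takes on that login's SID.
           WHEN EXISTS (SELECT 1
                        FROM sys.server_principals AS sp
                        WHERE sp.name = o.db_user
                          AND sp.type = 'S')          -- 'S' = SQL login
           THEN 'ALTER USER ' + QUOTENAME(o.db_user)
                + ' WITH LOGIN = ' + QUOTENAME(o.db_user) + ';'
           -- Otherwise recreate the login with the user's original SID so the
           -- mapping already stored in the database becomes valid again.
           ELSE 'CREATE LOGIN ' + QUOTENAME(o.db_user)
                + ' WITH PASSWORD = ''<set_a_strong_password>'', SID = '
                + CONVERT(varchar(100), o.user_sid, 1) + ';'
       END AS repair_statement
FROM orphans AS o
ORDER BY o.db_user;
```

The CREATE LOGIN statements must be run in master and the ALTER USER statements in the user database, which is why the script emits them rather than executing them.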
Important
Any login can change its own password. Only logins with the ALTER ANY LOGIN
permission can change the password of another user's login. However, only members