I created two SQL Server Logins which correspond to two windows groups:
MachineName\MyAppAmdin
MachineName\MyAppUser
Then in the database, I created two users with the same name and mapped them to the logins.
In the windows server, I added my domain account MyDomain\MyAccount
to the MachineName\MyAppAmdin
group.
Now I can pass windows authentication via MyDomain\MyAccount
.
The thing is, I would like to know exactly which windows group login I'm using, but I'm not able to find out how.
I tried:
ORIGINAL_LOGIN()
SYSTEM_USER
SUSER_SNAME
SELECT * FROM dm_exec_sessions
All the above return MyDomain\MyAccount
, but what I need to know is if I was logging in via the group membership in MachineName\MyAppAmdin
.
To sum up, my question is:
Is there a way to tell exactly which Windows Group Login (or user) the current connection is using?
Or is there any way I can check if MyDomain\MyAccount
is associated with a particular user or login?
I know I can use C# or command to resolve if a domain account belongs to specific windows group, but we have some new IT policies, so I'm thinking of a way to achieve a similar result by using TSQL.
Best Answer
Windows Authentication
istoken-based
authentication, you can read abouttokens
here Access token and here Token Based AuthenticationSo when you use
Windows Authentication
to logon, you present to server yourWindows token
.You can see all the server principals that are part of your
login token
using this code:If you want to explore
login token
of another login, you should first impersonate it:Of course you should have
IMPERSONATE
permission onsome_login
to be able toimpersonate
it.So your permissions on server are defined based on the "sum" of the permissions of all the principals that make part of your token.
DENY
as always has precedence onGRANT
so if you are a member of twoWin groups
one of wich hasgrant
and otherdeny
on some object, you'll be denied to access it.