Sql-server – Need to list SQL Windows auth users on each SQL server and rename the domain name

loginssql server

We are doing an AD Domain NetBIOS rename. We have about 20 SQL servers, and on each we have a series of logins like OLD.DOM\sqluser1 etc. I want to do two things, and a third would be a bonus. I'm not sure how to put these together:

SELECT * FROM Sys.login_token

I think this will list the users I mentioned above? I'd like to put that into a variable and then run this I think:

ALTER LOGIN "OLD.DOM\variable_holding_username"
WITH NAME="NEWDOM\variable_holding_username"

So if I can go on a server, list out all of those OLD.DOM\ logins and ALTER each of them, I'd be happy.

I'd be extra happy if I could hit each SQL server remotely and run through this, instead of doing each one separately.

Best Answer

Unless you are actually deleting the user accounts in Active Directory and re-creating them, you don't actually need to do anything to the logins on SQL Server.

SQL Server references the accounts using the Active Directory SID, not the name.

You can test this by renaming an account in Active Directory and attempting to login to SQL Server with it.

Assuming you are using at least a semi-modern version¹ of SQL Server, you can use ALTER LOGIN [DOMAIN\xyz] WITH NAME = [NEWDOMAIN\xyz]; syntax to modify the name of a Windows Active Directory login in SQL Server. You can use the system DMV, sys.server_principals to determine which logins should be modified. For example:

DECLARE @OldDomain SYSNAME;
DECLARE @NewDomain SYSNAME;
DECLARE @cmd NVARCHAR(MAX);

SET @OldDomain = 'MyOldDomain';
SET @NewDomain = 'NewDomainName';

DECLARE cur CURSOR LOCAL FORWARD_ONLY
FOR
SELECT 'ALTER LOGIN ' + QUOTENAME(sp.name) + 
    ' WITH NAME = ' + QUOTENAME(@NewDomain + 
    RIGHT(sp.name, CHARINDEX('\', REVERSE(sp.name)))) + ';'
FROM master.sys.server_principals sp
WHERE sp.type_desc LIKE 'WINDOWS_%'
    AND sp.name LIKE @OldDomain + '\%';

OPEN cur;

FETCH NEXT FROM cur 
INTO @cmd;

WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT (@cmd);

    FETCH NEXT FROM cur 
    INTO @cmd;
END

CLOSE cur;
DEALLOCATE cur;

The above code will print a list of commands that could be executed to modify the logins for Windows User Accounts and Windows Groups.

You can run the above code against multiple servers by creating a group of servers in the Server Registration Window in SSMS, the right-clicking it and selecting "New Query", as shown here:

This allows you to run any query against multiple servers simultaneously, and see the results in one window. The results have a "Server Name" column added automatically so you determine where each row came from.

^{1 - SQL Server 2008+}

Related Solutions

Sql-server – Running an SSIS package owned by a domain user from SQL Server running on a local service account

My personal opinion is that option #1 is the way to go. But I see no need for you to have to grant the domain account local administrator access. It seems to me that it requires access to certain folders and files and so you could grant the domain user access to only the resources that it needs to run the package successfully. This can be done through the file/folder properties dialog box and select the security tab - there should be no need to set it for every file and folder as you could set the permissions of the parent directory and set them to override child properties.

I hope this helps you.

SQL Server Output Issues – Why Am I Missing Some Output?

You cannot loop through objects in the way you have coded. Here's the working code:

Add-Type -AssemblyName "Microsoft.SqlServer.Smo, Version=10.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91";

$ServerName = 'xyzabc123'
$DatabaseName = 'test1'
$TableName = 'main'
$TableSchemaName = 'dbo'

$Server = New-Object Microsoft.SqlServer.Management.Smo.Server $ServerName
$Server.ConnectionContext.SqlExecutionModes = [Microsoft.SqlServer.Management.Common.SqlExecutionModes]::CaptureSql

$Database = $Server.Databases[$DatabaseName]

$Table = $Database.Tables[$TableName, $TableSchemaName]

$TablesToArchive = @($Table)
$Database.Tables | Select -ExpandProperty ForeignKeys | % {
    if($_.ReferencedTable -eq $TableName -and $_.ReferencedTableSchema -eq $TableSchemaName)
        { $TablesToArchive += $_.Parent }
}
# $TablesToArchive | % { $_.Name }

$ObjectsToArchive = ($TablesToArchive | Select -ExpandProperty Indexes) + ($TablesToArchive | Select -ExpandProperty ForeignKeys)
# $ObjectsToArchive | % { $_.Name }

$ObjectsToArchive | % {
    $_.Rename($_.Name + '_archive')
}
$RenameCommands = $Server.ConnectionContext.CapturedSql.Text
# $RenameCommands

For example, you were expecting

$Database.Tables.ForeignKeys

To give you a combined ForeignKeys collection made up of ForeignKeys of each Tables object. If you added the debug commands

# $ObjectsToArchive | % { $_.Name }

You would have been able to track it down very quickly.

Best Answer

Related Solutions

Sql-server – Running an SSIS package owned by a domain user from SQL Server running on a local service account

SQL Server Output Issues – Why Am I Missing Some Output?

Related Question