Related Question: SQL Server script to delete accounts no longer in Active Directory
Whilst the above question points out the rather handy sp_validatelogins
procedure, i'd like to extend this procedure to then drop the logins, search all databases & drop any related users.
Id also like to drop all SQL logins that have not been logged in for over X months – and again, drop any related users across all databases.
Before I go writing all this from scratch – I cant help but feel I'd be re-inventing the wheel – someone must surly have written a script to do this already but i'm not having much luck finding one!
If no one has a script up their sleeve to do all this, scripts to do parts of them would be just as good – I've no problem merging them into a single script.
Best Answer
I don't have a full script for the task. But maybe this script could be a start.
It returns a list of logins that don't have permissions granted. Using
sp_msforeachdb
it searches on all databases usingsys.database_principals
andsys.database_role_members
. You could insert the result in a temp table and then do whatever you need to do with that list.I'm sure I found this script some time ago somewhere and made some small modifications to fit my needs. But can't find where I found the original one. So sorry if no link provided to the author(s).
Sample result: