The only way a login has rights to a server is if those rights have been granted. The question is likely: How did these rights get granted?
If DOMAIN\USER_A is a member of some Windows group, then through the rights granted to the group the DOMAIN\USER_A login exists in the server. This is true even if there is no individual entry in sys.database_principals or sys.server_principals for that login.
You can look for the permission paths used by a login as follows:
EXEC xp_logininfo 'DOMAIN\USER_A', 'all'
You might find several permission paths for a login.
My article will help if you set it up in advance, but not when the event happened in the past and you didn't have any kind of auditing mechanism set up.
There is still hope, though. Let's say I did this:
CREATE LOGIN flooberella WITH PASSWORD = N'x', CHECK_POLICY = OFF;
This information is in the default trace under EventClass 104 (Audit Addlogin Event). However, if I change the password using either of these methods:
ALTER LOGIN flooberella WITH PASSWORD = N'y';
EXEC sp_password N'y', N'z', N'flooberella';
These events are not captured by the default trace, for obvious security reasons - it should not be possible for anyone with access to the default trace to figure out what someone else's password is, nor do they want to make it easy to even find out that a password has been changed (polling the frequency of these events, for example, can reveal certain properties of your security strategy).
So what else can you do? While this relies on the information still being in the log, and it also relies on using an undocumented DBCC command against a system database (you may wish to back up master and restore it elsewhere), you can get some information from the transaction log, e.g.:
DBCC LOG(master, 1);
This will yield, for the above two commands, rows with the following (partial) information:
Current LSN Description
====================== ======================================================================
000000f2:000001b8:0002 ALTER LOGIN;0x01050000000000051500000093a3bcd7a9f8fb1417ab13bce8030000
000000f2:000001b8:0004 Alter login change password;0x01050000000000 ... same sid as above ...
Doesn't seem like much, but now take that 0x portion of the description, and then do:
SELECT name FROM sys.server_principals
WHERE sid = 0x01050000000000051500000093a3bcd7a9f8fb1417ab13bce8030000;
Smoking gun! This is the person responsible for that event.
Of course, if they use ALTER LOGIN
syntax for all operations (which they should be using instead of sp_password
), you can't distinguish between someone changing the default database and someone changing the password. You also can't tell (at least that I can see) which login this affected, only that this person changed a login. Jon seems to think that this information is in the log as well, but I failed to find it (unlike the time information, which somehow I scrolled right past).
There may be different answers for contained users in SQL Server 2012 - though I suspect password changes are still obfuscated in similar ways. Will leave that for a separate question.
Best Answer
You can use DMVs to see who's logged in at the time, but this won't get you any historic information.
I suppose you could use this code in a logon trigger and save the information to a table, but if you need a running log, you may want to look at Extended Events or running a trace (SQL Server Profiler).