SQL 2005 ALTER ANY LOGIN trouble
- From: "Ol Boldyrev" <olboldie@xxxxxxxxx>
- Date: Thu, 11 Jan 2007 19:52:59 +0300
Hi all!
I want a user to be able to create Windows logins, and only this, observing
least privileges.
As the SQL Server 2005 Books Online teach, what is needed is to grant the user
a server-wide permission ALTER ANY LOGIN.
That's what I'm doing:
1.
grant alter ANY login to [Domain\User]
which executes successfully. Then strange things begin to happen.
2. First, I try to check whether the permission is really given:
.. execute as user = N'Domain\User'
SELECT Has_perms_by_name(null, null, N'ALTER ANY LOGIN');
returns 0.
3. I open the Management Studio\Server properties\Permissions for the login
of interest, the corresponding permissions are checked! (BTW for myself it
returns 1, as I'm a sysadmin.)
4. Next I'm running
execute as user = N'Domain\User'
CREATE LOGIN [Domain\AnotherUser] FROM WINDOWS WITH
DEFAULT_DATABASE=[DB], DEFAULT_LANGUAGE=[us_english],
and getting
Msg 15247, Level 16, State 1, Line 12
User does not have permission to perform this action.
5. Then the User himself runs this and it fails again.
6. Granting the User a CONTROL SERVER permission or including him in the
local Administrators group on the server (as myself) solves the problem. But
isn't it elevation of privileges? What did we fight for?
I feel I'm missing something. Who can shed some light?
Thanks
Oleg
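
One way to check a server-level grant like the one in steps 1 to 3, as an added example that is not part of the original post. EXECUTE AS USER impersonates a database user and that context is scoped to the current database, so server-scope checks are made here under EXECUTE AS LOGIN as well. [Domain\User] is the post's placeholder, and a database user of that name is assumed to exist in the current database.

```sql
-- Added example, not from the original post.
-- Run as sysadmin, or as a principal holding IMPERSONATE on the login.
-- N'Domain\User' is the placeholder principal name used in the post.

-- 1. Confirm the grant is recorded at server scope, independent of any
--    impersonation context.
SELECT pr.name            AS grantee,
       pr.type_desc       AS principal_type,
       pe.class_desc      AS securable_class,
       pe.permission_name,
       pe.state_desc      AS grant_state
FROM   sys.server_permissions AS pe
JOIN   sys.server_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pr.name = N'Domain\User'
  AND  pe.permission_name = N'ALTER ANY LOGIN';

-- 2. Evaluate the effective permission while impersonating the LOGIN,
--    which is the principal that server-level permissions attach to.
EXECUTE AS LOGIN = N'Domain\User';
SELECT SUSER_SNAME() AS login_context,
       HAS_PERMS_BY_NAME(NULL, NULL, N'ALTER ANY LOGIN') AS has_alter_any_login;

-- Everything the login effectively holds at server scope. For a
-- least-privilege delegation this list should contain nothing broader
-- than intended (for example, no CONTROL SERVER).
SELECT permission_name
FROM   fn_my_permissions(NULL, 'SERVER')
ORDER  BY permission_name;
REVERT;

-- 3. The same check under database-user impersonation, as in the post,
--    so the two results can be compared side by side.
--    Assumes a database user named Domain\User exists in the current database.
EXECUTE AS USER = N'Domain\User';
SELECT USER_NAME() AS user_context,
       HAS_PERMS_BY_NAME(NULL, NULL, N'ALTER ANY LOGIN') AS has_alter_any_login;
REVERT;
```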