Re: GRANT CREATE DATABASE versus GRANT ALTER ANY LOGIN

---

• From: "Joe" <jwdaigle@xxxxxxxxxxxxx>
• Date: Fri, 13 Apr 2007 11:12:59 +0800

---

"Erland Sommarskog" <esquel@xxxxxxxxxxxxx> wrote in message
news:Xns9911AB07D649Yazorman@xxxxxxxxxxxx

Joe (jwdaigle@xxxxxxxxxxxxx) writes:

OK, I obviously dont understand something really simple here. Could
someone help me see the light? :-)

Im logged in as a local machine admin.


C:\> SQLCMD -E
1> grant create database to [valen\nsLocalDBUsers]
2> go
1> grant alter any login to [valen\nsLocalDBUsers]
2> go
Msg 15151, Level 16, State 1, Server VALEN, Line 1
Cannot find the login 'valen\nsLocalDBUsers', because it does not exist
or
you d
o not have permission.
1>

CREATE DATABASE is a database permission, ALTER ANY LOGIN is a server-
level permission. Database permissions are granted to database principals,
server permissions to logins.

It's certainly interesting that [valen\nsLocalDBUsers] is a database
user, but not a login, particularly if this is the master database.
But I would dig into sys.server_principals and sys.database_principals
to see what anomalies I could find.



--
Erland Sommarskog, SQL Server MVP, esquel@xxxxxxxxxxxxx

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

With your help, I figured it out. What happened was this. I did a
sp_grantdbaccess [valen\nslocaldbusers] without ever doing the CREATE LOGIN.
The sp_grantdbaccess seems to automatically add the group to db principals,
but not to server principals. Once I did the CREATE LOGIN, the GRANT ALTER
ANY LOGIN worked for that account.

Thank you for pointing me in the right direction.

Joe


.

---

• References:
  • GRANT CREATE DATABASE versus GRANT ALTER ANY LOGIN
    • From: Joe
  • Re: GRANT CREATE DATABASE versus GRANT ALTER ANY LOGIN
    • From: Erland Sommarskog

• Prev by Date: Re: GRANT CREATE DATABASE versus GRANT ALTER ANY LOGIN
• Next by Date: Do Windows Authentication SQL 2k5 Logins survive a sysprep?
• Previous by thread: Re: GRANT CREATE DATABASE versus GRANT ALTER ANY LOGIN
• Next by thread: SQL Server 2005 Security
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: System Administrator Implied Permissions ... > sa login, it assigns it the System Administrator fixed ... > Now, given this, why does SQL Server ... in each database is always a member of the public and db_owner roles. ... Other sysadmin role members have the exact same ... (microsoft.public.sqlserver.security) Re: No db access after publishing web site ... GRANT UPDATE TO ... If I detach and attach this database on a different PC (according that PC ... Cannot open database "pago" requested by the login. ... Are you detaching/attaching the SQL Server Express database correctly ... (microsoft.public.dotnet.framework.aspnet) Re: code access security ... Error 1 CREATE ASSEMBLY for assembly 'GmsSqlClr' failed because assembly ... owner has EXTERNAL ACCESS ASSEMBLY permission and the database has the ... make sure the database owner is mapped to the correct login on ... (microsoft.public.dotnet.languages.csharp) Re: cannot login to the db after... ... Jasper Smith (SQL Server MVP) ... I have created a new database, "db_1", using the "sa" ... I then created a new login, "sqluser1" and gave ... (microsoft.public.sqlserver.security) Re: Cant view merge agent properties (trying again) ... In the List of Actions for the Snapshot Agent History I see this repeated: ... every single database listed. ... So, just now, I went to computername\Administrator Login ID (because it's ... On the computer running SQL Server, ... (microsoft.public.sqlserver.replication)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.sqlserver.security  > 2007-04