Re: Stopping users from truncating logs



Well, I have not done that particular deny, but in general a login's rights are an aggregate of all the rights granted directly to the login or to any groups to which the login belongs. In that aggregation, the DENY overrides any GRANTs.

So, yes, the deny to a domain group of users should override their rights granted through some other route. (If someone is a sysadmin those rights triumph over everything, including deny statements.)

RLF


"wcochran" <wcochran@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:028DD7E6-D059-4086-B70B-D65075F7363B@xxxxxxxxxxxxxxxx
That is excellent. I'll discuss this with my team and more than likely go
forward with this trace flag option instead.

I do have a follow-up question though...

If for some reason we don't go with the trace flag and opt to use the deny
script instead of the trace flag, will the deny command work on domain
groups of users as well who also have DBO rights to the databases?

Thanks in advance again for the help!

William Cochran


"Jeffrey Williams" wrote:

Review the article at:
http://sqlskills.com/BLOGS/PAUL/post/BACKUP-LOG-WITH-NO_LOG-use-abuse-and-undocumented-trace-flags-to-stop-it.aspx

At the bottom of that blog, Paul identifies the trace flags that can be set
that will make those commands no ops. This would be a much better option
than trying to make sure privileges are denied.

The trace flag you want to set is 3231.

Jeff

"wcochran" <wcochran@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7A6F70DF-879B-43F3-8FF9-05AB3F845B4C@xxxxxxxxxxxxxxxx
> I need to stop users from doing backup log commands to truncate the logs
> when they fill up. I was testing and wrote this script:
>
> revoke backup log from BillyTest
>
> Where BillyTest is my user. BillyTest has DBO rights to the database in
> question. Yet then I logged in and was still able to run this command:
>
> backup log testdb with truncate_only
>
> Any insight on what I'm doing wrong? Thanks in advance!
>
> William Cochran
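
The two options discussed in this thread, side by side, as an added example that is not part of the original posts or written by any participant: the REVOKE from the first message next to a DENY, queries to check what was recorded and what the user effectively holds, and the trace flag from Jeff's reply. Assumptions: testdb and BillyTest are the names from the question, [EXAMPLE\LogUsers] is a hypothetical domain group that already exists as a user in the database, and the script is run by a sysadmin.

```sql
USE testdb;
GO

-- The statement from the original question. REVOKE only removes an explicit
-- GRANT or DENY recorded for the principal. It does not touch a permission
-- the principal holds through role membership (here, DBO rights).
REVOKE BACKUP LOG FROM BillyTest;

-- DENY records an explicit deny for the principal. Per the reply above, a
-- deny overrides grants that reach the login through any other route.
DENY BACKUP LOG TO BillyTest;
DENY BACKUP LOG TO [EXAMPLE\LogUsers];   -- hypothetical domain group

-- List what is explicitly recorded for BACKUP LOG at database scope.
SELECT pr.name            AS principal_name,
       pr.type_desc       AS principal_type,
       pe.permission_name,
       pe.state_desc      AS permission_state
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 0                        -- 0 = database-level permission
  AND pe.permission_name = N'BACKUP LOG';

-- Ask the engine for the effective permission while impersonating the user:
-- 1 means the user holds BACKUP LOG, 0 means not.
EXECUTE AS USER = N'BillyTest';
SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'BACKUP LOG') AS can_backup_log;
REVERT;
GO

-- Trace flag alternative from the thread: enable 3231 for the whole instance
-- (-1 = global), then confirm it is on. A flag set with DBCC TRACEON lasts
-- only until the instance restarts.
DBCC TRACEON (3231, -1);
DBCC TRACESTATUS (3231, -1);
GO
```

Running the permission query before and after the DENY statements shows the difference between the two approaches: the REVOKE leaves no row behind, while each DENY appears with a permission_state of DENY.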

