Domain Login can login w/o Entry in SysLogins?

Question

Domain Login can login w/o Entry in SysLogins?

Topher

SSCommitted

Points: 1763
More actions
February 4, 2009 at 1:12 pm

#97143

Is this possible...? I have an domain ID that is active in a DB (SysUsers) but not active in SysLogins. But, the ID can login. The domain acct is not a member of any group that is currently on the server (syslogins).....

Viewing 7 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic. Login to reply

K. Brian Kelley SSC Guru Points: 114532 More actions · Answer 1

How about a member of a domain group that has been given login rights? Or a member of BUILTIN\Administrators (the local Administrators group on the server) if that hasn't been removed?

K. Brian Kelley
@kbriankelley

Topher SSCommitted Points: 1763 More actions · Answer 2

K. Brian Kelley (2/4/2009)
How about a member of a domain group that has been given login rights? Or a member of BUILTIN\Administrators (the local Administrators group on the server) if that hasn't been removed?

Nope. Not a member of any groups(or nested) that have rights. No builtin...

K. Brian Kelley SSC Guru Points: 114532 More actions · Answer 3

If you run

EXEC xp_logininfo 'Domain\User', 'all'

what do you get?

K. Brian Kelley
@kbriankelley

Topher SSCommitted Points: 1763 More actions · Answer 4

The permission path is pointing to "domain\domain users''.....

Topher SSCommitted Points: 1763 More actions · Answer 5

also, i do not see that login or group members in that group

Topher SSCommitted Points: 1763 More actions · Answer 6

Actually...here is what I found.. Which, brings up another Q!!

So, the ID path is thru "Domain\DomainUsers" and it has ability to login to the server, but no DBs.

Sooo, here is my Q!

*edit*cleanup of the q 🙂 *

AN ID is a member of domain group ABC and the Domain Users group. Now, ABC has access into the a Database with Active Dir group ABC. Domain users ONLY has a server login; no right to dbs

SO!, now, the group ABC is dropped from the server but it's left orphaned on the ABC Database.

So, now technically, the ID can login to the server thru the domain users group(and technically end there w/ that security path). BUT, will the ID now have privs into the DATABASE since the ABC group still is active (but orphaned on the server).

So, the overall question, is can a login use different paths in regards to what it logs into w/ on the server vs what it can use on the DB itself.

:o\