One common issue that database administrators often run into is the old, familiar “orphaned” user problem. This happens when you use SQL Server Authentication to create a SQL Server login on your database server. When you do this, SQL Server generates a unique SID for that SQL Server login. After you create the SQL Server login, you typically create a database user in a user database on that server instance, and associate the database user with that SQL Server login.
This works fine until you try to restore that user database to another SQL Server instance. If you previously created a SQL Server login with the same UserID on the new server, the SID for that SQL Server login will not match the database user in the user database that you have restored (from the other database instance). Hence the term “orphaned” user. This is an especially big issue if you are using database mirroring, since your database users will be orphans when you failover from one instance to the other instance. It is also an issue with log shipping, and it often comes up when you migrate from an old database server to a new database server.
There are several ways to fix this, but the best thing (outside of just using Windows Authentication and avoiding the problem), is to create the new server login using the same SID as on the original server. Just like you see below:
-- Get Sids for all SQL Server logins on the old server instance SELECT name, [sid] FROM sys.server_principals WHERE [type] = 's'; -- Create new SQL Login on new server instance IF EXISTS (SELECT * FROM sys.server_principals WHERE name = N'SQLAppUser') DROP LOGIN SQLAppUser; GO -- Use the sid from the old server instance CREATE LOGIN SQLAppUser WITH PASSWORD = N'YourStrongPassword#', sid = 0x2F5B769F543973419BCEF78DE9FC1A64, DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF; GO
6 thoughts on “How To Avoid Orphaned Database Users with SQL Server Authentication”
Cool info Glenn .. Thanks for sharing
Glenn,
Will the following fix the issue by mapping the SQL Login on the new instance to the User in the database and updating the SID for the User as well?
USE database_name;
GO
ALTER USER [database user] WITH LOGIN = [sql language=”login”][/sql];
Hi Glenn
I’ve always used the sp_change_users_login proc to remap orphaned users to the correct login rather than creating them with the original SID. Just wondering if this (i.e. the proc) isn’t the best way or if there’s other advantages to creating the user with the original SID?
Cheers
Alex – I do the same. In fact I wrote up a procedure that maps orphaned users as you describe – have a look if you wish:
http://allen-mcguire.blogspot.com/2009/10/sql-server-map-orphaned-users.html
I do a lot of restores from production to non-production environements so it comes in handy for me.
Idera offers a free tool which creates all of that very nicely, including the passwords and authorizations for the users regardless of the authentication type. Just migrated about 40 DBs from multiple instances from a cluster to standalone servers (don’t ask but they’re using VMs instead of the cluster for the HA) and it created the scripts and pushed over the authorizations nicely. Since I couldn’t go back to the old servers as they old and new servers used the same alias, it was the greatest thing since sliced bread. (For some reason I was given the new SQL instances with a higher patch level than the old one too, so migrating the model, master and msdb was out of the question).
It’s worth checking out.
http://www.idera.com/productssolutions/freetools/sqlpermissionsextractor
Nice tip. And thanks Kevin for that Idera app, it has been really handfull