Search sqlserver-dba.com
Follow sqlserver-dba.com
*Use the Comments section for questions
SQLServer-DBA.com Links
Recent Posts
- How to find privilege changes with SQL Server Default Trace
- sys.dm_server_services - How to check if SQL Server service is running or not?
- Msg 3023, Level 16, State 2 Backup, file manipulation operations (such as ALTER DATABASE ADD FILE) and encryption changes on a database must be serialized. Reissue the statement after the current backup or file manipulation operation is completed.
- Can we restore a database to an older version in SQL Server?
- How do I save all SQL Agent Jobs
- How to view SQL Server mount point space without access to server
- DBCC SHRINKFILE: page could not be moved because it is a work table page.
- SQL Agent Last Modified explanation
- Sql certificate chain was issued by an authority that is not trusted
- sqlserver-dba.com switching from feedburner to follow.it
SQL Server – Find who made a database security change
01 January,2013 by Tom Collins
A nightly SQL Server Agent batch job started failing suddenly , with a message about a database user missing.
The SQL Server Agent job history indicated the job ran successfully for 6 months. Either someone had restored the database to a much older version or a database user was deleted.
The SQL Server default trace has an event - Audit Add DB User . The event is recorded in the trace when a login is added\removed as a database user.
This query returns all events of the Audit Add DB User . Luckily , the trace file hadn’t yet rolled over. Keep in mind the SQL Server default trace file has 5 trace files @ 20 MB each. If the system is very busy , these files can roll over quickly
Using the query – I was able to discover the TargetUserName, database name , time of change and under what login name the change occurred.
Script to find who made a SQL database security changes
SELECT te.trace_event_id,
TE.name AS [EventName] ,
T.EventSubClass,
T.TargetUserName,
T.DatabaseName ,
t.DatabaseID ,
t.NTDomainName ,
t.ApplicationName ,
t.LoginName ,
t.SPID ,
t.Duration ,
t.StartTime ,
t.EndTime
FROM sys.fn_trace_gettable(CONVERT(VARCHAR(150), ( SELECT TOP 1
f.[value]
FROM sys.fn_trace_getinfo(NULL) f
WHERE f.property = 2
)), DEFAULT) T
JOIN sys.trace_events TE ON T.EventClass = TE.trace_event_id
WHERE t.StartTime > GETDATE() -1
and te.name = 'Audit Add DB User Event'
ORDER BY t.StartTime ;
Read More on SQL trace events and SQL Server Security
SQL Server – default trace FAQ - SQL Server DBA
SQL Server – Audit Backup\Restore Event with SQL Default trace ...
How to create a SQL Server Security Audit - SQL Server DBA
Powershell sql server security audit - SQL Server DBA
Author: Tom Collins (http://www.sqlserver-dba.com)
Share:
Verify your Comment
Previewing your Comment
This is only a preview. Your comment has not yet been posted.
As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.
Having trouble reading this image? View an alternate.
Posted by: |