|
matt_calhoon
Posting Yak Master
235 Posts |
 Posted - 2004-07-11 : 22:24:20
|
| Hi there,Ive downloaded some scripts from Microsoft (sp_sidmap.sql) which you run against your user database. This creates 2 stored procs which allow for you to remap orphaned users. the first line of this procedure has the following script:EXEC sp_configure 'allow updates', 1Reconfigure with overrideBut nowhere in the script sets the allow updates back to 0. Should I do this manually?here is the script:/*Microsoft provides programming examples for illustration only, without warrantyeither expressed or implied, including, but not limited to, the impliedwarranties of merchantability and/or fitness for a particular purpose. Thisarticle assumes that you are familiar with the programming language beingdemonstrated and the tools used to create and debug procedures. Microsoftsupport professionals can help explain the functionality of a particularprocedure, but they will not modify these examples to provide addedfunctionality or construct procedures to meet your specific needs. If you havelimited programming experience, you may want to contact a Microsoft CertifiedPartner or the Microsoft fee-based consulting line at (800) 936-5200. For moreinformation about Microsoft Certified Partners, please see the following page onthe World Wide Web: http://www.microsoft.com/partner/referral/ For more information about the support options available from Microsoft, pleasesee the following page on the World Wide Web: http://support.microsoft.com/directory/overview.asp*/-- Allow Ad-Hoc updates to the system tablesEXEC sp_configure 'allow updates', 1Reconfigure with overrideGO/****************************************************************/ PRINT 'Creating Stored Procedure: dbo.sp_SidMap'GO/****************************************************************/ IF EXISTS ( SELECT * FROM sysobjects WHERE name = 'sp_SidMap') DROP procedure sp_SidMapGOCREATE PROCEDURE sp_SidMap@old_domain varchar(30), -- User Specifies the Old Domain Name@new_domain varchar(30), -- User Specifies the New Domain Name@old_server varchar(40), -- User specifies the Old Server from where the database was backed up@new_server varchar(40) -- User specifies the New Server where the database is restored to ASSET NOCOUNT ONDECLARE @domains_different_flag CHAR(1)-- ERROR IF IN USER TRANSACTIONIF @@trancount > 0BEGIN RAISERROR(15289,-1,-1) RETURN(0)END-- Check to make sure that all the Parameters are passedIF (@old_domain IS NULL)BEGIN PRINT'Error: Pass the Old Domain Name where this database existed before, as the first parameter to the procedure' RETURN(0)ENDIF (@new_domain IS NULL)BEGIN PRINT'Error: Pass the New Domain Name where this database is restored to now, as the second parameter to the procedure' PRINT'' PRINT'If the domain is same, pass the old domain as the second parameter, otherwise, pass the new domain name' RETURN(0)ENDIF (@old_server IS NULL)BEGIN PRINT'Error: Pass the Old Server Name from where where this database existed before, as the third parameter to the procedure' RETURN(0)ENDIF (@new_server IS NULL)BEGIN PRINT'Error: Pass the Current Server Name to where you restored the database, as the fourth parameter to the procedure' RETURN(0)END-- Only an sa can run this procedureIF ((SELECT suser_id()) <> 1)BEGIN PRINT'Error: Only the sa may run sp_sidMap' RETURN(0)END-- Check to make sure not running in masterIF ((SELECT db_name()) = 'master')BEGIN PRINT'Error: Please run sp_SidMap in the user database - not master database' RETURN(0)END-- Set the Flag if the database is moved OR restored to a different domain than the previous domainIF @old_domain <> @new_domain SET @domains_different_flag = 'T'ELSE SET @domains_different_flag = 'F'PRINT'----------------------------------'PRINT'MAPPING OF STANDARD LOGINS STARTED'PRINT'----------------------------------'PRINT''DECLARE @sysusers_name VARCHAR(500), @sysusers_sid VARBINARY(85)DECLARE @sysxlogins_sid VARBINARY(85), @ret_val INTDECLARE stdsqlusers_cursor CURSOR FOR SELECT name, sid from sysusers WHERE issqluser = 1 AND issqlrole = 0 AND isapprole = 0 AND uid > 3ORDER BY name OPEN stdsqlusers_cursor WHILE (1 = 1)BEGIN FETCH NEXT FROM stdsqlusers_cursor INTO @sysusers_name, @sysusers_sid IF(@@FETCH_STATUS <> 0) BEGIN CLOSE stdsqlusers_cursor DEALLOCATE stdsqlusers_cursor BREAK END IF NOT EXISTS (SELECT name FROM master..sysxlogins WHERE name = @sysusers_name) BEGIN EXEC @ret_val = sp_addlogin @loginame = @sysusers_name, @sid = @sysusers_sid IF @ret_val <> 0 BEGIN RAISERROR(15497,16,1,@sysusers_name) PRINT'MSG ****: Please add the Login : ' + @sysusers_name + ' using sp_addlogin.' CONTINUE END END EXEC sp_change_users_login update_one, @sysusers_name, @sysusers_name PRINT'Successfully mapped : ''' + @sysusers_name + '''' PRINT'' ENDPRINT'------------------------------------'PRINT'MAPPING OF STANDARD LOGINS COMPLETED'PRINT'------------------------------------'PRINT''PRINT''PRINT'------------------------------------'PRINT'MAPPING OF INTEGRATED LOGINS STARTED'PRINT'------------------------------------'PRINT''PRINT'-----------------------------------------------------------------------------------'PRINT'Please save the following output and follow the directions given by the text MSG***'PRINT'After you follow all the steps until the end, Re-run the procedure sp_SidMap'PRINT'-----------------------------------------------------------------------------------'PRINT''DECLARE integrated_users_cursor CURSORFOR SELECT name, sid FROM sysusers WHERE (isntgroup = 1 OR isntuser = 1) AND isaliased = 0 AND issqlrole = 0 AND isapprole = 0CREATE TABLE #t_ambigous_logins(sysxlogins_name VARCHAR(500), sysusers_name VARCHAR(500))CREATE TABLE #t_mapped_logins(sysusers_name VARCHAR(500), sysxlogins_name VARCHAR(500))CREATE TABLE #t_created_logins(sysusers_name VARCHAR(500))DECLARE @new_server_login VARCHAR(500), @old_server_login VARCHAR(500)DECLARE @old_domain_login VARCHAR(500), @new_domain_login VARCHAR(500)DECLARE @strippedoff_sysusers_name VARCHAR(500), @regular_sysusers_name VARCHAR(500)DECLARE @sysusers_count INT, @sysxlogins_count INTDECLARE @sysxlogins_name VARCHAR(500), @has_prefix_flag CHAR(1)DECLARE @no_prefix_local_login CHAR(1), @no_prefix_global_login CHAR(1), @user_is_local_login CHAR(1) OPEN integrated_users_cursorWHILE (1 = 1)BEGIN -- Initialize PARAMS SET @strippedoff_sysusers_name = NULL SET @regular_sysusers_name = NULL SET @old_server_login = NULL SET @new_server_login = NULL SET @old_domain_login = NULL SET @new_domain_login = NULL SET @sysxlogins_count = NULL SET @has_prefix_flag = NULL SET @user_is_local_login = 'F' FETCH NEXT FROM integrated_users_cursor INTO @sysusers_name, @sysusers_sid IF(@@FETCH_STATUS <> 0) BEGIN DEALLOCATE integrated_users_cursor BREAK END --Build a regular version and a stripped off version of sysusers.name IF CHARINDEX('\', @sysusers_name)<> 0 BEGIN SET @strippedoff_sysusers_name = lower(substring(@sysusers_name, (charindex('\', @sysusers_name)+ 1), 256)) SET @has_prefix_flag = 'T' -- Get a count of matching logins from sysxlogins for this user when the user has a prefix SELECT @sysxlogins_count = COUNT(*) FROM master..sysxlogins WHERE name = @sysusers_name END ELSE IF CHARINDEX('\', @sysusers_name)= 0 BEGIN SET @strippedoff_sysusers_name = lower(@sysusers_name) SET @has_prefix_flag = 'F' -- Get a count of matching logins from sysxlogins for this user when -- the user does not have a prefix SELECT @sysxlogins_count = COUNT(*) FROM master..sysxlogins WHERE name LIKE '%\' + @sysusers_name END -- Build the New Server, Old Server, Old Domain, New Domain Login strings here SET @old_server_login = @old_server + '\' + @strippedoff_sysusers_name SET @new_server_login = @new_server + '\' + @strippedoff_sysusers_name SET @old_domain_login = @old_domain + '\' + @strippedoff_sysusers_name SET @new_domain_login = @new_domain + '\' + @strippedoff_sysusers_name -- There are two possibilities if the count in sysxlogins = 1. It is either a local -- user that has already been mapped or it is a global user for which nothing needs -- to be done as the database was moved to a Server in the same domain IF @sysxlogins_count = 1 BEGIN -- If the user does not have a prefix, but the sysxlogins table has an entry for this user -- then update sysusers and map the SIDs IF @has_prefix_flag = 'F' BEGIN SELECT @sysxlogins_sid = sid, @sysxlogins_name = name FROM master..sysxlogins WHERE name LIKE '%\' + @sysusers_name IF @sysxlogins_sid <> @sysusers_sid BEGIN UPDATE sysusers SET sid = @sysxlogins_sid, name = @sysxlogins_name WHERE name = @sysusers_name INSERT INTO #t_mapped_logins VALUES(@sysusers_name, @sysxlogins_name) END END -- has_prefix_flag = F ELSE BEGIN SELECT @sysxlogins_sid = sid FROM master..sysxlogins WHERE name = @sysusers_name IF @sysxlogins_sid <> @sysusers_sid BEGIN -- The following is true ONLY when sp_prefix_sysusersname procedure is executed and -- the sysusers.name is changed to a local login or a global login on the new server. UPDATE sysusers SET sid = @sysxlogins_sid WHERE name = @sysusers_name INSERT INTO #t_mapped_logins VALUES(@sysusers_name, @sysusers_name) END END -- has_prefix_flag = T END -- End of sysxlogins_count = 1-- Begin of sysxlogins_count = 0 IF @sysxlogins_count = 0BEGIN-- Initialize the flagsSET @no_prefix_local_login = 'F'SET @no_prefix_global_login = 'F'IF ((@has_prefix_flag = 'T') AND (@sysusers_name = @old_server_login))BEGIN -- Flag that this is a local user and will not have to be looked at again in the different -- domains section of code. SET @user_is_local_login = 'T' -- Case when sysusers.name has the prefix of the local server name -- and it exists in sysxlogins IF EXISTS(SELECT sid FROM master..sysxlogins WHERE name = @new_server_login) BEGIN SELECT @sysxlogins_sid = sid FROM master..sysxlogins WHERE name = @new_server_login UPDATE sysusers SET sid = @sysxlogins_sid, name = @new_server_login WHERE name = @sysusers_name INSERT INTO #t_mapped_logins VALUES(@sysusers_name, @new_server_login) END ELSE BEGIN -- Case when sysusers.name has the prefix of the local server name but it does not -- exist in sysxlogins. So try granting the user account or group access to SQL Server. EXEC @ret_val = sp_grantlogin @new_server_login IF (@ret_val = 0) BEGIN PRINT'' UPDATE sysusers SET name = @new_server_login, sid = ( SELECT sid from master..sysxlogins WHERE name = @new_server_login ) WHERE name = @sysusers_name INSERT INTO #t_created_logins VALUES(@sysusers_name) END ELSE IF (@ret_val = 1) -- If the user account or group cannot be granted access to SQL Server, -- output a message for the user to first create the user account or group. PRINT'MSG ***: Create the Windows NT user account or group.' PRINT'' ENDENDELSE IF ((@has_prefix_flag = 'T') AND (@sysusers_name = @old_domain_login) AND (@domains_different_flag = 'F'))BEGIN IF EXISTS(SELECT sid FROM master..sysxlogins WHERE name = @old_domain_login) -- Case when sysusers.name has the prefix of the domain name and it exists in sysxlogins -- Nothing needs to be done as this is a global user account or group and the SIDs are same. PRINT'' ELSE BEGIN -- Case when sysusers.name has the prefix of the domain name and it does not exist -- in sysxlogins, first try granting the user account or group access to SQL Server EXEC @ret_val = sp_grantlogin @old_domain_login IF ( @ret_val = 0 ) BEGIN UPDATE sysusers SET name = @old_domain_login, sid = ( SELECT sid from master..sysxlogins WHERE name = @old_domain_login ) WHERE name = @sysusers_name INSERT INTO #t_created_logins VALUES(@old_domain_login) PRINT'' END ELSE IF (@ret_val = 1) BEGIN -- If granting access for the global user account or group to SQL server fails, output a message -- to the user to do it explicitly as it may not be there in rhe domain yet PRINT'MSG ***: Create this Windows NT user account or group on the domain.' PRINT'' END -- @ret_val = 1 END -- If the domain user account or group does not exist in sysxloginsEND -- If the has_prefix_flag = 'T'ELSE IF (@has_prefix_flag = 'F')BEGIN-- Case when sysusers.name does not have the prefix and the user does not have an entry -- in sysxlogins. There is no way of knowing which user account or group this belongs to.-- Output a message asking to resolve the user by adding the user account or group -- at the Operating System level and then grant access to SQL Server. PRINT'MSG ***: Unable to resolve the user account or group : ''' + @sysusers_name + '''' PRINT'MSG ***: Create a Windows NT user account or group for the above if it does not already exist.' PRINT'MSG ***: Grant this user account or group access to SQL Server using sp_grantlogin.' PRINT''END-- Case where sysusers.name has a prefix of the old domain name or it does not have a prefix-- But, the database has moved to a new domainIF ((@domains_different_flag = 'T') AND (@user_is_local_login = 'F'))BEGIN-- Case when sysusers.name exists in sysxlogins then map the SIDs and change -- the sysusers.name to reflect the new domain name. IF EXISTS ( SELECT sid FROM master..sysxlogins WHERE name = @new_domain_login ) BEGIN SELECT @sysxlogins_sid = sid FROM master..sysxlogins WHERE name = @new_domain_login UPDATE sysusers SET sid = @sysxlogins_sid, name = @new_domain_login WHERE name = @sysusers_name INSERT INTO #t_mapped_logins VALUES(@sysusers_name, @new_domain_login) END ELSE BEGIN IF (@has_prefix_flag = 'T') BEGIN -- Case when sysusers.name has a prefix of the old domain name, but it does not -- exist in the sysxlogins table, try granting the user account or group access to -- SQL Server. EXEC @ret_val = sp_grantlogin @new_domain_login IF ( @ret_val = 0 ) BEGIN SELECT @sysxlogins_sid = sid FROM master..sysxlogins WHERE name = @new_domain_login UPDATE sysusers SET sid = @sysxlogins_sid, name = @new_domain_login WHERE name = @sysusers_name INSERT INTO #t_created_logins VALUES(@new_domain_login) PRINT'' END ELSE IF ( @ret_val = 1 ) -- If granting the user account or group access to SQL Server fails, give the ability -- for the user to create the user account or group and then grant to SQL Server. BEGIN PRINT'MSG ***: Could not find the global user account or group in the domain ' + @new_domain + '.' PRINT'MSG ***: Create this global user account or group on the new domain.' PRINT'' END -- ret_val = 1 END -- has_prefix_flag = 'T' END -- Else Clause for existence of the domain login in sysxlogins END -- The 'T' FlagEND -- The count = 0IF @sysxlogins_count > 1BEGIN-- Case when the sysusers.name does not have any prefix and there are multiple logins -- for this user in the sysxlogins table. Example would be a local login and a global -- login with the same name. INSERT INTO #t_ambigous_logins SELECT name, @sysusers_name FROM master..sysxlogins WHERE name LIKE '%\' + @sysusers_nameEND -- IF COUNT > 1END -- End the WHILE LOOP-- Print the login mapping and login creation information IF EXISTS( SELECT 1 FROM #t_mapped_logins )BEGIN DECLARE mapped_logins_cur CURSOR FOR SELECT sysusers_name, sysxlogins_name FROM #t_mapped_logins DECLARE @sqlstr varchar(1000), @var1 VARCHAR(400), @var2 VARCHAR(400) PRINT'' PRINT'' PRINT'USER ACCOUNT OR GROUP MAPPING INFORMATION:' PRINT'-----------------------------------------' OPEN mapped_logins_cur WHILE (1 = 1) BEGIN FETCH NEXT FROM mapped_logins_cur INTO @var1, @var2 IF(@@FETCH_STATUS <> 0) BEGIN DEALLOCATE mapped_logins_cur BREAK END SELECT @sqlstr = '''' + RTRIM(@var1) + ''''+ ' is mapped to ' + '''' + RTRIM(@var2) + '''' PRINT @sqlstr ENDENDIF EXISTS( SELECT 1 FROM #t_created_logins )BEGIN DECLARE created_logins_cur CURSOR FOR SELECT sysusers_name FROM #t_created_logins PRINT'' PRINT'' PRINT'USER ACCOUNT OR GROUP GRANT AND MAPPING INFORMATION:' PRINT'---------------------------------------------------' OPEN created_logins_cur WHILE (1 = 1) BEGIN FETCH NEXT FROM created_logins_cur INTO @var1 IF(@@FETCH_STATUS <> 0) BEGIN DEALLOCATE created_logins_cur BREAK END SELECT @sqlstr = ''''+ @var1 + ''''+ ' is granted access to SQL Server and then mapped to sysxlogins' PRINT @sqlstr ENDENDIF EXISTS( SELECT 1 FROM #t_ambigous_logins )BEGIN DECLARE ambigous_logins_cur CURSOR FOR SELECT RTRIM(sysusers_name), RTRIM(sysxlogins_name) FROM #t_ambigous_logins ORDER BY sysusers_name PRINT'' PRINT'' PRINT'MULTIPLE LOGINS FOR EACH USER INFORMATION:' PRINT'-----------------------------------------' OPEN ambigous_logins_cur WHILE (1 = 1) BEGIN FETCH NEXT FROM ambigous_logins_cur INTO @var1, @var2 IF(@@FETCH_STATUS <> 0) BEGIN DEALLOCATE ambigous_logins_cur BREAK END SELECT @sqlstr = 'Name in Sysusers is : ' + ''''+ @var1 + '''' + ' , ' + 'Name in Sysxlogins is : ' + '''' + @var2 + '''' PRINT @sqlstr END PRINT'' PRINT'' PRINT'RESOLVE MULTIPLE LOGINS INFORMATION:' PRINT'------------------------------------' DECLARE ambigous_logins_cur CURSOR FOR SELECT RTRIM(sysusers_name), RTRIM(sysxlogins_name) FROM #t_ambigous_logins ORDER BY sysusers_name OPEN ambigous_logins_cur WHILE (1 = 1) BEGIN FETCH NEXT FROM ambigous_logins_cur INTO @var1, @var2 IF(@@FETCH_STATUS <> 0) BEGIN DEALLOCATE ambigous_logins_cur BREAK END SELECT @sqlstr = 'exec sp_Prefix_SysusersName ' + '''' + db_name() + ''''+ ', ' + '''' + @var1+ '''' + ', ''' + @var2+ '''' PRINT @sqlstr ENDENDPRINT''PRINT'--------------------------------------'PRINT'MAPPING OF INTEGRATED LOGINS COMPLETED'PRINT'--------------------------------------'SET NOCOUNT OFFRETURN(1)-- End of Procedure sp_SidMapGOIF EXISTS ( Select name from sysobjects where name = 'sp_Prefix_SysusersName') DROP PROCEDURE sp_Prefix_SysusersNameSET QUOTED_IDENTIFIER ON SET ANSI_NULLS ON GO/****************************************************************/ PRINT 'Creating Stored Procedure: dbo.sp_Prefix_SysusersName'GO/****************************************************************/ CREATE PROCEDURE sp_Prefix_SysusersName @database_name VARCHAR(123), -- User specifies the database @old_sysusersname VARCHAR(300), -- User specifies the Old sysusers.name @new_sysusersname VARCHAR(300) -- User specifies the New Sysusers.nameASDECLARE @var varchar(500)PRINT'************************************************'PRINT'This procedure is ONLY to be used in conjuntion with the sp_SidMap procedure that is referenced in the Knowledge Base Article - Q240872'PRINT''PRINT'This procedure updates the sysusers table to a new name when an old name and new name is specified'PRINT'************************************************'PRINT'' -- ERROR IF IN USER TRANSACTION --IF @@trancount > 0BEGIN RAISERROR(15289,-1,-1) RETURN (0)END -- Only an sa can run this procedureIF ((SELECT suser_id()) <> 1)BEGIN PRINT 'Error: Only the sa may run sp_Prefix_SysusersName' RETURN(0)END IF (@database_name IS NULL)BEGIN PRINT 'Error: Pass the Database Name that was moved or restored, as the first parameter to the procedure' RETURN(0)END IF (@old_sysusersname IS NULL)BEGIN PRINT 'Error: Pass the Old Sysusers.name that has the problem, as the second parameter to the procedure' RETURN(0)END IF (@new_sysusersname IS NULL)BEGIN PRINT 'Error: Pass the New Sysusers.name to correct the problem, as the third parameter to the procedure' RETURN(0)END IF EXISTS( SELECT 1 FROM sysusers where name = @old_sysusersname )BEGIN SELECT @var = 'UPDATE ' + @database_name + '..sysusers set name = ' + ''''+ @new_sysusersname + '''' +' where name = ' + ''''+ @old_sysusersname + '''' EXEC (@var) PRINT'Successfully updated the user from ' + '''' + @old_sysusersname + '''' + ' to ' + '''' + @new_sysusersname + '''' PRINT''ENDELSEBEGIN PRINT'MSG ***: The username ' + ''''+ @old_sysusersname + '''' + ' does not exist in the database ' + '''' + @database_name + '''' PRINT'MSG ***: Make sure you specify the correct username.'ENDGOSET QUOTED_IDENTIFIER OFF SET ANSI_NULLS ON GO |
|
sp_SidMap