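I am trying to drop all logins from SQL Server except the default built-in SQL Server logins, but I am unable to drop the "<domain>\administrator" account. It gives me an error:
"Server principal '<domain>\administrator' has granted one or more permission(s). Revoke the permission(s) before dropping the server principal."
I tried to check the permissions assigned to this user with this query: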
Select * from sys.server_permissions where grantor_principal_id = (Select principal_id from sys.server_principals where name = N'<domain>\administrator')
This query returns only one record, corresponding to an endpoint, as shown below:
class class_desc major_id minor_id grantee_principal_id grantor_principal_id type permission_name state state_desc
105 ENDPOINT 65536 0 269 259 CO CONNECT G GRANT
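But when I try to use Object Explorer to check the permissions assigned to this user on any of the existing endpoints, I find that no permission of any kind is given to the user I am trying to drop. I am not sure what is going on or where to look in order to drop this user. Any help would be appreciated.
Answer 0 (score: 2)
I was able to resolve this issue. There were two problems that were not allowing me to drop the "<domain>\administrator" login from SQL Server:
I changed both of them to the "sa" user and then I was able to drop the user successfully. I also got an expert comment from a colleague who helped me resolve this issue:
It is good practice to keep [sa] as the default owner of most SQL objects. If a domain user is the owner of a SQL object and that user later no longer exists in Active Directory, it will affect how the object works.
Answer 1 (score: 0)
You have to check "Server permissions" and "Explicit permissions".
Answer 2 (score: 0)
To find out which permissions are preventing the login from being dropped, I am using the https://www.crowd88.com script: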
SELECT @@SERVERNAME, @@SERVICENAME
SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED
DECLARE @GrantorName nvarchar(4000)
SET @GrantorName = 'xxx\the_login' /* Login in Question */
SELECT b.name as Grantor
     , c.name as Grantee
     , a.state_desc as PermissionState
     , a.class_desc as PermissionClass
     , a.type as PermissionType
     , a.permission_name as PermissionName
     , a.major_id as SecurableID
FROM sys.server_permissions a
JOIN sys.server_principals b
    ON a.grantor_principal_id = b.principal_id
JOIN sys.server_principals c
    ON a.grantee_principal_id = c.principal_id
WHERE grantor_principal_id =
(
    SELECT principal_id
    FROM sys.server_principals
    WHERE name = @GrantorName
)
and sometimes also this one:
--Check to see if they own the endpoint itself:
SELECT SUSER_NAME(principal_id) AS endpoint_owner ,name AS endpoint_name
FROM sys.database_mirroring_endpoints;
--If so, you'll need to change the endpoint owner. Say the endpoint is called Mirroring, and you want to change the owner to SA:
--ALTER AUTHORIZATION ON ENDPOINT::Mirroring TO sa;
or the following one:
--1) Check to see if this logon only has server level permissions and check to see
--if this login has granted permissions to another server principal.
--Use this query to identify the permissions granted.
Select perm.* from sys.server_permissions perm
INNER JOIN sys.server_principals prin ON perm.grantor_principal_id = prin.principal_id
where prin.name = 'xxx\the_login' /* Login in Question */
--2) The permissions granted will need to be revoked , to allow the DROP LOGIN to complete.
--The permissions can be granted again by a suitable LOGIN.
There is also a good article related to this:
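Added example, not part of any answer on this page and not the article mentioned above: a single read-only T-SQL query that combines the two checks discussed here (permissions the login has granted, and endpoints it owns), resolves an endpoint's major_id (such as the 65536 in the question) to the endpoint name, and builds candidate fix statements as text. The login name is the page's placeholder; the column aliases and the choice of sa as new owner are assumptions of this example.

```sql
-- Added example: read-only diagnostic. It only builds statement text; it runs no REVOKE or ALTER.
DECLARE @LoginName sysname = N'xxx\the_login';  -- placeholder: the login you want to drop
DECLARE @pid int = (SELECT principal_id
                    FROM sys.server_principals
                    WHERE name = @LoginName);

-- 1) Server-level permissions where the login is the GRANTOR (this is what the error refers to)
SELECT  N'permission granted by login' AS blocker,
        perm.state_desc                AS permission_state,
        perm.permission_name,
        perm.class_desc,
        CASE perm.class
            WHEN 100 THEN N'(server)'                 -- SERVER: major_id is 0
            WHEN 101 THEN SUSER_NAME(perm.major_id)   -- SERVER_PRINCIPAL: major_id is a principal_id
            WHEN 105 THEN ep.name                     -- ENDPOINT: major_id is an endpoint_id
        END                            AS securable_name,
        grantee.name                   AS grantee,
        CASE WHEN perm.class = 105 THEN
            N'REVOKE ' + perm.permission_name COLLATE DATABASE_DEFAULT
            + N' ON ENDPOINT::' + QUOTENAME(ep.name)
            + N' FROM ' + QUOTENAME(grantee.name)
            + N' AS ' + QUOTENAME(@LoginName) + N';'
        END                            AS candidate_fix
FROM sys.server_permissions AS perm
JOIN sys.server_principals AS grantee
    ON grantee.principal_id = perm.grantee_principal_id
LEFT JOIN sys.endpoints AS ep
    ON perm.class = 105 AND ep.endpoint_id = perm.major_id
WHERE perm.grantor_principal_id = @pid

UNION ALL

-- 2) Endpoints of any type that the login OWNS (not only database mirroring endpoints)
SELECT  N'endpoint owned by login',
        NULL,
        NULL,
        N'ENDPOINT',
        ep.name,
        NULL,
        N'ALTER AUTHORIZATION ON ENDPOINT::' + QUOTENAME(ep.name) + N' TO sa;'
FROM sys.endpoints AS ep
WHERE ep.principal_id = @pid;
```

Each candidate_fix value is text to review before running it by hand. Where a grantee still needs CONNECT on an endpoint, have a login that will stay on the server grant it again after the revoke or ownership change.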