db_owners unable to see login list

From: SkyGringo <doug@xxxxxx>
Date: Wed, 18 Jul 2007 14:13:40 -0700

Hi. We are using SQL Server 2005 64-bit on Windows Server 2003 R2 x64
Enterprise Edition. I have a really weird problem where I have people
out there who are placed in the db_owner, db_accessadmin, and
db_securityadmin roles in their database, and yet they are unable to
add new users to their databases, despite the fact that logins exist
for these users on the server. The reason is that when attempting to
add a new user in Management Studio, upon using the "Browse" option to
look at the logins, the complete list is not presented to them. In
fact, they only see a couple of logins or so (the server has hundreds
of logins). Also, if they try to type in the login name directly,
they get a "permission denied" error message. Since they cannot add
users to their databases, they have to call me and have me do it for
them.

I created a test, non-privileged, SQL-authenticated login to test
things for my own sake, and when logged in under the test account, I
saw the same behavior. I had db_owner role for a single test
database, and when I went to add users, the only server logins that
were displayed were my own (the test login in this case) and that of
sa. Further, when I queried the master.sys.syslogins view, I saw the
same thing, it only came back with the rows for myself and sa.

It appears that this is clearly a security problem, but I'm not sure
at what level to look. We never had this problem with SQL Server 2000
or earlier. Does anyone have any idea what I can do to allow my
db_owners to see all the server logins, and therefore be able to add
users to their databases as they see fit? I really do NOT want to
assign them to server-level security roles, for obvious reasons.

Thanks,
SkyGringo

.

Follow-Ups:
- Re: db_owners unable to see login list
  - From: Erland Sommarskog

Prev by Date: Re: How write this sentence with T-SQL
Next by Date: Re: Combining many records into 1
Previous by thread: How write this sentence with T-SQL
Next by thread: Re: db_owners unable to see login list
Index(es):
- Date
- Thread

Relevant Pages

Re: object level permissions being lost when migrating
... I first transferred the logins from the 2000 server to the 2005 server via ... I then restored the databases and re-synched the users via the ... Errors After Restoring Dump ...
(microsoft.public.sqlserver.security)
Re: Move databases between servers
... What I'm trying to do now is to copy master. ... Now I'm reinstalling sql with identical version, and restore all databases ... Since the logins are in master and operators/agents are in msdb why I ... copy all database and log files to new server ...
(microsoft.public.sqlserver.setup)
Re: Copying Databases From Server to Another
... Manager, for SQL Server instances, which takes care to move logins and msdb ... you can perhaps full backup and restore on the new server users databases... ... you could then script the logins out and recreate them on the destination ...
(microsoft.public.sqlserver.msde)
Re: moving server to a new box
... for SQL Server ... There are> about 100 user databases with a lot of logins and jobs. ...
(microsoft.public.sqlserver.server)
Re: Membership download
... SSIS task does not include the property for ALTER AUTHORIZATION ON SCHEMA. ... How to move databases between computers that are running SQL Server ... With SSIS transfer object task, if your destination server has no logins, ...
(microsoft.public.sqlserver.dts)