SQL Server User access while not defined in Security section?

cwxwcias posted 5 months ago in Other

Sorry if this sounds simple or stupid to ask; however, I have a scenario where a user can log into a SQL Server instance (SSMS 18.9.2) using Windows credentials and query databases and tables, while I see no record of that user in the Security folder/section/DB of the same SQL Server instance.

Could someone be kind and tell me how this is even possible?

Thanks,

I looked over all available Security accounts, individuals and groups and found no relation to that user at all.

exdqitrt1#

> I have a scenario where a user can log into a SQL Server instance (SSMS 18.9.2) using Windows credentials and query databases and tables, while I see no record of that user in the Security folder/section/DB of the same SQL Server instance.

A Windows authenticated account can access the SQL instance without an individual account login if the user is a member of a Windows AD group login with server CONNECT SQL permission. Furthermore, the account can access an individual database if the user is a member of a Windows AD group with database CONNECT permission. AD groups can be nested (groups within groups) and a user can be a member of multiple groups, so it can be tricky to determine if an individual account has access to the instance and the corresponding permission path using the SSMS UI.

Run xp_logininfo for the user account to list the AD group memberships (permission path) with CONNECT SQL permission. The account will also have access to an individual database if the user has CONNECT permission in the database, either directly or via AD group membership.

EXEC xp_logininfo 'YourDomain\YourUser', 'all';
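
One way to turn the permission paths described in the answer above into an audit result, written as an added example that is not part of the original answer: it captures the xp_logininfo output and joins it to the server and database catalog views. The account name CONTOSO\jdoe and the temp table name #paths are constructed placeholders.

```sql
-- Added example. N'CONTOSO\jdoe' is a constructed placeholder account name.
DECLARE @acct sysname = N'CONTOSO\jdoe';

-- One row per path that gives the account access to the instance.
CREATE TABLE #paths (
    account_name      sysname,
    type              char(8),
    privilege         char(9),       -- 'admin' = sysadmin, reaches every database as dbo
    mapped_login_name sysname NULL,
    permission_path   sysname NULL   -- NULL when the account has its own login
);

INSERT INTO #paths
EXEC master.dbo.xp_logininfo @acctname = @acct, @option = 'all';

-- Server level: the login (usually a Windows group) behind each path,
-- its CONNECT SQL permission state and any server role membership.
SELECT p.permission_path, p.privilege,
       sp.name         AS server_login,
       sp.type_desc,
       sp.is_disabled,
       perm.state_desc AS connect_sql_state,
       r.name          AS server_role
FROM #paths AS p
JOIN sys.server_principals AS sp
     ON sp.name = COALESCE(p.permission_path, p.account_name)
LEFT JOIN sys.server_permissions AS perm
     ON perm.grantee_principal_id = sp.principal_id
    AND perm.permission_name = N'CONNECT SQL'
LEFT JOIN sys.server_role_members AS rm
     ON rm.member_principal_id = sp.principal_id
LEFT JOIN sys.server_principals AS r
     ON r.principal_id = rm.role_principal_id;

-- Database level (run in each database of interest):
-- users mapped by SID to the logins found above, with their CONNECT state.
SELECT DB_NAME()       AS database_name,
       dp.name         AS database_user,
       dp.type_desc,
       perm.state_desc AS connect_state
FROM #paths AS p
JOIN sys.server_principals AS sp
     ON sp.name = COALESCE(p.permission_path, p.account_name)
JOIN sys.database_principals AS dp ON dp.sid = sp.sid
LEFT JOIN sys.database_permissions AS perm
     ON perm.grantee_principal_id = dp.principal_id
    AND perm.permission_name = N'CONNECT' AND perm.class = 0;

DROP TABLE #paths;
```

The database-level query only finds users mapped to the same groups that act as server logins; a database user created for a different AD group the account belongs to will not appear in it.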
