Why should you care about users with elevated permissions in SQL Server?

The security model offered by Microsoft SQL Server is highly configurable and very robust when all security best practices are followed.

Why should you care about it?

The least-privileged user account (LUA) approach is an essential part of a defensive, in-depth strategy for countering security threats.

By the way, this check is a part of our SQL Server Health Check service.

LUA says that a user must be granted only those privileges, which are required to perform his task – nothing more, nothing less.

It is a best practice that can avoid many future issues like somebody rename or drop an object accidentally.

You can learn more about SQL Server database engine permissions in the Microsoft documentation.

How can I find users with elevated permissions in SQL Server?

SysAdmin users

Run the query below to list all the users with that are sysadmins or have GRANT CONTROL SERVER.

  1. USE master
  2. GO
  3. SELECT DISTINCT p.name AS [loginname] ,
  4. p.type ,
  5. p.type_desc ,
  6. p.is_disabled,
  7. s.sysadmin,
  8. CONVERT(VARCHAR(10),p.create_date ,101) AS [created],
  9. CONVERT(VARCHAR(10),p.modify_date , 101) AS [update]
  10. FROM sys.server_principals p
  11. JOIN sys.syslogins s ON p.sid = s.sid
  12. JOIN sys.server_permissions sp ON p.principal_id = sp.grantee_principal_id
  13. WHERE p.type_desc IN ('SQL_LOGIN', 'WINDOWS_LOGIN', 'WINDOWS_GROUP')
  14. -- Logins that are not process logins
  15. AND p.name NOT LIKE '##%'
  16. AND (s.sysadmin = 1 OR sp.permission_name = 'CONTROL SERVER')
  17. ORDER BY p.name

Database owners

Run the query below to list all the users mapped to db_owner role.

  1. exec sp_msForEachDb ' use [?]
  2. select db_name() as [database_name], r.[name] as [role], p.[name] as [member] from
  3. sys.database_role_members m
  4. join
  5. sys.database_principals r on m.role_principal_id = r.principal_id
  6. join
  7. sys.database_principals p on m.member_principal_id = p.principal_id
  8. where
  9. r.name = ''db_owner'''

How to reduce user permissions

Choose lower permission to the users listed if they don’t need to have these privileges.

Remove the user from the sysadmin server role when possible.

Use db_datareader and db_datawriter roles to give people the right to read and write to any table in the database.

Among several options, you can edit roles for an existing user using SQL Server Management Studio:

  1. Firstly, go into Security, Logins, and right-click on a login
  2. In the User Mapping tab, remove (uncheck) the login from the roles for each database – Make sure the users got some kind of access to do their queries.
Figure 1 – Login properties.

More information

Microsoft – Getting Started with Database Engine Permissions
Microsoft – Server and Database Roles in SQL Server 

Mark Varnas

Mark Varnas

Hey I'm Mark, one of the guys behind Red9. I make a living performance tuning SQL Servers and making them more stable. I channel my SQL into our SQL Managed Services, SQL Consulting and our internal database products.

Leave a Reply

Your email address will not be published. Required fields are marked *