Microsoft KB Archive/298897

= SAMPLE Stored Procedures That Helps Map SIDs Between User and Master Databases When A Database Is Moved =

Article ID: 298897

Article Last Modified on 11/26/2007

-

APPLIES TO


 * Microsoft SQL Server 7.0 Standard Edition
 * Microsoft SQL Server 2000 Standard Edition

-



This article was previously published under Q298897



SUMMARY
The script in the &quot;More information&quot; section provides two stored procedures, sp_sidmap and sp_prefix_sysusersname, that help you to map the security identification numbers (SIDs) between the user database and the master database after a database moves between two different SQL Server servers as the result of a detach followed by an attach or a backup followed by a restore.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

240872 INF: How to Resolve Permission Issues When a Database is Moved between SQL Servers



MORE INFORMATION
You can use the following script to map SIDs between the user database and the master database when a database is moved.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements. /* If you have limited programming experience, you may want to contact a Microsoft Certified Partner or the Microsoft fee-based consulting line at (800) 936-5200. For more information about Microsoft Certified Partners, visit the following Microsoft Web site: http://www.microsoft.com/partner/referral/ For more information about the support options available from Microsoft, visit the following page Microsoft Web site: http://support.microsoft.com/directory/overview.asp

-- Allow Ad-Hoc updates to the system tables EXEC sp_configure 'allow updates', 1 Reconfigure with override GO

/****************************************************************/ PRINT 'Creating Stored Procedure: dbo.sp_SidMap' GO /****************************************************************/

IF EXISTS ( SELECT * FROM sysobjects WHERE name = 'sp_SidMap') DROP procedure sp_SidMap GO

CREATE PROCEDURE sp_SidMap @old_domain     varchar(30), -- User Specifies the Old Domain Name @new_domain     varchar(30), -- User Specifies the New Domain Name @old_server     varchar(40), -- User specifies the Old Server from where the database was backed up @new_server      varchar(40)  -- User specifies the New Server where the database is restored to

AS

SET NOCOUNT ON

DECLARE @domains_different_flag CHAR(1)

-- ERROR IF IN USER TRANSACTION IF @@trancount > 0 BEGIN RAISERROR(15289,-1,-1) RETURN(0) END

-- Check to make sure that all the Parameters are passed IF (@old_domain IS NULL) BEGIN PRINT'Error: Pass the Old Domain Name where this database existed before, as the first parameter to the procedure' RETURN(0) END

IF (@new_domain IS NULL) BEGIN PRINT'Error: Pass the New Domain Name where this database is restored to now, as the second parameter to the procedure' PRINT'' PRINT'If the domain is same, pass the old domain as the second parameter, otherwise, pass the new domain name' RETURN(0) END

IF (@old_server IS NULL) BEGIN PRINT'Error: Pass the Old Server Name from where where this database existed before, as the third parameter to the procedure' RETURN(0) END

IF (@new_server IS NULL) BEGIN PRINT'Error: Pass the Current Server Name to where you restored the database, as the fourth parameter to the procedure' RETURN(0) END

-- Only an sa can run this procedure IF ((SELECT suser_id) <> 1) BEGIN PRINT'Error: Only the sa may run sp_sidMap' RETURN(0) END

-- Check to make sure not running in master IF ((SELECT db_name) = 'master') BEGIN PRINT'Error: Please run sp_SidMap in the user database - not master database' RETURN(0) END

-- Set the Flag if the database is moved OR restored to a different domain than the previous domain IF @old_domain <> @new_domain SET @domains_different_flag = 'T' ELSE SET @domains_different_flag = 'F'

PRINT'--' PRINT'MAPPING OF STANDARD LOGINS STARTED' PRINT'--' PRINT''

DECLARE @sysusers_name VARCHAR(500), @sysusers_sid VARBINARY(85) DECLARE @sysxlogins_sid VARBINARY(85), @ret_val INT DECLARE stdsqlusers_cursor CURSOR FOR SELECT name, sid from sysusers WHERE issqluser = 1 AND  issqlrole = 0 AND  isapprole = 0 AND  uid > 3 ORDER BY name OPEN stdsqlusers_cursor WHILE (1 = 1) BEGIN FETCH NEXT FROM stdsqlusers_cursor INTO @sysusers_name, @sysusers_sid IF(@@FETCH_STATUS <> 0) BEGIN CLOSE stdsqlusers_cursor DEALLOCATE stdsqlusers_cursor BREAK END

IF NOT EXISTS (SELECT name FROM master..sysxlogins WHERE name = @sysusers_name) BEGIN EXEC @ret_val = sp_addlogin @loginame = @sysusers_name, @sid = @sysusers_sid IF @ret_val <> 0 BEGIN RAISERROR(15497,16,1,@sysusers_name) PRINT'MSG ****: Please add the Login : ' + @sysusers_name + ' using sp_addlogin.' CONTINUE END END EXEC sp_change_users_login update_one, @sysusers_name, @sysusers_name PRINT'Successfully mapped :  + @sysusers_name + ' PRINT'' END

PRINT'' PRINT'MAPPING OF STANDARD LOGINS COMPLETED' PRINT'' PRINT''

PRINT'' PRINT'' PRINT'MAPPING OF INTEGRATED LOGINS STARTED' PRINT'' PRINT''

PRINT'---' PRINT'Please save the following output and follow the directions given by the text MSG***' PRINT'After you follow all the steps until the end, Re-run the procedure sp_SidMap' PRINT'---' PRINT''

DECLARE integrated_users_cursor CURSOR FOR SELECT name, sid FROM sysusers WHERE (isntgroup = 1 OR isntuser = 1) AND isaliased = 0 AND issqlrole = 0 AND isapprole = 0

CREATE TABLE #t_ambigous_logins(sysxlogins_name VARCHAR(500), sysusers_name VARCHAR(500)) CREATE TABLE #t_mapped_logins(sysusers_name VARCHAR(500), sysxlogins_name VARCHAR(500)) CREATE TABLE #t_created_logins(sysusers_name VARCHAR(500))

DECLARE @new_server_login VARCHAR(500), @old_server_login VARCHAR(500) DECLARE @old_domain_login VARCHAR(500), @new_domain_login VARCHAR(500) DECLARE @strippedoff_sysusers_name VARCHAR(500), @regular_sysusers_name VARCHAR(500) DECLARE @sysusers_count INT, @sysxlogins_count INT DECLARE @sysxlogins_name VARCHAR(500), @has_prefix_flag CHAR(1) DECLARE @no_prefix_local_login CHAR(1), @no_prefix_global_login CHAR(1), @user_is_local_login CHAR(1) OPEN integrated_users_cursor WHILE (1 = 1) BEGIN -- Initialize PARAMS SET @strippedoff_sysusers_name = NULL SET @regular_sysusers_name = NULL SET @old_server_login = NULL SET @new_server_login = NULL SET @old_domain_login = NULL SET @new_domain_login = NULL SET @sysxlogins_count = NULL SET @has_prefix_flag = NULL SET @user_is_local_login = 'F'

FETCH NEXT FROM integrated_users_cursor INTO @sysusers_name, @sysusers_sid IF(@@FETCH_STATUS <> 0) BEGIN DEALLOCATE integrated_users_cursor BREAK END

--Build a regular version and a stripped off version of sysusers.name IF CHARINDEX('\', @sysusers_name)<> 0 BEGIN SET @strippedoff_sysusers_name = lower(substring(@sysusers_name, (charindex('\', @sysusers_name)+ 1), 256)) SET @has_prefix_flag = 'T'   -- Get a count of matching logins from sysxlogins for this user when the user has a prefix SELECT @sysxlogins_count = COUNT(*) FROM master..sysxlogins WHERE name = @sysusers_name END ELSE IF CHARINDEX('\', @sysusers_name)= 0 BEGIN SET @strippedoff_sysusers_name = lower(@sysusers_name) SET @has_prefix_flag = 'F'

-- Get a count of matching logins from sysxlogins for this user when -- the user does not have a prefix SELECT @sysxlogins_count = COUNT(*) FROM master..sysxlogins WHERE name LIKE '%\' + @sysusers_name END

-- Build the New Server, Old Server, Old Domain, New Domain Login strings here SET @old_server_login = @old_server + '\' + @strippedoff_sysusers_name SET @new_server_login = @new_server + '\' + @strippedoff_sysusers_name SET @old_domain_login = @old_domain + '\' + @strippedoff_sysusers_name SET @new_domain_login = @new_domain + '\' + @strippedoff_sysusers_name -- There are two possibilities if the count in sysxlogins = 1. It is either a local -- user that has already been mapped or it is a global user for which nothing needs -- to be done as the database was moved to a Server in the same domain IF @sysxlogins_count = 1 BEGIN -- If the user does not have a prefix, but the sysxlogins table has an entry for this user -- then update sysusers and map the SIDs IF @has_prefix_flag = 'F' BEGIN SELECT @sysxlogins_sid = sid, @sysxlogins_name = name FROM master..sysxlogins WHERE name LIKE '%\' + @sysusers_name IF @sysxlogins_sid <> @sysusers_sid BEGIN UPDATE sysusers SET sid = @sysxlogins_sid, name = @sysxlogins_name WHERE name = @sysusers_name INSERT INTO #t_mapped_logins VALUES(@sysusers_name, @sysxlogins_name) END END -- has_prefix_flag = F ELSE BEGIN SELECT @sysxlogins_sid = sid FROM master..sysxlogins WHERE name = @sysusers_name IF @sysxlogins_sid <> @sysusers_sid BEGIN -- The following is true ONLY when sp_prefix_sysusersname procedure is executed and -- the sysusers.name is changed to a local login or a global login on the new server. UPDATE sysusers SET sid = @sysxlogins_sid WHERE name = @sysusers_name INSERT INTO #t_mapped_logins VALUES(@sysusers_name, @sysusers_name) END END -- has_prefix_flag = T      END -- End of sysxlogins_count = 1

-- Begin of sysxlogins_count = 0 IF @sysxlogins_count = 0 BEGIN

-- Initialize the flags SET @no_prefix_local_login = 'F' SET @no_prefix_global_login = 'F'

IF ((@has_prefix_flag = 'T') AND (@sysusers_name = @old_server_login)) BEGIN -- Flag that this is a local user and will not have to be looked at again in the different -- domains section of code. SET @user_is_local_login = 'T' -- Case when sysusers.name has the prefix of the local server name -- and it exists in sysxlogins IF EXISTS(SELECT sid FROM master..sysxlogins WHERE name = @new_server_login) BEGIN SELECT @sysxlogins_sid = sid FROM master..sysxlogins WHERE name = @new_server_login UPDATE sysusers SET sid = @sysxlogins_sid, name = @new_server_login WHERE name = @sysusers_name INSERT INTO #t_mapped_logins VALUES(@sysusers_name, @new_server_login) END ELSE BEGIN -- Case when sysusers.name has the prefix of the local server name but it does not -- exist in sysxlogins. So try granting the user account or group access to SQL Server. EXEC @ret_val = sp_grantlogin @new_server_login IF (@ret_val = 0) BEGIN PRINT'' UPDATE sysusers SET name = @new_server_login, sid = ( SELECT sid from master..sysxlogins WHERE name = @new_server_login ) WHERE name = @sysusers_name INSERT INTO #t_created_logins VALUES(@sysusers_name) END ELSE IF (@ret_val = 1) -- If the user account or group cannot be granted access to SQL Server, -- output a message for the user to first create the user account or group. PRINT'MSG ***: Create the Windows NT user account or group.' PRINT'' END END ELSE IF ((@has_prefix_flag = 'T') AND (@sysusers_name = @old_domain_login) AND (@domains_different_flag = 'F')) BEGIN IF EXISTS(SELECT sid FROM master..sysxlogins WHERE name = @old_domain_login) -- Case when sysusers.name has the prefix of the domain name and it exists in sysxlogins -- Nothing needs to be done as this is a global user account or group and the SIDs are same. PRINT'' ELSE BEGIN -- Case when sysusers.name has the prefix of the domain name and it does not exist -- in sysxlogins, first try granting the user account or group access to SQL Server EXEC @ret_val = sp_grantlogin @old_domain_login IF ( @ret_val = 0 ) BEGIN UPDATE sysusers SET name = @old_domain_login, sid = ( SELECT sid from master..sysxlogins WHERE name = @old_domain_login ) WHERE name = @sysusers_name INSERT INTO #t_created_logins VALUES(@old_domain_login) PRINT'' END ELSE IF (@ret_val = 1) BEGIN -- If granting access for the global user account or group to SQL server fails, output a message -- to the user to do it explicitly as it may not be there in rhe domain yet PRINT'MSG ***: Create this Windows NT user account or group on the domain.' PRINT'' END -- @ret_val = 1 END -- If the domain user account or group does not exist in sysxlogins END -- If the has_prefix_flag = 'T' ELSE IF (@has_prefix_flag = 'F') BEGIN -- Case when sysusers.name does not have the prefix and the user does not have an entry -- in sysxlogins. There is no way of knowing which user account or group this belongs to. -- Output a message asking to resolve the user by adding the user account or group -- at the Operating System level and then grant access to SQL Server. PRINT'MSG ***: Unable to resolve the user account or group :  + @sysusers_name + ' PRINT'MSG ***: Create a Windows NT user account or group for the above if it does not already exist.' PRINT'MSG ***: Grant this user account or group access to SQL Server using sp_grantlogin.' PRINT'' END

-- Case where sysusers.name has a prefix of the old domain name or it does not have a prefix -- But, the database has moved to a new domain IF ((@domains_different_flag = 'T') AND (@user_is_local_login = 'F')) BEGIN -- Case when sysusers.name exists in sysxlogins then map the SIDs and change -- the sysusers.name to reflect the new domain name. IF EXISTS ( SELECT sid FROM master..sysxlogins WHERE name = @new_domain_login ) BEGIN SELECT @sysxlogins_sid = sid FROM master..sysxlogins WHERE name = @new_domain_login UPDATE sysusers SET sid = @sysxlogins_sid, name = @new_domain_login WHERE name = @sysusers_name INSERT INTO #t_mapped_logins VALUES(@sysusers_name, @new_domain_login) END ELSE BEGIN IF (@has_prefix_flag = 'T') BEGIN -- Case when sysusers.name has a prefix of the old domain name, but it does not -- exist in the sysxlogins table, try granting the user account or group access to    -- SQL Server. EXEC @ret_val = sp_grantlogin @new_domain_login IF ( @ret_val = 0 ) BEGIN SELECT @sysxlogins_sid = sid FROM master..sysxlogins WHERE name = @new_domain_login UPDATE sysusers SET sid = @sysxlogins_sid, name = @new_domain_login WHERE name = @sysusers_name INSERT INTO #t_created_logins VALUES(@new_domain_login) PRINT'' END ELSE IF ( @ret_val = 1 ) -- If granting the user account or group access to SQL Server fails, give the ability -- for the user to create the user account or group and then grant to SQL Server. BEGIN PRINT'MSG ***: Could not find the global user account or group in the domain ' + @new_domain + '.' PRINT'MSG ***: Create this global user account or group on the new domain.' PRINT'' END -- ret_val = 1 END -- has_prefix_flag = 'T' END -- Else Clause for existence of the domain login in sysxlogins END -- The 'T' Flag END -- The count = 0

IF @sysxlogins_count > 1 BEGIN -- Case when the sysusers.name does not have any prefix and there are multiple logins -- for this user in the sysxlogins table. Example would be a local login and a global -- login with the same name. INSERT INTO #t_ambigous_logins SELECT name, @sysusers_name FROM master..sysxlogins WHERE name LIKE '%\' + @sysusers_name END -- IF COUNT > 1

END -- End the WHILE LOOP

-- Print the login mapping and login creation information IF EXISTS( SELECT 1 FROM #t_mapped_logins ) BEGIN DECLARE mapped_logins_cur CURSOR FOR SELECT sysusers_name, sysxlogins_name FROM #t_mapped_logins DECLARE @sqlstr varchar(1000), @var1 VARCHAR(400), @var2 VARCHAR(400)

PRINT'' PRINT'' PRINT'USER ACCOUNT OR GROUP MAPPING INFORMATION:' PRINT'-' OPEN mapped_logins_cur WHILE (1 = 1) BEGIN FETCH NEXT FROM mapped_logins_cur INTO @var1, @var2 IF(@@FETCH_STATUS <> 0) BEGIN DEALLOCATE mapped_logins_cur BREAK END SELECT @sqlstr = ' + RTRIM(@var1) + '+ ' is mapped to ' + ' + RTRIM(@var2) + ' PRINT @sqlstr END END

IF EXISTS( SELECT 1 FROM #t_created_logins ) BEGIN DECLARE created_logins_cur CURSOR FOR SELECT sysusers_name FROM #t_created_logins

PRINT'' PRINT'' PRINT'USER ACCOUNT OR GROUP GRANT AND MAPPING INFORMATION:' PRINT'---' OPEN created_logins_cur WHILE (1 = 1) BEGIN FETCH NEXT FROM created_logins_cur INTO @var1 IF(@@FETCH_STATUS <> 0) BEGIN DEALLOCATE created_logins_cur BREAK END SELECT @sqlstr = '+ @var1 + '+ ' is granted access to SQL Server and then mapped to sysxlogins' PRINT @sqlstr END END

IF EXISTS( SELECT 1 FROM #t_ambigous_logins ) BEGIN DECLARE ambigous_logins_cur CURSOR FOR SELECT RTRIM(sysusers_name), RTRIM(sysxlogins_name) FROM #t_ambigous_logins ORDER BY sysusers_name

PRINT'' PRINT'' PRINT'MULTIPLE LOGINS FOR EACH USER INFORMATION:' PRINT'-' OPEN ambigous_logins_cur WHILE (1 = 1) BEGIN FETCH NEXT FROM ambigous_logins_cur INTO @var1, @var2 IF(@@FETCH_STATUS <> 0) BEGIN DEALLOCATE ambigous_logins_cur BREAK END SELECT @sqlstr = 'Name in Sysusers is : ' + '+ @var1 + ' + ',  ' + 'Name in Sysxlogins is : ' + ' + @var2 + ' PRINT @sqlstr END

PRINT'' PRINT'' PRINT'RESOLVE MULTIPLE LOGINS INFORMATION:' PRINT'' DECLARE ambigous_logins_cur CURSOR FOR SELECT RTRIM(sysusers_name), RTRIM(sysxlogins_name) FROM #t_ambigous_logins ORDER BY sysusers_name OPEN ambigous_logins_cur WHILE (1 = 1) BEGIN FETCH NEXT FROM ambigous_logins_cur INTO @var1, @var2 IF(@@FETCH_STATUS <> 0) BEGIN DEALLOCATE ambigous_logins_cur BREAK END SELECT @sqlstr = 'exec sp_Prefix_SysusersName ' + ' + db_name + '+ ', ' + ' + @var1+ ' + ',  + @var2+ ' PRINT @sqlstr END END

PRINT'' PRINT'--' PRINT'MAPPING OF INTEGRATED LOGINS COMPLETED' PRINT'--'

SET NOCOUNT OFF

RETURN(1) -- End of Procedure sp_SidMap GO

IF EXISTS ( Select name from sysobjects where name = 'sp_Prefix_SysusersName') DROP PROCEDURE sp_Prefix_SysusersName

SET QUOTED_IDENTIFIER ON SET ANSI_NULLS ON GO

/****************************************************************/ PRINT 'Creating Stored Procedure: dbo.sp_Prefix_SysusersName' GO /****************************************************************/

CREATE PROCEDURE sp_Prefix_SysusersName @database_name      VARCHAR(123),  -- User specifies the database @old_sysusersname   VARCHAR(300),  -- User specifies the Old     sysusers.name @new_sysusersname   VARCHAR(300)         -- User specifies the New     Sysusers.name AS DECLARE @var varchar(500)

PRINT'************************************************' PRINT'This procedure is ONLY to be used in conjuntion with the sp_SidMap procedure that is referenced in Knowledge Base Article 240872' PRINT'' PRINT'This procedure updates the sysusers table to a new name when an old name and new name is specified' PRINT'************************************************' PRINT'' -- ERROR IF IN USER TRANSACTION -- IF @@trancount > 0 BEGIN RAISERROR(15289,-1,-1) RETURN (0) END -- Only an sa can run this procedure IF ((SELECT suser_id) <> 1) BEGIN PRINT 'Error: Only the sa may run sp_Prefix_SysusersName' RETURN(0) END IF (@database_name IS NULL) BEGIN PRINT 'Error: Pass the Database Name that was moved or restored, as the first parameter to the procedure' RETURN(0) END IF (@old_sysusersname IS NULL) BEGIN PRINT 'Error: Pass the Old Sysusers.name that has the problem, as the second parameter to the procedure' RETURN(0) END IF (@new_sysusersname IS NULL) BEGIN PRINT 'Error: Pass the New Sysusers.name to correct the problem, as the third parameter to the procedure' RETURN(0) END IF EXISTS( SELECT 1 FROM sysusers where name = @old_sysusersname ) BEGIN SELECT @var = 'UPDATE ' + @database_name + '..sysusers set name = ' + '+ @new_sysusersname + ' +' where name = ' + '+ @old_sysusersname + ' EXEC (@var) PRINT'Successfully updated the user from ' + ' + @old_sysusersname + ' + ' to ' + ' + @new_sysusersname + ' PRINT'' END ELSE BEGIN PRINT'MSG ***: The username ' + '+ @old_sysusersname + ' + ' does not exist in the database ' + ' + @database_name + ' PRINT'MSG ***: Make sure you specify the correct username.' END GO

SET QUOTED_IDENTIFIER OFF SET ANSI_NULLS ON GO

Keywords: kbdownload kbfile kbinfo KB298897

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.