Getting Active Directory Groups in T-SQL, Part 2

Home » SQL and Databases » Getting Active Directory Groups in T-SQL, Part 2
Photograph of a SSD Drive Array

Following on from my recent post on the subject, I was unhappy with the conclusion of that post, because while I was offering many ways to solve the problem, I wasn’t happy with the code. Connecting to a database should be simple? Well to be fair to Sql/Server it is, but there are numerous ways to work out if a user is in a role, particularly if AD groups are being used as well.

It turns out that the T-SQL function IS_ROLEMEMBER is a pretty good solution apart from one circumstance – that is if the user is also a member of a server role as well, in which case it will return 0 when the user is actually in the role (see the IS_ROLEMEMBER erroneously returns 0 for database role members for further details).

So a solution might be to say something like:

However if you have a lot of roles to check this might be slow and we want user logins to be as fast as possible. Right?

The other alternative I found was to use a query on sys.database_principals, something like this:

You can always add U.name = ‘myuser’ in the where clause.

Thats it, I’m just about done with user authorisation in SQL/server for now. I’ve personally posted about 6 ways to do it. As most of my development is web, this is not something I come across very often. Despite the previous post I am going with one of these two methods for now.

About Phil

I have been working as a software developer since 1983. This blog could have been called "From Fortran 77, C and Cobol to C# in 20 (not so) easy years", but it doesn't sound quite right somehow. Besides I'm talking about what's happened since 2003, not before!

Leave a Reply

Your email address will not be published.


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">




Top Posts & Pages

Categories

Recent Posts

Recent Comments

Archives

Blogroll

  • Mike Cohn's Blog
  • Scott Hanselman's Blog
- mike@mountaingoatsoftware.com

Pervasive myths about agile get in the way of success. It’s time to bust six of those myths. [...]

- mike@mountaingoatsoftware.com

Agile teams strive to finish work in the same iteration in which its begun. Here’s why that is so im [...]

- mike@mountaingoatsoftware.com

I wrote 25 blog posts during 2018. In case you missed some of them, here are the most popular. [...]

- mike@mountaingoatsoftware.com

The iterative and incremental nature of agile makes an agile approach seemingly less compatible with [...]

- mike@mountaingoatsoftware.com

Velocity can be great for predicting how much a team can deliver in a given period. But it needs to [...]

- Scott Hanselman

I've been exploring nopCommerce. It's an open source e-commerce shopping cart. I spoke at [...]

- Scott Hanselman

The optical disc drive is giving out on my GoldStar 3DO machine. It's nearly 30 years old. I wa [...]

- Scott Hanselman

I've long blogged about the intersection of diabetes and technology. From the sad state of diab [...]

- Scott Hanselman

Back in the day, making a Minecraft mod was...challenging. It was a series of JAR files and Java hac [...]

- Scott Hanselman

I've been using ILMerge and various hacks to merge/squish executables together for well over 12 [...]

Meta