Getting Active Directory Groups in T-SQL, Part 2

Home » SQL and Databases » Getting Active Directory Groups in T-SQL, Part 2
Photograph of a SSD Drive Array

Following on from my recent post on the subject, I was unhappy with the conclusion of that post, because while I was offering many ways to solve the problem, I wasn’t happy with the code. Connecting to a database should be simple? Well to be fair to Sql/Server it is, but there are numerous ways to work out if a user is in a role, particularly if AD groups are being used as well.

It turns out that the T-SQL function IS_ROLEMEMBER is a pretty good solution apart from one circumstance – that is if the user is also a member of a server role as well, in which case it will return 0 when the user is actually in the role (see the IS_ROLEMEMBER erroneously returns 0 for database role members for further details).

So a solution might be to say something like:

However if you have a lot of roles to check this might be slow and we want user logins to be as fast as possible. Right?

The other alternative I found was to use a query on sys.database_principals, something like this:

You can always add U.name = ‘myuser’ in the where clause.

Thats it, I’m just about done with user authorisation in SQL/server for now. I’ve personally posted about 6 ways to do it. As most of my development is web, this is not something I come across very often. Despite the previous post I am going with one of these two methods for now.

About Phil

I have been working as a software developer since 1983. This blog could have been called "From Fortran 77, C and Cobol to C# in 20 (not so) easy years", but it doesn't sound quite right somehow. Besides I'm talking about what's happened since 2003, not before!

Leave a Reply

Your email address will not be published.


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">




Top Posts & Pages

Categories

Recent Posts

Recent Comments

Archives

Blogroll

  • Mike Cohn's Blog
  • Scott Hanselman's Blog
- mike@mountaingoatsoftware.com

In an ideal world, a Scrum team could perform the work of its sprints entirely uninterrupted. Produc [...]

- mike@mountaingoatsoftware.com

Do Scrum long enough and someone will suggest stopping the daily scrums. Here’s how to reply. [...]

- mike@mountaingoatsoftware.com

When estimating in story points, teams should think in terms of ranges and rounding up. Here’s why. [...]

- mike@mountaingoatsoftware.com

Batman would make the perfect Scrum Master. Once he eliminates crime in Gotham City, I plan on offer [...]

- mike@mountaingoatsoftware.com

It can sometimes be a challenge to get people to attend and then participate in sprint reviews. Here [...]

- Scott Hanselman

I love everything about PICO-8. It's a fantasy gaming console that wants you - and the kids in [...]

- Scott Hanselman

I've been a remote worker and an occasional YouTuber for well over a decade. I'm always lo [...]

- Scott Hanselman

I love me some text mode. ASCII, ANSI, VT100. Keep your 3D accelerated ray traced graphics and give [...]

- Scott Hanselman

Being able to seamlessly run Linux on Windows is making a bunch of common development tasks easier. [...]

- Scott Hanselman

I've been trying on and off to enjoy Ruby on Rails development on Windows for many years. I was [...]

Meta