I recently promoted a database from a SQL 2008 R2 development server into a SQL 2014 production server, keeping compatibility for the database as 2008R2.I also created the user AD group login with read/write access only using datareader/writer. The database was restored as a non contained database, so required both instance and database logins/users to be linked for access to be obtained, as per the norm.A user came down today to say that he has been able to create a new view in production, when he thought he shouldn't be allowed to.I carried out an investigation and found that an admin AD group was still defined within the database itself and was a member of dbowner for this particular database (a hang over from development!), however there was no associated login within the sys.syslogins view in master?!?So, my question is, how can what is effectively an orphaned user in a new environment still gain access to the database and carry out operations as the dbowner?Is this a "feature" in 2014 that I missed, or is there a more simple explanation?I have now removed the orphaned user in the database and removed it membership of the dbowner role for that database, so all is well... but just wanted to find out how this happened?Thanks a lot in advance...Haden
↧