Issue with CREATE LOGIN

Question

Issue with CREATE LOGIN

MuditGupta 20

I have an issue with permission required for CREATE LOGIN .

I create a login, grant it securitylevel server role, db_securityadmin on master DB. Let's call it LoginA

LoginA is able to create new logins on the server ( ServerL)

But on other server ( ServerP), LoginA cannot create new logins. It can only create when I grant it db_onwer on master DB.

Both servers have same build. 15.0.4261.1

Only difference is ServerP & ServerL are in different domains. ServerP is in prod domain, ServerL is in lower domain.

What could be reason for this issue ?

0 comments

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Erland Sommarskog 134.7K MVP Volunteer Moderator

First, db_securityadmin is a database role, and not a server role, so membership in that role cannot give you rights to create logins. And same goes for db_owner. And you cannot add a login to db_owner, for that you need a database user.

Here is an example of what you should do:

USE master
go
CREATE LOGIN lakritstomte WITH PASSWORD = 'sdgsdfhdfharfhn'
go
ALTER SERVER ROLE securityadmin ADD MEMBER lakritstomte
go
EXECUTE AS LOGIN = 'lakritstomte'
go
CREATE LOGIN extralogin WITH PASSWORD = 'sfdgsdhfearhaerh'
go
REVERT
go
IF suser_id('extralogin') IS NOT NULL
   DROP LOGIN extralogin
go
DROP LOGIN lakritstomte

Note that this uses the server role securityadmin.

On the other hand, adding a user to db_owner, is not sufficient to create logins:

USE master
go
CREATE LOGIN lakritstomte WITH PASSWORD = 'sdgsdfhdfharfhn'
go
CREATE USER lakritstomte
ALTER ROLE db_owner ADD MEMBER lakritstomte
go
EXECUTE AS LOGIN = 'lakritstomte'
go
CREATE LOGIN extralogin WITH PASSWORD = 'sfdgsdhfearhaerh'
go
REVERT
go
IF suser_id('extralogin') IS NOT NULL
   DROP LOGIN extralogin
go
DROP USER lakritstomte
DROP LOGIN lakritstomte

MuditGupta 20 Reputation points

2023-03-31T01:42:57.7+00:00

Thanks @Erland Sommarskog !

Thanks for pointing me in correct direction.

Your script helped me in finding the root of the problem. I have a trigger on server to record all Create login statements. By granting db__datawriter to master db ( trigger records events in this database_), I am able to create logins.

I was using GUI to do this, and it was not showing full error message. When I used the script, it showed me trigger name in the error message.

Thanks!
Erland Sommarskog 134.7K Reputation points MVP Volunteer Moderator

2023-03-31T06:31:14.5966667+00:00

You could avoid this by adding EXECUTE AS LOGIN = 'somelogin' to the trigger. This login would have the required permission to write to the audit table. Note that when you use EXECUTE AS, SYSTEM_USER and similar functions will return the impersonated login. Use original_login() to get the actual user.

Share via

Issue with CREATE LOGIN

0 additional answers

Your answer