This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 76%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
I have a production server, SQLServer1, with a database Database1.
On the SQLServer1has an AD group, Contoso\ADGroup1.
Contoso\ADGroup1 is disabled on SQLServer1.
In Database1, Contoso\ADGroup1 has the database role of db_datareader and a custom database role of db_executeSP (this allows the execution of stored procedures AND view the definition).
I have a non-production server, SQLServer2. Database1 is often restored on SQLServer2
On the SQLServer2 has the Contoso\ADGroup1.
Contoso\ADGroup1 is enabled on SQLServer1.
Within SSMS, I can look at the properties of Contoso\ADGroup1 and see that it has permissions to Database1 and database roles of db_datareader and sp_executeSP.
When Contoso\User1, who is in the Contoso\ADGroup1, tries to look at tables or stored procedures on SQLServer2.Database1 they are not presented in SSMS.
I can open the properties of Contoso\User1, uncheck the Database1, save, open properties to Contoso\User1 and check Database1 and add roles db_datareader and sp_executeSP. It works fine.
Does anyone know why the disconnect after the restore? These are NOT SQL accounts with SIDs, they are AD groups and AD accounts... should be seamless unless.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 46%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi JohnsonMichael-4593,
How are things going on?
Did the answer help you?
Please feel free to let us know if you have any other question.
If you find any post in the thread is helpful, you could kindly accept it as answer.
Best Regards,
Amelia
To start somewhere, do this on the production box:
EXECUTE AS USER = 'Contoso\User1'
go
SELECT * FROM sys.tables
go
REVERT
What come closest at hand is that there is DENY in the mix. If you drop the user from the database and add it back, that DENY will no longer be there.