This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 52%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
Hi!
After importing a database backup from MS SQL Server 2012 into MS SQL Server 2019 I quickly found out I was not able to login into it anymore.
In SSMS there is an appropriate entry (an AD user group) under Databases -> [database name] -> Security -> Users, and up till now this sufficed to be able to login.
However, it now seems necessary to also add an entry to Security -> Logins, and then map this entity to the database user. Anyway, that was the only way I could make it work.
So, I'm wondering:
Thank you for your time!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 2%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESX%3C/text%3E%3C/svg%3E)
Hi @kvdb ,
We have not received a response from you. Did the reply could help you? If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. By doing so, it will benefit all community members who are having this similar issue. Your contribution is highly appreciated.
Best regards,
Seeya
Tom has already answered the important points. I just like to cover the last question:
If the answer to question 1 is yes, then what is the use of being able to add a database user / group from a domain?
Keep in mind that a user can have access to the instance from one or more AD groups. But then the user or an AD group may need specific permissions in a database, and therefore you may need to add the user on this level, although the user has no login of its own.
Thanks for your explanation!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 1%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETP%3C/text%3E%3C/svg%3E)
Yes, unless your login is a sysadmin, you must map a server "login" to a database "user".
This has not changed in SQL 2019. This has always been a requirement for non-sysadmin users.
The user information is stored in the database. Therefore, when you remove or restore a database, that information is lost and must be recreated.
Thanks for your answer!
You mentioned that the 'user information is stored in the database' and also that this has not changed after SQL 2012? Do you you mean by this that a user mapping should be present in the original Security -> Logins view in SSMS for SQL Server 2012? That is not the case, but login just works! Or is this data somehow 'hidden' in SSMS 2012 and should I look elsewhere for it?
It's not that I don't see the logic or that I absolutely refuse to make these mappings :), but I just wonder why they didn't seem necessary before.
You mentioned that the 'user information is stored in the database' and also that this has not changed after SQL 2012?
There is no difference between SQL 2012 and SQL 2019 how the user mapping is stored. Possibly, there are differences between SSMS 2012 and SSMS 18.10 displays the information, but I would not expect so. However, I can't vouch for it, because I never look in SSMS for this kind of thing. I look in sys.database_principals directly. Or I may do:
EXECUTE AS USER = 'DOMAIN\User'
go
SELECT * FROM sys.user_token
go
REVERT
To see which tokens that are associated with the user. The access may come from a group the user is member of.
As I discussed, given that users can belong to roles and AD groups, it can be quite complex to derive how a certain user has access.
Thanks again! It is indeed complicated. I'm comparing the contents of sys.database_principals from both the original 2012 database with the new 2019 database. They seem rather alike, but I'm going to have a better look.
Since you restored the database from one instance to another, I would expect the contents to be the same, and if you want to compare differences, you also need to look at sys.server_principals who hold the logins on server level.
Also, observe that the mapping between sys.server_principals and sys.database_principals is on the SID column, not the name! For a Windows login, they should be the same on the two servers. For an SQL login they are only the same, if you actively have set them up that way.
The contents of both instances of sys.database_principals are a perfect match (fortunately only 27 records). This seems logical as well, because the SQL 2019 database is an import of a .bak file of the 2012 database.
So if sys.database_principals contains the user mappping [user_name] -> [sid], then login should have worked right away, right?
But keep in mind that sys.server_principals is likely to be different. That data lives in the master database, and not part of the backup you copied.
Do you mean that the data in sys.server_principals should include / reflect what is listed under Security -> Logins?
I checked out the instances of sys.server_principals of the SQL 2012 and SQL 2019 servers. I did not find in the 2012 instance any login mapped to a database user that was not mapped already. So, the logins that supposedly are mapped to some database users (with external access) are still unaccounted for.
Is there a way to find out which login is mapped to a database user, other than looking at Security -> Logins or sys.server_principals?
Thanks again for your time, much appreciated!
Hi @kvdb ,
Welcome to Microsoft Q&A!
Yes. Agree with Tom.
I also want to add the third point:
https://www.sqlshack.com/sql-server-logins-users-security-identifiers-sids/
Best regards,
Seeya
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks for the background info!
Do you mean that the data in sys.server_principals should include / reflect what is listed under Security -> Logins?
Rather the other way round. What you see in Security -> Logins should come from sys.server_principals.
Is there a way to find out which login is mapped to a database user, other than looking at Security -> Logins or sys.server_principals?
Run this in your database. Add columns as needed:
SELECT sp.name AS LoginName, sp.principal_id AS Server_principal_id, sp.SID, sp.type_desc AS login_type,
dp.name AS UserName, dp.principal_id AS Database_principal_id, dp.type_desc AS user_type
FROM sys.server_principals sp
FULL JOIN sys.database_principals dp ON dp.sid = sp.sid
NULLS to the left -> Only in database. NULLS to the right -> only in server.
Thanks! I executed this on both the 2012 en 2019 databases.
The output merely confirms what I mentioned in my OP and my comparison of sys.database_principals and sys.server_principals : None of the database users which are domain users have been mapped to a login (NULL's to the left). These users can login into the 2012 database, but not into the 2019 database.
So, in order to make login into the 2019 database possible, a mapping with a login is necessary. For this I used a domain group which includes all domain users that are database users and for which I set minimal permissions. This way users with different database permissions have the appropriate access.
It remains a mystery to me why login into the 2012 database worked without user mapping...
And the set of rows are the same in sys.server_principals on both instances?
By the way, what does the column authentication_type_desc in sys.server_principals say for these users?
Yes, you can ignore the ## names.
Yes, I meant sys.database_principals, but I think my question was flawed anyway. By chance, is this a partially contained database? You would see this in the containment_desc column in sys.databases.