Applies to: SQL Server
Returns information about Windows users and Windows groups.
xp_logininfo [ [ @acctname = ] 'account_name' ] [ , [ @option = ] 'all' | 'members' ] [ , [ @privilege = ] 'variable_name' OUTPUT ]
[ @acctname = ] '@acctname'
The name of a Windows user or group granted access to SQL Server. @acctname is sysname, with a default of
NULL. If @acctname isn't specified, all Windows groups and Windows users that have been explicitly granted login permission are reported. @acctname must be fully qualified. For example,
[ @option = ] 'all' | 'members' ]
Specifies whether to report information about all permission paths for the account, or to report information about the members of the Windows group. @option is varchar(10), with a default of
all is specified, only the first permission path is displayed.
[ @privilege = ] 'variable_name' OUTPUT ]
An output parameter that returns the privilege level of the specified Windows account. @privilege is varchar(10), with a default of
'Not wanted'. The privilege level returned is user, admin, or null.
OUTPUT is specified, this option puts @privilege in the output parameter.
Return code values
0 (success) or
|Column name||Data type||Description|
|account name||sysname||Fully qualified Windows account name.|
|type||char(8)||Type of Windows account. Valid values are
|privilege||char(9)||Access privilege for SQL Server. Valid values are
|mapped login name||sysname||For user accounts that have user privilege, mapped login name shows the mapped login name that SQL Server tries to use when logging in with this account by using the mapped rules with the domain name added before it.|
|permission path||sysname||Group membership that allowed the account access.|
If @acctname is specified,
xp_logininfo reports the highest privilege level of the specified Windows user or group. If a Windows user has access as both a system administrator and as a domain user, it's reported as a system administrator. If the user is a member of multiple Windows groups of equal privilege level, only the group that was first granted access to SQL Server is reported.
If @acctname is a valid Windows user or group that isn't associated with a SQL Server login, an empty result set is returned. If @acctname can't be identified as a valid Windows user or group, an error message is returned.
If @acctname and
all are specified, all permission paths for the Windows user or group are returned. If @acctname is a member of multiple groups, all of which have been granted access to SQL Server, multiple rows are returned. The
admin privilege rows are returned before the
user privilege rows, and within a privilege level, rows are returned in the order in which the corresponding SQL Server logins were created.
If @acctname and
members are specified, a list of the next-level members of the group is returned. If @acctname is a local group, the listing can include local users, domain users, and groups. If @acctname is a domain account, the list is made up of domain users. SQL Server must connect to the domain controller to retrieve group membership information. If the server can't contact the domain controller, no information is returned.
xp_logininfo only returns information from Active Directory global groups, not universal groups.
Requires membership in the sysadmin fixed server role or membership in the public fixed database role in the
master database with EXECUTE permission granted.
The following example displays information about the
BUILTIN\Administrators Windows group.
EXEC xp_logininfo 'BUILTIN\Administrators';