SQLTeam.com | Weblogs | Forums

Unable to disable group

sql2008r2

#1

Hello, I will be the first to admit I am no expert. Especially when it comes to security.

Tried to run

ALTER LOGIN [OurOldDomain\OurGroup] DISABLE;

and received the message
Disable Login. failed for Login 'OurOldDomain\OurGroup'. (Microsoft.SqlServer.Smo)
------------------------------
ADDITIONAL INFORMATION:
An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
------------------------------
Cannot alter the login 'OurOldDomain\OurGroup', because it does not exist or you do not have permission. (Microsoft SQL Server, Error: 15151)

Now I am a sysadmin. (I even checked that this morning.) So why can I not execute this? (I also tried through the SSMS GUI.) There are several groups I would like to disable as we changed to a new domain, but I cannot disable them.


#2

Looks like that is a "feature". See here:

You cannot use ALTER_LOGIN with the DISABLE argument to deny access to a Windows group. For example, ALTER_LOGIN [domain\group] DISABLE will return the following error message:
"Msg 15151, Level 16, State 1, Line 1
"Cannot alter the login 'Domain\Group', because it does not exist or you do not have permission."
This is by design.


#3

Thank you. Oh, joy. So I leave a security hole until it is decided I can drop them. :grin:

This is actually not a problem as I was just trying to do housekeeping while I had time. We have only been on the new domain for about a month and some accounts are still being used from the old domain. We are a small shop with so many high priority requests, we prioritize them. To that end we have "fire of the day".


#4

You could try DENYing that login CONNECT permission. That would greatly reduce what it could do on its own.
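
The DENY suggested in #4, applied to every Windows group login from the old domain, as an added T-SQL example that is not code from any poster in this thread. It assumes the domain name 'OurOldDomain' from post #1; `@WhatIf` is a hypothetical switch for this script that prints the statements instead of running them.

```sql
-- Added example; written to run on SQL Server 2008 R2 (no STRING_AGG etc.).
DECLARE @Domain sysname = N'OurOldDomain';   -- assumption: domain name from post #1
DECLARE @WhatIf bit     = 1;                 -- 1 = print only, 0 = execute
DECLARE @name sysname, @sql nvarchar(400);

DECLARE grp CURSOR LOCAL FAST_FORWARD FOR
    SELECT p.name
    FROM sys.server_principals AS p
    WHERE p.type = 'G'                                   -- Windows group logins
      AND LEFT(p.name, LEN(@Domain) + 1) = @Domain + N'\'
      AND NOT EXISTS (                                   -- skip groups already denied
            SELECT 1
            FROM sys.server_permissions AS sp
            WHERE sp.grantee_principal_id = p.principal_id
              AND sp.class = 100                         -- server-level permission
              AND sp.permission_name = N'CONNECT SQL'
              AND sp.state = 'D');

OPEN grp;
FETCH NEXT FROM grp INTO @name;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME brackets the login name so the backslash is handled safely.
    SET @sql = N'DENY CONNECT SQL TO ' + QUOTENAME(@name) + N';';
    IF @WhatIf = 1
        PRINT @sql;
    ELSE
        EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM grp INTO @name;
END
CLOSE grp;
DEALLOCATE grp;

-- Verify: each old-domain group should show DENY for CONNECT SQL after a real run.
SELECT p.name, sp.permission_name, sp.state_desc
FROM sys.server_principals AS p
LEFT JOIN sys.server_permissions AS sp
       ON sp.grantee_principal_id = p.principal_id
      AND sp.class = 100
      AND sp.permission_name = N'CONNECT SQL'
WHERE p.type = 'G'
  AND LEFT(p.name, LEN(@Domain) + 1) = @Domain + N'\'
ORDER BY p.name;
```

A DENY takes precedence over a GRANT, so old-domain accounts that are still in use and belong to one of these groups lose their connection rights as soon as the script runs with `@WhatIf = 0`. `REVOKE CONNECT SQL` followed by `GRANT CONNECT SQL` on the group reverses it.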