Hello, I will be the first to admit I am no expert. Especially when it comes to security.
Tried to run
ALTER LOGIN [OurOldDomain\OurGroup] DISABLE;
and received the message

Disable Login. failed for Login 'OurOldDomain\OurGroup'. (Microsoft.SqlServer.Smo)
------------------------------
ADDITIONAL INFORMATION:
An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
------------------------------
Cannot alter the login 'OurOldDomain\OurGroup', because it does not exist or you do not have permission. (Microsoft SQL Server, Error: 15151)

Now I am a sysadmin. (I even checked that this morning.) So why can I not execute this? (I also tried through SSMS GUI). There are several groups I would like to disable as we changed to a new domain, but I cannot disable them.
You cannot use ALTER LOGIN with the DISABLE argument to deny access to a Windows group. For example, ALTER LOGIN [domain\group] DISABLE will return the following error message: "Msg 15151, Level 16, State 1, Line 1: Cannot alter the login 'Domain\Group', because it does not exist or you do not have permission." This is by design.
Thank you. Oh, joy. So I leave a security hole until it is decided I can drop them.
This is actually not a problem as I was just trying to do housekeeping while I had time. We have only been on the new domain for about a month and some accounts are still being used from the old domain. We are a small shop with so many high-priority requests, we prioritize them. To that end we have "fire of the day".
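
Added example, not part of the original thread: since DISABLE is rejected for Windows group logins, a group can instead be blocked from connecting with DENY CONNECT SQL until the login is dropped. The script below assumes the retired domain is named OurOldDomain (the name used in the question); the variable names and the review/execute switch are illustrative.

```sql
-- Added example: block Windows *group* logins from a retired domain.
-- Assumption: the old domain's name is 'OurOldDomain' (taken from the post).
SET NOCOUNT ON;

DECLARE @OldDomain sysname = N'OurOldDomain';
DECLARE @Execute   bit     = 0;   -- 0 = print statements for review, 1 = run them
DECLARE @name sysname, @sql nvarchar(400);

-- Windows groups are type 'G' in sys.server_principals.
-- '_' is a LIKE wildcard, so it is bracketed in case the domain name contains one.
DECLARE grp CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.server_principals
    WHERE type = 'G'
      AND name LIKE REPLACE(@OldDomain, N'_', N'[_]') + N'\%';

OPEN grp;
FETCH NEXT FROM grp INTO @name;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME brackets the login name safely for dynamic SQL.
    SET @sql = N'DENY CONNECT SQL TO ' + QUOTENAME(@name) + N';';
    IF @Execute = 1
        EXEC sys.sp_executesql @sql;
    ELSE
        PRINT @sql;
    FETCH NEXT FROM grp INTO @name;
END
CLOSE grp;
DEALLOCATE grp;

-- Verify: list each old-domain group and its CONNECT SQL state (GRANT or DENY).
SELECT p.name,
       p.type_desc,
       ISNULL(perm.state_desc, N'(no explicit entry)') AS connect_sql_state
FROM sys.server_principals AS p
LEFT JOIN sys.server_permissions AS perm
       ON perm.grantee_principal_id = p.principal_id
      AND perm.class = 100                      -- server-level permission
      AND perm.permission_name = N'CONNECT SQL'
WHERE p.type = 'G'
  AND p.name LIKE REPLACE(@OldDomain, N'_', N'[_]') + N'\%'
ORDER BY p.name;
```

A DENY takes precedence over a grant the same account receives through another group or login, so check which old-domain accounts are still in use before setting @Execute to 1. Running GRANT CONNECT SQL TO the same login reverses the change.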