Monday, February 20, 2012

Orphaned Users - Spreading

Came into work this morning and found several database on different servers
had orphaned DBO users.
We can fix using sp_changedbowner, but I'm more concerned with HOW this is
happening.
We have serveral database servers, and over 100 databases.
Scripting a solution per server isnt a problem - but I dont want to find out
some virus-type script is running through the servers.
Has anyone else had any similar issues ?
There are no database restores bring carried out - these are mainly stable
working production servers.
There only two boxes (a development and production box) that has so far
escaped any issues.
Machines that are not in the domain are also being effected.
All machines run on non-standard ports (not 1433) - but most servers can see
each other (for replication etc).
The main account to be orphaned at the moment is the DBO one, but there have
been another couple without consistancy..
Any help/comments appreciated
TIA
JonathanA likely cause is that the databases were owned by Windows accounts that
were removed. This will cause the database owner SID to be invalid.
Hope this helps.
Dan Guzman
SQL Server MVP
"Jonathan Christie" <jonathan.christie@.ed-coll.ac.uk> wrote in message
news:%23wEVcxXbEHA.3476@.tk2msftngp13.phx.gbl...
> Came into work this morning and found several database on different
servers
> had orphaned DBO users.
> We can fix using sp_changedbowner, but I'm more concerned with HOW this is
> happening.
> We have serveral database servers, and over 100 databases.
> Scripting a solution per server isnt a problem - but I dont want to find
out
> some virus-type script is running through the servers.
> Has anyone else had any similar issues ?
> There are no database restores bring carried out - these are mainly stable
> working production servers.
> There only two boxes (a development and production box) that has so far
> escaped any issues.
> Machines that are not in the domain are also being effected.
> All machines run on non-standard ports (not 1433) - but most servers can
see
> each other (for replication etc).
> The main account to be orphaned at the moment is the DBO one, but there
have
> been another couple without consistancy..
> Any help/comments appreciated
> TIA
> Jonathan
>|||Hi Dan
I agree - and I would spot these ones.
However, these are all the dbo users /sa logins
All maintained/created under my own account - which hasn't been removed ;)
It is a bit worrying that it has spread over the last few days - almost
virus like.
Thanks anyway
J
"Dan Guzman" <danguzman@.nospam-earthlink.net> wrote in message
news:%23kYRzPZbEHA.1292@.TK2MSFTNGP11.phx.gbl...
> A likely cause is that the databases were owned by Windows accounts that
> were removed. This will cause the database owner SID to be invalid.
> --
> Hope this helps.
> Dan Guzman
> SQL Server MVP
> "Jonathan Christie" <jonathan.christie@.ed-coll.ac.uk> wrote in message
> news:%23wEVcxXbEHA.3476@.tk2msftngp13.phx.gbl...
> servers
is[vbcol=seagreen]
> out
stable[vbcol=seagreen]
> see
> have
>|||Was there a restore done over the weekend?
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.|||> However, these are all the dbo users /sa logins
I'm not sure what you mean by this. You may experience problems with the
'dbo' user in the following cases.
1) The sid in sysdatabases doesn't match the 'dbo' user sid in sysusers.
These should be the same.
2) The sid in sysdatabases (or sysusers) is invalid (SUSER_SNAME(sid)
returns NULL).
A restore can cause #1 and perhaps #2 and is probably why Kevin mentioned
this in his response. Deleting the owner's account can cause #2.
sp_changedbowner can fix the problem in either case.

> It is a bit worrying that it has spread over the last few days - almost
> virus like.
I'm not aware of any malicious code that deliberately orphans database
owners. This seems like a strange thing to do since code that exploits a
vulnerability that allows system tables to be hacked would presumably do a
lot more.
Hope this helps.
Dan Guzman
SQL Server MVP
"Jonathan Christie" <jonathan.christie@.ed-coll.ac.uk> wrote in message
news:Okmt1ZZbEHA.1656@.TK2MSFTNGP09.phx.gbl...
> Hi Dan
> I agree - and I would spot these ones.
> However, these are all the dbo users /sa logins
> All maintained/created under my own account - which hasn't been removed ;)
> It is a bit worrying that it has spread over the last few days - almost
> virus like.
> Thanks anyway
> J
>
>
> "Dan Guzman" <danguzman@.nospam-earthlink.net> wrote in message
> news:%23kYRzPZbEHA.1292@.TK2MSFTNGP11.phx.gbl...
this[vbcol=seagreen]
> is
find[vbcol=seagreen]
> stable
far[vbcol=seagreen]
can[vbcol=seagreen]
there[vbcol=seagreen]
>

No comments:

Post a Comment