Database security is one of the significant concerns for most DBAs. DBAs frequently restore or backup the database, this is a very common scenario, But the thing is after successfully restoring a new version of your database, you want to remove the current users. Probably you thought of just expanding the user node and deleting the desire user; in that sense you are somewhat correct. But if you face an error like:
Msg 15421, Level 16, State 1, Line 1
The database principal owns a database role and cannot be dropped.
What will you do?
Microsoft SQL Server provides quite a lot of ways to maintain the security of database. This article is not about the security of Microsoft SQL server.
In this article, I will try to explain how to resolve the following issues:
- The database principal owns a database role and cannot be dropped.
- The database principal owns a schema and cannot be dropped.
I try to categorize into two sections, section-A; we will discuss to find out the list of roles in which the user exists and the section-B; we will discuss how to resolve it.
In this section, our primary goal is to find out the list of existing roles of our target database. For this purpose, we use a simple transact-SQL with the help of SQL Server
SYS.DATABASE_PRINCIPALS table. A sample SQL script and the required step(s) are listed below:
- Open SQL Server Management Studio and login as an admin user.
- Select the database, set the user name & execute the following transact-SQL for getting the database role and user detail.
Sample SQL Script
SELECT DBPRINCIPAL_1.NAME AS ROLE, DBPRINCIPAL_1.NAME AS OWNER
FROM SYS.DATABASE_PRINCIPALS AS DBPRINCIPAL_1 INNER JOIN
SYS.DATABASE_PRINCIPALS AS DBPRINCIPAL_2
ON DBPRINCIPAL_1.PRINCIPAL_ID = DBPRINCIPAL_2.OWNING_PRINCIPAL_ID
WHERE (DBPRINCIPAL_1.NAME = 'User Name To Remove')
The above transact-SQL returns a list of roles in which the user exists.
More information on "
SYS.DATABASE_PRINCIPALS " table can be found at this link.
I think this is not a very intricate task, let’s start, your SQL Server Management Studio is open and you are logged in as an admin user i.e., “sa”.
From the section-A we already get the list, now the task is to remove the desired user. To do this, we need to follow the step(s) listed below:
- Now expand Databases node from object explorer.
- Select the target Database >>---> Security >>--> Roles >>--> Database Roles.
- Now double click the entries that were listed in the output of the above SQL command.
- Change the “Owner” to some temp username.
- If the username you want to delete appears in the dialog box, select and remove it from there too.
(Do this for all the Roles that came up in the above SQL query.)
- Navigate to Databases >>--> the target Database >>--> Security >>--> Schemas.
- Double-click to open “db_owner” and change the schema owner to dbo.
- Now go to: Databases >>--> Target Database >>--> Security >>--> Users.
- Right click the username you want to delete and click “Delete”, then click OK in the new dialog box that appears.
Note: You can also try the stored procedure
sp_dropuser after accomplishing the step(s) above except section-B step 4.
EXEC sp_dropuser 'User name'
I hope this might be helpful to you. Enjoy!
- 20th March, 2010: Initial post