Hi. We are using SQL Server 2005 64-bit on Windows Server 2003 R2 x64
Enterprise Edition. I have a really weird problem where I have people
out there who are placed in the db_owner, db_accessadmin, and
db_securityadmin roles in their database, and yet they are unable to
add new users to their databases, despite the fact that logins exist
for these users on the server. The reason is that when attempting to
add a new user in Management Studio, upon using the "Browse" option to
look at the logins, the complete list is not presented to them. In
fact, they only see a couple of logins or so (the server has hundreds
of logins). Also, if they try to type in the login name directly,
they get a "permission denied" error message. Since they cannot add
users to their databases, they have to call me and have me do it for
them.
I created a test, non-privileged, SQL-authenticated login to test
things for my own sake, and when logged in under the test account, I
saw the same behavior. I had db_owner role for a single test
database, and when I went to add users, the only server logins that
were displayed were my own (the test login in this case) and that of
sa. Further, when I queried the master.sys.syslogins view, I saw the
same thing, it only came back with the rows for myself and sa.
It appears that this is clearly a security problem, but I'm not sure
at what level to look. We never had this problem with SQL Server 2000
or earlier. Does anyone have any idea what I can do to allow my
db_owners to see all the server logins, and therefore be able to add
users to their databases as they see fit? I really do NOT want to
assign them to server-level security roles, for obvious reasons.
Thanks,
SkyGringo