What AD group logins does my user belong to?

What AD groups, from the list above, does my login belong to?

All you need to do is execute the following command:

EXEC xp_logininfo 'domain\useraccount','all';
GO

If the account does not have access via any group on that server, AND is a legit account in the domain, you will get no records returned. If the user is found to have permissions you can identify the group they have access from by checking the permission path. This will return the group domain\groupname that is giving the domain user access.


To answer your specific question, the easiest way I've found to get a list of AD groups a user belongs to (from SQL Server) is to use sys.login_token or sys.user_token.

You will have to use EXECUTE AS LOGIN = just like you did above, but once you are impersonating the login you can query sys.login_token to get a list of groups the login belongs to. This includes any server-level roles and all of the AD groups. There is a principal_id column that links to the sys.server_principals system view. It will be filled in for all of the server roles and for any AD groups that have an entry in sys.server_principals.

To get more database-specific information, you can go to the database you are interested in and use sys.user_token to get a list of roles/AD groups associated with that database. In this case principal_id is associated with sys.database_principals.
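
The impersonation approach described in the answer above, written out as an added example (not part of the original answer). The login CONTOSO\jdoe is a constructed placeholder, and the caller is assumed to hold IMPERSONATE permission on that login or be a sysadmin.

```sql
-- Added example: list the server roles and AD groups in a login's token.
-- 'CONTOSO\jdoe' is a constructed placeholder; substitute the login to audit.
EXECUTE AS LOGIN = N'CONTOSO\jdoe';

-- Confirm the security context actually switched before trusting the output.
SELECT ORIGINAL_LOGIN() AS original_login,
       SUSER_SNAME()    AS impersonated_login;

SELECT
    lt.name  AS token_name,
    lt.type  AS token_type,       -- WINDOWS GROUP or SERVER ROLE
    lt.usage AS token_usage,      -- 'DENY ONLY' entries can only restrict access
    sp.name  AS server_principal, -- NULL when the group has no login on this server
    CASE WHEN sp.principal_id IS NULL THEN 0 ELSE 1 END AS has_server_login
FROM sys.login_token AS lt
LEFT JOIN sys.server_principals AS sp
    ON sp.principal_id = lt.principal_id
WHERE lt.type IN (N'WINDOWS GROUP', N'SERVER ROLE')
ORDER BY has_server_login DESC, lt.type, lt.name;

-- Always drop the impersonated context when finished.
REVERT;
```

Rows with has_server_login = 1 are the groups and roles that can carry server-level permissions for this login. The remaining rows are AD memberships that SQL Server sees in the token but that have no entry in sys.server_principals.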


If I understood correctly, you can get this done with the help of xp_logininfo, which returns information about Windows users and Windows groups.

Say, by simply executing:

EXEC xp_logininfo 'mycompany\HThorne'

Otherwise you can use the query below, which I have been using from my repository. I'm not sure where I got it :), but it can still be helpful:

-- Server-level permissions and server role memberships, one row per grant or membership
;with ServerPermsAndRoles as
(
    select
        spr.name as principal_name,
        spr.type_desc as principal_type,
        spm.permission_name collate SQL_Latin1_General_CP1_CI_AS as security_entity,
        'permission' as security_type,
        spm.state_desc
    from sys.server_principals spr
    inner join sys.server_permissions spm
    on spr.principal_id = spm.grantee_principal_id
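    -- S = SQL login, U = Windows login (Windows groups are type G and are not included);
    -- uppercase so the filter also matches on case-sensitive server collations
    where spr.type in ('S', 'U')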

    union all

    select
        sp.name as principal_name,
        sp.type_desc as principal_type,
        spr.name as security_entity,
        'role membership' as security_type,
        null as state_desc
    from sys.server_principals sp
    inner join sys.server_role_members srm
    on sp.principal_id = srm.member_principal_id
    inner join sys.server_principals spr
    on srm.role_principal_id = spr.principal_id
    -- same principal filter as above, uppercase for case-sensitive collations
    where sp.type in ('S', 'U')
)
select *
from ServerPermsAndRoles
order by principal_name