Posted by Erland Sommarskog on 05/08/07 22:16
Larry Bertolini (bertolini.1@osu.edu) writes:
> Have created a login, that has fixed server role "securityadmin".
> The login can create/drop logins, add/remove them as users in
> databases, etc.
>
> The login can change another login's password, using SQL
> from a query window (e.g. alter login bob with password='abc')
>
> However, the login *cannot* change another login's password,
> using SSMS GUI (e.g. "Security", "Logins", double-click "Bob",
> change password, say "OK"). The error text is:
>
> Change password failed for Login 'Bob'. (Microsoft.SqlServer.Smo)

A great thing with Mgmt Studio is that you can always script actions.
Press the Script button, and you can get a query window with the
T-SQL command that Mgmt Studio would generate if you were to press OK.

In this case you will see that the generated command includes the
OLD_PASSWORD clause. And if you supply the correct old password
for the user, it works.

I'm a little puzzled, because Books Online says:

   If the login is a member of the sysadmin fixed server role or a grantee
   of CONTROL SERVER permission, also requires CONTROL SERVER permission
   when making the following changes:

   o Resetting the password without supplying the old password.

But very apparently ALTER ANY LOGIN (which is what securityadmin maps to)
is sufficient to change the password.

So it seems that Books Online is wrong, but the Tools group were naïve
enough to believe it.

--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
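
The two ALTER LOGIN forms discussed in this thread, as an added T-SQL example that is not part of the original posts. It is meant to be run as a sysadmin on a test instance; the login names and passwords are constructed, and the last query is an added check listing who holds the securityadmin membership or the server permissions named above.

```sql
-- Added example: all login names and passwords below are constructed.
-- Run as sysadmin on a test instance.
CREATE LOGIN demo_secadmin WITH PASSWORD = 'Constructed-Pw-1!';
CREATE LOGIN demo_bob      WITH PASSWORD = 'Constructed-Pw-2!';
EXEC sp_addsrvrolemember @loginame = 'demo_secadmin', @rolename = 'securityadmin';
GO

-- Act as the securityadmin member from the original question.
EXECUTE AS LOGIN = 'demo_secadmin';

-- What the impersonated login holds at server level.
SELECT IS_SRVROLEMEMBER('securityadmin')                AS is_securityadmin,
       HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN') AS has_alter_any_login,
       HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER')  AS has_control_server;

-- Form 1: reset without OLD_PASSWORD (what was typed in the query window).
ALTER LOGIN demo_bob WITH PASSWORD = 'Constructed-Pw-3!';

-- Form 2: with OLD_PASSWORD (the clause the reply says Mgmt Studio scripts).
-- It only succeeds when the old password supplied is the current one.
ALTER LOGIN demo_bob WITH PASSWORD = 'Constructed-Pw-4!'
                          OLD_PASSWORD = 'Constructed-Pw-3!';

REVERT;
GO

-- Audit: principals that are securityadmin members or hold an explicit
-- grant of ALTER ANY LOGIN / CONTROL SERVER.
SELECT p.name AS principal_name, 'securityadmin member' AS held_via
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'securityadmin'
UNION ALL
SELECT p.name, sp.permission_name
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name IN ('ALTER ANY LOGIN', 'CONTROL SERVER')
  AND sp.state IN ('G', 'W');   -- GRANT or GRANT WITH GRANT OPTION
GO

-- Clean up the constructed logins.
DROP LOGIN demo_bob;
DROP LOGIN demo_secadmin;
```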