Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SqlRole: User 'sa' is not allowed to be dropped from role sysadmin #550

Closed
Chiliyago opened this issue May 11, 2017 · 2 comments · Fixed by #1631
Closed

SqlRole: User 'sa' is not allowed to be dropped from role sysadmin #550

Chiliyago opened this issue May 11, 2017 · 2 comments · Fixed by #1631
Labels
enhancement The issue is an enhancement request.

Comments

@Chiliyago
Copy link

Details of the scenario you tried and the problem that is occurring:
I have the following 2 DSC Resource statements one works and the other does not. The first successfully adds the account to the securityadmin SQL role and the second fails to add the same account to the sysadmin SQL role.

`
The DSC configuration that is using the resource (as detailed as possible):

xSQLServerRole Set_securityadmin_Roles4_FarmSetup{

    Members = @($FarmSetupCredential.UserName)
    SQLServer = $SqlServerName
    SQLInstanceName = $SqlInstanceName
    ServerRoleName = "securityadmin"
    Ensure = "Present"
}
xSQLServerRole Set_sysadmin_Roles4_FarmSetup{

    Members = @($FarmSetupCredential.UserName)
    SQLServer = $SqlServerName
    SQLInstanceName = $SqlInstanceName
    ServerRoleName = "sysadmin"
    Ensure = "Present"
}

Error Message for Set_sysadmin_Roles4_FarmSetup

PowerShell DSC resource MSFT_xSQLServerRole  failed to execute Set-TargetResource functionality with error message: Failed to drop member sa to the 
server role named sysadmin on SP-SQL1\MSSQLSERVER. InnerException: Exception calling "DropMember" with "1" argument(s): "Drop member failed for 
ServerRole 'sysadmin'. " 
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : SP-SQL1

Version of the Operating System, SQL Server and PowerShell the DSC Target Node is running:
I am using SQL 2016 on Windows Server 2012 R2

What module (SqlServer or SQLPS) and which version of the module the DSC Target Node is running:

xSQLServerRole v 7.0.0.0

Version of the DSC module you're using, or 'dev' if you're using current dev branch:
SQLServer 7.0.0.0
@johlju
Copy link
Member

johlju commented May 12, 2017

This is by design by SQL Server (it seems). When using parameter Members it will replace all members with those that is assigned to Members. For sysadmin role this does not work since SQL Server does not allow user 'sa' to be dropped.
Use parameter MembersToInclude to add the members you want, and still keep those already present in the role.

We could add a note to the resource description that this is the case.

@johlju johlju added enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community. labels May 12, 2017
@johlju johlju changed the title xSQLServerRole fails for sysadmin xSQLServerRole: User 'sa' is not allowed to be dropped form role sysadmin May 12, 2017
@johlju johlju changed the title xSQLServerRole: User 'sa' is not allowed to be dropped form role sysadmin xSQLServerRole: User 'sa' is not allowed to be dropped from role sysadmin May 12, 2017
@johlju johlju changed the title xSQLServerRole: User 'sa' is not allowed to be dropped from role sysadmin SqlServerRole: User 'sa' is not allowed to be dropped from role sysadmin Dec 24, 2017
@SteveL-MSFT SteveL-MSFT added this to Help Wanted in powershell/dscresources May 14, 2019
@SteveL-MSFT SteveL-MSFT removed this from Help Wanted in powershell/dscresources Nov 27, 2019
@johlju johlju changed the title SqlServerRole: User 'sa' is not allowed to be dropped from role sysadmin SqlRole: User 'sa' is not allowed to be dropped from role sysadmin Jul 10, 2020
@Fiander
Copy link
Contributor

Fiander commented Oct 2, 2020

Working on this one.

@Fiander Fiander mentioned this issue Oct 6, 2020
Closed
9 tasks
@johlju johlju added in progress The issue is being actively worked on by someone. and removed help wanted The issue is up for grabs for anyone in the community. labels Oct 7, 2020
@Fiander Fiander mentioned this issue Nov 16, 2020
Merged
9 tasks
johlju pushed a commit that referenced this issue Nov 21, 2020
@Fiander
BREAKING CHANGE: SqlRole: Resource overhaul for tests (#1631)
c7146f9 
- SqlRole
  - Major overhaul of resource
  - BREAKING CHANGE: Removed decision making from get-TargetResource; this prevented a simple solution for
    issue #550. it now just tels if a role exists or not. And what members are in that 
    role. MembersToInclude and MembersToExclude now always return $null
  - Added sanitize function (Get-CorrectedMemberParameters) to make it so for the
    sysadmin role SA does not get altered (issue #550)
  - added lots of tests.
@johlju johlju removed the in progress The issue is being actively worked on by someone. label Nov 21, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement The issue is an enhancement request.
Projects
None yet
Milestone
No milestone
3 participants
@Chiliyago @johlju @Fiander