SQL Server principal "dbo" does not exist, - sql-server-2008

I am getting the following error
Cannot execute as the database principal because the principal "dbo"
does not exist, this type of principal cannot be impersonated,
or you do not have permission.
I read about ALTER AUTHORIZATION, but I have no idea what database this is happening in. This error is getting spit out very frequently, and grows the error log by about 1GB every day.

I resolved this issue by setting the database owner. My database did not have any owner before this issue. Execute this command in your database to set the owner to the sysadmin account:
USE [YourDatabaseName]
EXEC sp_changedbowner 'sa'

Do it graphically.
Right-click the database --> Properties --> Files --> select database owner --> select [sa] --> OK

USE [<dbname>]
GO
sp_changedbowner '<user>' -- you can use 'sa' as a quick fix in databases with SQL authentication
KB913423 - You cannot run a statement or a module that includes the EXECUTE AS clause after you restore a database in SQL Server 2005

After restoring a database from SQL2016 to SQL2019, I had the same issue when I tried to access Database Diagrams. I had the correct database owner already, but the owner of Files was empty. Once I set that, it worked properly...

This may also happen when the database is a restore from a different SQL server or instance. In that case, the security principal 'dbo' in the database is not the same as the security principal on the SQL server on which the db was restored.
Don't ask me how I know this...

Another way of doing it:
ALTER AUTHORIZATION
ON DATABASE::[DatabaseName]
TO [A Suitable Login];

The selected answer and some of the others are all good. I just want to give a more pure-SQL explanation. It comes to the same solution, that there is no (valid) database owner.
The database owner account dbo, which is mentioned in the error, is always created with the database. So it seems strange that it doesn't exist, but you can check with two selects (or one, but let's keep it simple).
SELECT [name],[sid]
FROM [DB_NAME].[sys].[database_principals]
WHERE [name] = 'dbo'
which shows the SID of the dbo user in the DB_NAME database, and
SELECT [name],[sid]
FROM [sys].[syslogins]
to show all logins (and their SIDs) for this SQL Server instance. Notice I didn't write any db_name prefix; that's because every database has the same information in that view.
So in the case of the error above, there will not be a login with the SID that is assigned to the database's dbo user.
As explained above, that usually happens when restoring a database from another computer (where the database and dbo user were created by a different login). You can fix it by changing ownership to an existing login.
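
The two lookups above, combined into one instance-wide check for when you do not know which database raises the error (an added example, not code from any of the answers). It lists every online database whose recorded owner SID or internal dbo SID does not resolve to a login name, or where the two SIDs differ; the temp table #dbo_check and its column names are made up for this example.

```sql
-- Added example: find databases whose owner / dbo user is orphaned.
SET NOCOUNT ON;

CREATE TABLE #dbo_check (
    database_name sysname       NOT NULL,
    owner_sid     varbinary(85) NULL,  -- owner recorded in master (sys.databases)
    dbo_sid       varbinary(85) NULL   -- SID of the dbo user inside the database
);

DECLARE @db sysname, @sql nvarchar(max);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE';

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps unusual database names from breaking the dynamic SQL.
    SET @sql = N'INSERT INTO #dbo_check (database_name, owner_sid, dbo_sid)
        SELECT d.name, d.owner_sid, p.sid
        FROM sys.databases AS d
        LEFT JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS p
               ON p.name = N''dbo''
        WHERE d.name = @name;';
    BEGIN TRY
        EXEC sys.sp_executesql @sql, N'@name sysname', @name = @db;
    END TRY
    BEGIN CATCH
        -- For example a database the caller is not allowed to open.
        PRINT N'Skipped ' + @db + N': ' + ERROR_MESSAGE();
    END CATCH;
    FETCH NEXT FROM db_cursor INTO @db;
END;
CLOSE db_cursor;
DEALLOCATE db_cursor;

SELECT c.database_name,
       SUSER_SNAME(c.owner_sid) AS owner_login,  -- NULL = SID resolves to no login name
       SUSER_SNAME(c.dbo_sid)   AS dbo_login,    -- NULL = dbo user is orphaned
       CASE WHEN c.owner_sid <> c.dbo_sid THEN 1 ELSE 0 END AS sid_mismatch
FROM #dbo_check AS c
WHERE SUSER_SNAME(c.owner_sid) IS NULL
   OR SUSER_SNAME(c.dbo_sid) IS NULL
   OR c.owner_sid <> c.dbo_sid
ORDER BY c.database_name;

DROP TABLE #dbo_check;
```

Any database returned is a candidate for the ALTER AUTHORIZATION fix shown in the other answers.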

Under Security, add the principal as a "SQL user without login", make it own the schema with the same name as the principal and then in Membership make it db_owner.

I also had this error when I accidentally fed a database connection string to the read-only mirror, not the primary database, in an HA setup.

As the message said, you should set permission as owner to your user. So you can use the following:
ALTER AUTHORIZATION
ON DATABASE::[YourDBName]
TO [UserLogin];
Hope helpful!
Leave comment if it's ok for you.

In my case I got this error when trying to impersonate as another user. E.g.
EXEC AS USER = 'dbo';
And as the database was imported from another environment, some of its users did not match the SQL Server logins.
You can check if you have the same problem by running the (deprecated) sp_change_users_login (in "Report" mode), or use the following query:
select p.name,p.sid "sid in DB", (select serp.sid from sys.server_principals serp where serp.name = p.name) "sid in server"
from sys.database_principals p
where p.type in ('G','S','U')
and p.authentication_type = 1
and p.sid not in (select sid from sys.server_principals)
If that list shows the user you are trying to impersonate, then you can probably fix it by assigning the DB user to the proper login in your server. For instance:
ALTER USER dbo WITH LOGIN = dbo;

Go to the Properties - Files.
The owner name must be blank. Just put "sa" in the user name and the issue will be resolved.

Related

Access denied SSIS w/ Parameters via xp_cmdshell

I have searched up and down for a solution and cannot find anything that helps. Everything that I have tried doesn't seem to work.
I have two databases. I cannot modify Database A by adding a table or anything like that. I cannot enable cross-database access. I believe I can't use sp_start_job because I need to pass parameters. I was able to enable xp_cmdshell.
My Database Definition:
Database A
- Order table
Database B
- Email notification Table
What I need to do:
Any time an order is entered into Database A, I need to enter a row into Database B with values of the order. So I need to have parameters.
What I have tried:
- xp_cmdshell @query='DTEXEC /f "\\Server\Folder\SSIS Packages\Order confirmations\Order confirmations\Package.dtsx" /DECRYPT password'
1. I get an error saying access denied. I tried setting up sp_xp_cmdshell_proxy_account (##xp_cmdshell_proxy_account##) to an account that has access to the network drive where the file is stored, no luck.
2. whoami.exe shows NT Authority\System instead of my proxy account.
3. GRANT EXECUTE on xp_cmdshell to [mydomain\myAccount] didn't have any effect.
Any suggestions? The job runs fine if I set it up with SQL Server Agent. Eventually I will just call xp_cmdshell from a trigger on Database A table Orders to enter the data into Database B and then fire off an email with sp_send_dbmail if some conditions are met.
The only way that I could currently find (without restructuring permissions in SQL and the network) was to give read/execute permission to SQL Server. Not my ideal solution, but it works.
Hope this helps someone

How do I limit a sql account's access to one database?

I'm using SQL Server Express 2008 SP1 (10.0.2531) and would like to limit access for a SQL account to one database. I have the SQL account created. How do I grant this user access to the database but deny access to the others?
Thanks!
You create a user.
1 - Using Security/logins. Add your user here (new login)
2 - User mapping
3 - users mapped to this login.
4- choose the DB that your user can access
If you create a user in the security/logins node with the server role of public only they will not, by default, have access to any database.
Secondly, under the security/users node of the database, add them as a new user and then set the roles as required.
Finally, returning to the security/logins node you may want to change the default database to the specific one they are a user for.
Hope that helps

SQL Server : set user to only SEE 1 database, and only some views. (not just deny access, so they can't see at all)

I'm trying to set up a user in SQL Server 2008 R2 so when they login, they only see one database and so they only see views with 1 schema.
They should not be able to see that other databases exist, that any tables exist within the database that they can see, or any views that exist other than tables that belong to one schema.
How can I go about doing this?
Thank you in advance
Edit: some more information. I have managed to get a user to only see 1 database and no others in the past by denying view all databases and making the user the owner of the database. In this case the user can not be the owner of the database.
You can move the database to a new instance.

SQL Server 2008 replication failing with: process could not execute 'sp_replcmds'

I have an issue with SQL replication that I am having trouble fixing. What I am doing is restoring two DBs from a production backup, and then installing replication between them. The replication seems to be configured without any errors, but when I look at the status I see error messages like this:
Error messages:
The process could not execute
'sp_replcmds' on 'MYSERVER1'. Get
help: http://help/MSSQL_REPL20011
Cannot execute as the database
principal because the principal "dbo"
does not exist, this type of principal
cannot be impersonated, or you do not
have permission. (Source: MSSQLServer,
Error number: 15517) Get help:
http://help/15517
The process could not execute 'sp_replcmds' on 'MYSERVER1'.
Get help: http://help/MSSQL_REPL22037
What does this mean?
When I had this problem, my database didn't have an owner set properly. I had restored a database from another windows domain, right clicked the database -> properties and verified in the "general" tab that the owner was set correctly. However, in the "files" tab, owner was not set at all. As soon as I set it, replication was running without problems.
'dbo' maps to a login that is invalid. If you run select suser_sname(owner_sid) from sys.databases, you probably get NULL for those two DBs. You need to change 'dbo' to a valid login. Run, on both databases:
ALTER AUTHORIZATION ON DATABASE::[<dbname>] TO [sa]
The easiest way to correct the error is to use ALTER AUTHORIZATION on the databases which have the NULL login match for dbo.
I found that if you use article filters, you must use a unique filter name. Once I changed the filter name to be unique across all articles, it fixed this issue.
In our case the service account that the SQL instance was running on got locked. Once unlocked and we stopped/restarted the LogReader SQL agent jobs then things started flowing again.

SQL Server Mapping a user to a login and adding roles programmatically

In my SQL Server 2005 server I create databases and logins using Management Studio. My application requires that I give a newly created user read and write permissions to another database.
To do this I right-click the newly created login, select properties and go to User Mapping. I put a check beside the database to map this login to the db and select db_datareader and db_datawriter as the roles to map.
Can this be done programmatically? I've read about using Alter User and sp_change_users_login but I'm having problems getting these to work, since sp_change_users_login has been deprecated so I'd prefer to use Alter User.
Please note my understanding of SQL Server database users/logins/roles is basic
Logins are for the server instance. Users are at the database level. Roles are generally found at the database level but there are some fixed roles like sysadmin at the server instance level.
Go here for the grammar to create a user on a database.
Go here for the syntax for adding that user to a database role.
You are likely going to execute something like the following to accomplish all of this.
Create Login temp1 with Password = '123!##$FAF', Default_Database = test
GO
use test;
Create User user_blah1 from Login temp1
GO
use test;
Exec sp_addrolemember @rolename = 'db_datareader',
@membername = 'user_blah1'