Skip to content

Copy-DbaLogin - Add safety check to prevent self-lockout when dropping Windows groups #9948

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: development
Choose a base branch
from
Open

Copy-DbaLogin - Add safety check to prevent self-lockout when dropping Windows groups #9948

wants to merge 1 commit into from

Conversation

@potatoqualitee
Copy link
Member

@potatoqualitee potatoqualitee commented Nov 6, 2025

Summary

This PR addresses issue #8572 where using Copy-DbaLogin with -Force could lock administrators out of SQL Server instances when their access comes solely from AD groups.

Changes

  • Added intelligent safety check that detects potential self-lockout scenarios
  • Only activates for Windows groups with high privileges (sysadmin, securityadmin, or ALTER ANY LOGIN)
  • Uses xp_logininfo to verify group membership (minimal privilege requirements)
  • Provides clear warnings with actionable guidance when risk detected
  • Added regression test documenting the protection

Safety Check Logic

The protection activates only when:

  1. Login being dropped is a Windows group
  2. Current user has no direct SQL login (access via group only)
  3. Group has high privileges (sysadmin, securityadmin, or ALTER ANY LOGIN)
  4. Current user is a member of that group

Testing

  • Regression test added to verify SQL logins are not affected
  • Full AD group testing requires manual verification in domain environment

Fixes #8572

Generated with Claude Code

@github-actions @potatoqualitee
Copy-DbaLogin - Add safety check to prevent self-lockout when droppin…
93b22a9 
…g Windows groups

This change addresses issue #8572 where using Copy-DbaLogin with -Force
could lock administrators out of SQL Server instances when their access
comes solely from AD groups.

The safety check:
- Only applies to Windows groups (not individual logins)
- Only activates when current user has no direct login (access via group only)
- Only checks high-privilege groups (sysadmin, securityadmin, or ALTER ANY LOGIN)
- Uses xp_logininfo to enumerate group members (requires less privilege)
- Provides clear warning messages with actionable guidance
- Errs on the side of caution if group membership cannot be verified

(do Copy-DbaLogin)

Co-authored-by: Chrissy LeMaire <[email protected]>
@potatoqualitee
Copy link
Member Author

potatoqualitee commented Nov 7, 2025

@niphlod whatcha think? safety vs performance. claude tried to balance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Copy-DbaLogin may lead to unaccessable SQL instance

1 participant

@potatoqualitee