How to transfer logins and passwords between instance of sql server

Transfer sql server login from one source server to target server

sp_help_serverlogin is a stored procedure which helps to transfer logins and passwords from one instance of a server to another instance of the server.

Why and when to use sp_help_serverlogin?

When we move the databases from one environment to another environment i.e. take a backup from source instance ABC on server P and restoring those databases on the new instance, let’s say XYZ on server Q, target server.

In such cases, we also need existing logins on the new server for getting access to databases. We can script out login from instance ABC and execute the script to new instance XYZ one by one manually. For a few logins, we can use this method, which is a bit time consuming and practically not possible if you have a lot of logins.

Also, if it’s Windows authentication login, then you can directly create logins on new instance XYZ, as the passwords will be maintained by windows, rather than the SQL server.

If it’s the SQL Server authentication login, the passwords will be stored by the SQL server. In such cases, if you will script out the login and execute it, then it would not include the passwords which are set for logins. (Note — Script out creates some basic random password for security reasons).

SQL Logins created using script out will throw an error when you try to login using SQL authentication. Error:

Login failed for user ‘s-test’ (Microsoft SQL Server, Error:18456)

Now comes the server_login in the picture. This stored procedure will help to replicate the login with the original password to the new instance without you knowing the original password for SQL logins.

Steps for using sp_help_serverlogin:

Step 1: 

Log in to Server P, open SSMS (SQL Server Management Studio) and connect to an existing instance (in our case its instance ABC).

Step 2: 

Open New Query window, and then run the below script:

USE master
GO
IF OBJECT_ID ('sp_hexadecimal') IS NOT NULL
DROP PROCEDURE sp_hexadecimal
GO
CREATE PROCEDURE sp_hexadecimal
@binvalue varbinary(256),
@hexvalue varchar (514) OUTPUT
AS
DECLARE @charvalue varchar (514)
DECLARE @i int
DECLARE @length int
DECLARE @hexstring char(16)
SELECT @charvalue = '0x'
SELECT @i = 1
SELECT @length = DATALENGTH (@binvalue)
SELECT @hexstring = '0123456789ABCDEF'
WHILE (@i <= @length)
BEGIN
DECLARE @tempint int
DECLARE @firstint int
DECLARE @secondint int
SELECT @tempint = CONVERT(int, SUBSTRING(@binvalue,@i,1))
SELECT @firstint = FLOOR(@tempint/16)
SELECT @secondint = @tempint - (@firstint*16)
SELECT @charvalue = @charvalue +
SUBSTRING(@hexstring, @firstint+1, 1) +
SUBSTRING(@hexstring, @secondint+1, 1)
SELECT @i = @i + 1
END
SELECT @hexvalue = @charvalue
GO
IF OBJECT_ID ('sp_help_serverlogin') IS NOT NULL
DROP PROCEDURE sp_help_serverlogin
GO
CREATE PROCEDURE sp_help_serverlogin @login_name sysname = NULL AS
DECLARE @name sysname
DECLARE @type varchar (1)
DECLARE @hasaccess int
DECLARE @denylogin int
DECLARE @is_disabled int
DECLARE @PWD_varbinary varbinary (256)
DECLARE @PWD_string varchar (514)
DECLARE @SID_varbinary varbinary (85)
DECLARE @SID_string varchar (514)
DECLARE @tmpstr varchar (1024)
DECLARE @is_policy_checked varchar (3)
DECLARE @is_expiration_checked varchar (3)
DECLARE @defaultdb sysname
IF (@login_name IS NULL)
DECLARE login_curs CURSOR FOR
SELECT p.sid, p.name, p.type, p.is_disabled, p.default_database_name, l.hasaccess, l.denylogin FROM
sys.server_principals p LEFT JOIN sys.syslogins l
ON ( l.name = p.name ) WHERE p.type IN ( 'S', 'G', 'U' ) AND p.name <> 'sa'
ELSE
DECLARE login_curs CURSOR FOR
SELECT p.sid, p.name, p.type, p.is_disabled, p.default_database_name, l.hasaccess, l.denylogin FROM
sys.server_principals p LEFT JOIN sys.syslogins l
ON ( l.name = p.name ) WHERE p.type IN ( 'S', 'G', 'U' ) AND p.name = @login_name
OPEN login_curs
FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @type, @is_disabled, @defaultdb, @hasaccess, @denylogin
IF (@@fetch_status = -1)
BEGIN
PRINT 'No login(s) found.'
CLOSE login_curs
DEALLOCATE login_curs
RETURN -1
END
SET @tmpstr = '/* sp_help_serverlogin script '
PRINT @tmpstr
SET @tmpstr = '** Generated ' + CONVERT (varchar, GETDATE()) + ' on ' + @@SERVERNAME + ' */'
PRINT @tmpstr
PRINT ''
WHILE (@@fetch_status <> -1)
BEGIN
IF (@@fetch_status <> -2)
BEGIN
PRINT ''
SET @tmpstr = '-- Login: ' + @name
PRINT @tmpstr
IF (@type IN ( 'G', 'U'))
BEGIN -- NT authenticated account/group
SET @tmpstr = 'CREATE LOGIN ' + QUOTENAME( @name ) + ' FROM WINDOWS WITH DEFAULT_DATABASE = [' + @defaultdb + ']' END ELSE BEGIN -- SQL Server authentication -- obtain password and sid SET @PWD_varbinary = CAST( LOGINPROPERTY( @name, 'PasswordHash' ) AS varbinary (256) ) EXEC sp_hexadecimal @PWD_varbinary, @PWD_string OUT EXEC sp_hexadecimal @SID_varbinary,@SID_string OUT -- obtain password policy state SELECT @is_policy_checked = CASE is_policy_checked WHEN 1 THEN 'ON' WHEN 0 THEN 'OFF' ELSE NULL END FROM sys.sql_logins WHERE name = @name SELECT @is_expiration_checked = CASE is_expiration_checked WHEN 1 THEN 'ON' WHEN 0 THEN 'OFF' ELSE NULL END FROM sys.sql_logins WHERE name = @name SET @tmpstr = 'CREATE LOGIN ' + QUOTENAME( @name ) + ' WITH PASSWORD = ' + @PWD_string + ' HASHED, SID = ' + @SID_string + ', DEFAULT_DATABASE = [' + @defaultdb + ']' IF ( @is_policy_checked IS NOT NULL ) BEGIN SET @tmpstr = @tmpstr + ', CHECK_POLICY = ' + @is_policy_checked END IF ( @is_expiration_checked IS NOT NULL ) BEGIN SET @tmpstr = @tmpstr + ', CHECK_EXPIRATION = ' + @is_expiration_checked END END IF (@denylogin = 1) BEGIN -- login is denied access SET @tmpstr = @tmpstr + '; DENY CONNECT SQL TO ' + QUOTENAME( @name ) END ELSE IF (@hasaccess = 0) BEGIN -- login exists but does not have access SET @tmpstr = @tmpstr + '; REVOKE CONNECT SQL TO ' + QUOTENAME( @name ) END IF (@is_disabled = 1) BEGIN -- login is disabled SET @tmpstr = @tmpstr + '; ALTER LOGIN ' + QUOTENAME( @name ) + ' DISABLE' END PRINT @tmpstr
END
FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @type, @is_disabled, @defaultdb, @hasaccess, @denylogin
END
CLOSE login_curs
DEALLOCATE login_curs
RETURN 0
GO

The script will be successfully executed.

Step 3: 

The script executed in Step 2 will create two stored procedures in the master database.

The created stored procedure is as below:

sp_hexadecimal      &      sp_help_serverlogin

Now, Run the query in the new query window.

EXEC sp_help_serverlogin

This above query will create some output scripts. These output scripts are nothing but a login script. This login script consists of logins, the original password, and original security identifier (SID).

Step 4: Now login to Target Server, open SSMS (SQL Server Management Studio) and connect to the instance where we need to transfer (replicate) these logins.

This is the server instance, where we restored databases for which we are transferring the logins.

Step 5: Open new Query window on target instance, copy the output script (generated on Source instance ABC after the execution of step 3).

Execute the script and it will create the logins with original passwords and correct SID.

In Step no — 3, we have seen 2 stored procedures are created namely — sp_hexadecimal and sp_help_serverlogin. Let us get in detail here.

sp_help_serverlogin produces the code which will recreate login with the original SID, while sp_hexadecimal is used to translate the password using a password hashing algorithm which is created in text format to be used in the script.

Conclusion: With help of the server_login stored procedure we can easily transfer the logins with their original password into the target instance of SQL Server. These steps mentioned above will make your work easy.

Leave a Reply

Your email address will not be published. Required fields are marked *