
How should I store Windows userid in database?

Currently I am storing the Windows account of a user as nvarchar(10) in SQL Server. Is this the correct way to store userids? What should be the data type? Or should I even store userids?

HOY asked Jun 18 '12 10:06



2 Answers

Windows NT user identities are known as SID, a security-identifier. Its string representation is specified in SID String Format Syntax and the marshal representation is specified in SID--Packet Representation. If you want to store a SID in the database, use the same representation as the sys.databases.owner_sid field: varbinary(85). To retrieve a login SID use SUSER_SID (which also returns... varbinary(85)).

Specifically do not store identities as login names (domain\user or user@domain) since these change way more frequently than you expect, especially in large corporations. Mine changed about 5 times in 10 years.

Remus Rusanu answered Sep 30 '22 11:09
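The two SID representations named in the answer above, converted in both directions so that a SID received in string form can be stored in (and read back from) a varbinary(85) column. This is an added example, not part of the original answer; the function names are hypothetical and the sample SIDs are the well-known BUILTIN\Administrators SID and a constructed domain SID.

```python
import re
import struct

SQL_SID_COLUMN_BYTES = 85   # varbinary(85), the width the answer recommends
MAX_SUBAUTHORITIES = 15     # limit imposed by the binary SID layout

_SID_RE = re.compile(r"S-1-(\d+|0x[0-9A-F]+)((?:-\d+)*)", re.ASCII | re.IGNORECASE)

def sid_to_bytes(sid: str) -> bytes:
    """Parse the string form (S-1-5-21-...) into the binary packet form."""
    m = _SID_RE.fullmatch(sid)
    if m is None:
        raise ValueError(f"not a revision-1 SID string: {sid!r}")
    auth_text = m.group(1)
    authority = int(auth_text, 16) if auth_text.lower().startswith("0x") else int(auth_text)
    subs = [int(s) for s in m.group(2).split("-")[1:]]
    if authority >= 1 << 48 or len(subs) > MAX_SUBAUTHORITIES:
        raise ValueError("authority or sub-authority count out of range")
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority does not fit in 32 bits")
    # Revision, count, 48-bit big-endian authority, then little-endian uint32s.
    head = struct.pack(">BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return head + struct.pack(f"<{len(subs)}I", *subs)

def bytes_to_sid(raw: bytes) -> str:
    """Render a value read from the varbinary(85) column in string form."""
    if len(raw) < 8 or raw[0] != 1 or raw[1] > MAX_SUBAUTHORITIES:
        raise ValueError("malformed binary SID header")
    if len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    # Authorities of 2**32 and above are written in hex in the string format.
    auth = str(authority) if authority < 1 << 32 else f"0x{authority:012X}"
    return "-".join(["S", "1", auth, *map(str, subs)])

# Constructed sample input: a domain SID with a made-up domain identifier.
SAMPLE_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330-512"

if __name__ == "__main__":
    blob = sid_to_bytes(SAMPLE_DOMAIN_SID)
    assert len(blob) <= SQL_SID_COLUMN_BYTES
    print(blob.hex(), "->", bytes_to_sid(blob))
```

The largest valid binary SID is 8 + 15 × 4 = 68 bytes, so any value produced here fits in varbinary(85).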


This is a very complex question.

Technically do NOT store the name. Store the ID, which incidentally is a GUID by type anyway.

That means you are safe when you for example rename the account and that is what Windows does. Ever seen when you open rights on a file it takes a second to show the names? And shows a number first? That is because Windows takes a little to get the names from the domain controller.

SIMPLE is to store the account name, but it means you are "dead" on a rename, which should be quite rare, OTOH. I think most solutions go for that ;)

TomTom answered Sep 30 '22 13:09