sql server - create a login


Upload: johnecholsphrasetyo

Post on 14-Apr-2015


Page 1: SQL SERVER - Create a Login

Create a Login

This topic describes how to create a login in SQL Server 2012 by using SQL Server Management Studio or Transact-SQL. A login is the identity of the person or process that is connecting to an instance of SQL Server.

In This Topic

Before you begin: Background, Security

To create a login, using: SQL Server Management Studio, Transact-SQL

Follow Up: Steps to take after you create a login

Background

A login is a security principal, or an entity that can be authenticated by a secure system. Users need a login to connect to SQL Server. You can create a login based on a Windows principal (such as a domain user or a Windows domain group) or you can create a login that is not based on a Windows principal (such as an SQL Server login).

Note: To use SQL Server Authentication, the Database Engine must use mixed mode authentication. For more information, see Choose an Authentication Mode.

As a security principal, permissions can be granted to logins. The scope of a login is the whole Database Engine. To connect to a specific database on the instance of SQL Server, a login must be mapped to a database user. Permissions inside the database are granted and denied to the database user, not the login. Permissions that have the scope of the whole instance of SQL Server (for example, the CREATE ENDPOINT permission) can be granted to a login.

Security

Permissions

Requires ALTER ANY LOGIN or ALTER LOGIN permission on the server.

Using SQL Server Management Studio

To create a SQL Server login

1. In Object Explorer, expand the folder of the server instance in which you want to create the new login.

2. Right-click the Security folder, point to New, and select Login….

Create a Login http://msdn.microsoft.com/en-us/library/aa337562.aspx

1 of 7 5/29/2012 11:56 AM

3. In the Login – New dialog box, on the General page, enter the name of a user in the Login name box. Alternately, click Search… to open the Select User or Group dialog box.

   If you click Search…:

   a. Under Select this object type, click Object Types… to open the Object Types dialog box and select any or all of the following: Built-in security principals, Groups, and Users. Built-in security principals and Users are selected by default. When finished, click OK.

   b. Under From this location, click Locations… to open the Locations dialog box and select one of the available server locations. When finished, click OK.

   c. Under Enter the object name to select (examples), enter the user or group name that you want to find. For more information, see Select Users, Computers, or Groups Dialog Box.

   d. Click Advanced… for more advanced search options. For more information, see Select Users, Computers, or Groups Dialog Box - Advanced Page.

   e. Click OK.

4. To create a login based on a Windows principal, select Windows authentication. This is the default selection.

5. To create a login that is saved on a SQL Server database, select SQL Server authentication.

   a. In the Password box, enter a password for the new user. Enter that password again into the Confirm Password box.

   b. When changing an existing password, select Specify old password, and then type the old password in the Old password box.

   c. To enforce password policy options for complexity and enforcement, select Enforce password policy. For more information, see Password Policy. This is a default option when SQL Server authentication is selected.

   d. To enforce password policy options for expiration, select Enforce password expiration. Enforce password policy must be selected to enable this checkbox. This is a default option when SQL Server authentication is selected.

   e. To force the user to create a new password after the first time the login is used, select User must change password at next login. Enforce password expiration must be selected to enable this checkbox. This is a default option when SQL Server authentication is selected.

6. To associate the login with a stand-alone security certificate, select Mapped to certificate and then select the name of an existing certificate from the list.

7. To associate the login with a stand-alone asymmetric key, select Mapped to asymmetric key, and then select the name of an existing key from the list.

8. To associate the login with a security credential, select the Mapped to Credential check box, and then either select an existing credential from the list or click Add to create a new credential. To remove a mapping to a security credential from the login, select the credential from Mapped Credentials and click Remove. For more information about credentials in general, see Credentials (Database Engine).

9. From the Default database list, select a default database for the login. Master is the default for this option.

10. From the Default language list, select a default language for the login.

11. Click OK.

Additional Options

The Login – New dialog box also offers options on four additional pages: Server Roles, User Mapping, Securables, and Status.

Server Roles

The Server Roles page lists all possible roles that can be assigned to the new login. The following options are available:

bulkadmin check box

Members of the bulkadmin fixed server role can run the BULK INSERT statement.

dbcreator check box

Members of the dbcreator fixed server role can create, alter, drop, and restore any database.

diskadmin check box

Members of the diskadmin fixed server role can manage disk files.

processadmin check box

Members of the processadmin fixed server role can terminate processes running in an instance of the Database Engine.

public check box

All SQL Server users, groups, and roles belong to the public fixed server role by default.

securityadmin check box

Members of the securityadmin fixed server role manage logins and their properties. They can GRANT, DENY, and REVOKE server-level permissions. They can also GRANT, DENY, and REVOKE database-level permissions. Additionally, they can reset passwords for SQL Server logins.

serveradmin check box

Members of the serveradmin fixed server role can change server-wide configuration options and shut down the server.

setupadmin check box

Members of the setupadmin fixed server role can add and remove linked servers, and they can execute some system stored procedures.

sysadmin check box

Members of the sysadmin fixed server role can perform any activity in the Database Engine.

User Mapping

The User Mapping page lists all possible databases and the database role memberships on those databases that can be applied to the login. The databases selected determine the role memberships that are available for the login. The following options are available on this page:

Users mapped to this login

Select the databases that this login can access. When you select a database, its valid database roles are displayed in the Database role membership for: database_name pane.

Map

Allow the login to access the databases listed below.

Database

Lists the databases available on the server.

User

Specify a database user to map to the login. By default, the database user has the same name as the login.

Default Schema

Specifies the default schema of the user. When a user is first created, its default schema is dbo. It is possible to specify a default schema that does not yet exist. You cannot specify a default schema for a user that is mapped to a Windows group, a certificate, or an asymmetric key.

Guest account enabled for: database_name

Read-only attribute indicating whether the Guest account is enabled on the selected database. Use the Status page of the Login Properties dialog box of the Guest account to enable or disable the Guest account.

Database role membership for: database_name

Select the roles for the user in the specified database. All users are members of the public role in every database and cannot be removed. For more information about database roles, see Database-Level Roles.

Securables

The Securables page lists all possible securables and the permissions on those securables that can be granted to the login. The following options are available on this page:

Upper Grid

Contains one or more items for which permissions can be set. The columns that are displayed in the upper grid vary depending on the principal or securable.

To add items to the upper grid:

1. Click Search.

2. In the Add Objects dialog box, select one of the following options: Specific objects…, All objects of the types…, or The server server_name. Click OK.

   Note: Selecting The server server_name automatically fills the upper grid with all of that server's securable objects.

3. If you select Specific objects…:

   a. In the Select Objects dialog box, under Select these object types, click Object Types….

   b. In the Select Object Types dialog box, select any or all of the following object types: Endpoints, Logins, Servers, Availability Groups, and Server roles. Click OK.

   c. Under Enter the object names to select (examples), click Browse….

   d. In the Browse for Objects dialog box, select any of the available objects of the type that you selected in the Select Object Types dialog box, and then click OK.

   e. In the Select Objects dialog box, click OK.

4. If you select All objects of the types…, in the Select Object Types dialog box, select any or all of the following object types: Endpoints, Logins, Servers, Availability Groups, and Server roles. Click OK.

Name

The name of each principal or securable that is added to the grid.

Type

Describes the type of each item.

Explicit Tab

Lists the possible permissions for the securable that is selected in the upper grid. Not all options are available for all explicit permissions.

Permissions

The name of the permission.

Grantor

The principal that granted the permission.

Grant

Select to grant this permission to the login. Clear to revoke this permission.

With Grant

Reflects the state of the WITH GRANT option for the listed permission. This box is read-only. To apply this permission, use the GRANT statement.

Deny

Select to deny this permission to the login. Clear to revoke this permission.

Status

The Status page lists some of the authentication and authorization options that can be configured on the selected SQL Server login.

The following options are available on this page:

Permission to connect to database engine

When you work with this setting, you should think of the selected login as a principal that can be granted or denied permission on a securable.

Select Grant to grant CONNECT SQL permission to the login. Select Deny to deny CONNECT SQL to the login.

Login

When you work with this setting, you should think of the selected login as a record in a table. Changes to the values listed here will be applied to the record.

A login that has been disabled continues to exist as a record. But if it tries to connect to SQL Server, the login will not be authenticated.

Select this option to enable or disable this login. This option uses the ALTER LOGIN statement with either the ENABLE or DISABLE option.

SQL Server Authentication

The check box Login is locked out is only available if the selected login connects using SQL Server Authentication and the login has been locked out. This setting is read-only. To unlock a login that is locked out, execute ALTER LOGIN with the UNLOCK option.

Using Transact-SQL
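The password policy, fixed server role and Status page settings described in the Management Studio section can be reviewed across every login with catalog queries. The following is an added example, not part of the original topic; it changes nothing and assumes the caller can view server-level metadata (for example, a member of sysadmin).

```sql
-- Added example: read-only review of login settings discussed in this topic.

-- 1. SQL Server authentication logins with a weakened policy or a lockout.
SELECT  sl.name,
        sl.is_disabled,
        sl.is_policy_checked,        -- "Enforce password policy"
        sl.is_expiration_checked,    -- "Enforce password expiration"
        CAST(LOGINPROPERTY(sl.name, 'IsMustChange') AS int) AS must_change,
        CAST(LOGINPROPERTY(sl.name, 'IsLocked')     AS int) AS is_locked,
        sl.default_database_name,
        sl.modify_date
FROM    sys.sql_logins AS sl
WHERE   sl.is_policy_checked = 0
   OR   sl.is_expiration_checked = 0
   OR   CAST(LOGINPROPERTY(sl.name, 'IsLocked') AS int) = 1
ORDER BY sl.name;

-- 2. Members of the fixed server roles with the widest reach.
SELECT  r.name AS server_role,
        m.name AS member_login,
        m.type_desc,
        m.is_disabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name IN (N'sysadmin', N'securityadmin', N'serveradmin')
ORDER BY r.name, m.name;

-- 3. Logins whose CONNECT SQL permission is denied (Status page: Deny).
SELECT  p.name AS login_name,
        sp.permission_name,
        sp.state_desc
FROM    sys.server_permissions AS sp
JOIN    sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE   sp.permission_name = N'CONNECT SQL'
  AND   sp.state_desc = N'DENY'
ORDER BY p.name;
```

A disabled login that still appears in the second result set keeps its role membership, so it regains those rights as soon as it is re-enabled.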

To create a login using Windows Authentication

1. In Object Explorer, connect to an instance of Database Engine.

2. On the Standard bar, click New Query.

3. Copy and paste the following example into the query window and click Execute.

-- Create a login for SQL Server by specifying a server name and a Windows domain account name.
CREATE LOGIN [<domainName>\<loginName>] FROM WINDOWS;
GO

To create a login using SQL Server Authentication

1. In Object Explorer, connect to an instance of Database Engine.

2. On the Standard bar, click New Query.

3. Copy and paste the following example into the query window and click Execute.

-- Creates the user "shcooper" for SQL Server using the security credential "RestrictedFaculty"
-- The user login starts with the password "Baz1nga," but that password must be changed after the first l
-- MUST_CHANGE requires CHECK_EXPIRATION = ON (CHECK_POLICY is ON by default).
CREATE LOGIN shcooper WITH PASSWORD = 'Baz1nga' MUST_CHANGE, CHECK_EXPIRATION = ON, CREDENTIAL = RestrictedFaculty;
GO

For more information, see CREATE LOGIN (Transact-SQL).

Follow Up: Steps to take after you create a login

After creating a login, the login can connect to SQL Server, but does not necessarily have sufficient permission to perform any useful work. The following list provides links to common login actions.

To have the login join a role, see Join a Role.

To authorize a login to use a database, see Create a Database User.

To grant a permission to a login, see Grant a Permission to a Principal.

© 2012 Microsoft. All rights reserved.
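The follow-up steps above (create a database user, join a role, grant a permission) can be carried out and then verified in one script. This is an added example, not part of the original topic; SalesDb, dbo.Orders, order_readers and report_reader are assumed names, and the password is a placeholder.

```sql
-- Added example; all object names are assumptions, the password is a placeholder.

-- Server scope: the login only authenticates. Policy, expiration and the
-- forced first-use change are all enabled (MUST_CHANGE requires both ON).
CREATE LOGIN report_reader
    WITH PASSWORD = '<EnterStrongPasswordHere>' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = SalesDb;
GO

USE SalesDb;
GO

-- Database scope: map the login to a user; permissions attach to the user.
CREATE USER report_reader FOR LOGIN report_reader WITH DEFAULT_SCHEMA = dbo;

-- Carry the permission on a role so it can be reviewed and revoked in one place.
CREATE ROLE order_readers;
GRANT SELECT ON OBJECT::dbo.Orders TO order_readers;
ALTER ROLE order_readers ADD MEMBER report_reader;
GO

-- Check 1: the database user resolves to the expected server login (same SID).
SELECT dp.name AS database_user,
       sp.name AS server_login,
       sp.is_disabled
FROM   sys.database_principals AS dp
JOIN   sys.server_principals   AS sp ON sp.sid = dp.sid
WHERE  dp.name = N'report_reader';

-- Check 2: what the role, and therefore the user, is actually allowed to do.
SELECT r.name AS role_name,
       pe.state_desc,
       pe.permission_name,
       OBJECT_SCHEMA_NAME(pe.major_id) AS schema_name,
       OBJECT_NAME(pe.major_id)        AS object_name
FROM   sys.database_role_members AS rm
JOIN   sys.database_principals   AS r  ON r.principal_id = rm.role_principal_id
JOIN   sys.database_principals   AS u  ON u.principal_id = rm.member_principal_id
JOIN   sys.database_permissions  AS pe ON pe.grantee_principal_id = r.principal_id
WHERE  u.name = N'report_reader';
GO
```

The second check should return a single GRANT of SELECT on dbo.Orders; any additional row means the role carries more than the account needs.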