Question

I'm trying to drop all the logins from SQL Server except the default built-in SQL Server logins, but I'm unable to drop the <domain>\administrator account. It gives me the following error:

Server principal '<domain>\administrator' has granted one or more permission(s). Revoke the permission(s) before dropping the server principal.

I tried checking the permissions assigned to this user using this query:

Select * 
  from sys.server_permissions 
  where grantor_principal_id = 
           (Select principal_id 
              from sys.server_principals 
              where name = N'<domain>\administrator')

This query returns only one record corresponding to an end-point as below:

class  class_desc  major_id  minor_id  grantee_principal_id  grantor_principal_id  type  permission_name  state  state_desc
105    ENDPOINT    65536     0         269                   259                   CO    CONNECT          G      GRANT

But when I try to check the rights assigned to this user on all of the existing end-points, I find that none of them have any kind of permissions for the user I'm trying to delete.

I'm not sure what is happening or where to look in order to drop this user.


Solution

I was able to solve this issue. The following issues were not allowing me to drop the <Domain>\administrator login from SQL Server:

  1. Owner of ReportServer and ReportServerDB databases was <Domain>\administrator user
  2. Owner of ConfigMgrEndPoint end-point was also <Domain>\administrator user.

I changed the ownership of all the above mentioned SQL objects, making the sa user their new owner. Then I was able to drop the <Domain>\administrator user successfully. I also got the following expert comment from one of my colleagues who was helping me with this issue:

Keeping [sa] as the default owner for most SQL objects is a standard practice. Making a domain user the owner of SQL objects can affect their working later on if that user no longer exists or is disabled in Active Directory at any point in time.
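An added example, not code from either answer on this page: a T-SQL script that runs the checks the solution describes for one login (databases it owns, endpoints it owns, server permissions it has granted) and generates the ALTER AUTHORIZATION / REVOKE statements for review rather than executing them. It assumes a placeholder login name in @LoginName and goes beyond the answer by checking sys.endpoints, which covers every endpoint type, not only mirroring endpoints.

```sql
-- Added example, not from the original answer: inventory what blocks DROP LOGIN
-- for one login and generate the fixes for review (nothing is executed here).
-- @LoginName is a placeholder; replace it with the login in question.
DECLARE @LoginName sysname = N'<Domain>\administrator';
DECLARE @Sid varbinary(85), @PrincipalId int;
SELECT @Sid = sid, @PrincipalId = principal_id
FROM sys.server_principals
WHERE name = @LoginName;
IF @PrincipalId IS NULL
BEGIN
    RAISERROR(N'Login %s was not found.', 16, 1, @LoginName);
    RETURN;
END;

-- 1) Databases owned by the login (matched by SID, which is how SQL Server stores ownership).
SELECT N'database owner' AS blocker,
       d.name AS securable,
       N'ALTER AUTHORIZATION ON DATABASE::' + QUOTENAME(d.name) + N' TO [sa];' AS fix_statement
FROM sys.databases AS d
WHERE d.owner_sid = @Sid
UNION ALL
-- 2) Endpoints owned by the login. sys.endpoints lists every endpoint type
--    (TSQL, Service Broker, mirroring, SOAP), unlike sys.database_mirroring_endpoints.
SELECT N'endpoint owner',
       e.name,
       N'ALTER AUTHORIZATION ON ENDPOINT::' + QUOTENAME(e.name) + N' TO [sa];'
FROM sys.endpoints AS e
WHERE e.principal_id = @PrincipalId
UNION ALL
-- 3) Permissions the login granted to others (it is the grantor), which is what the
--    error message complains about. Anything still listed after the ownership changes
--    must be revoked, then re-granted by [sa] if it is still needed.
SELECT N'granted permission',
       p.permission_name + N' (' + p.class_desc + N') to ' + QUOTENAME(g.name),
       CASE p.class_desc
            WHEN N'SERVER'   THEN N'REVOKE ' + p.permission_name + N' FROM ' + QUOTENAME(g.name) + N';'
            WHEN N'ENDPOINT' THEN N'REVOKE ' + p.permission_name + N' ON ENDPOINT::'
                 + QUOTENAME((SELECT name FROM sys.endpoints WHERE endpoint_id = p.major_id))
                 + N' FROM ' + QUOTENAME(g.name) + N';'
            ELSE N'-- revoke manually: class ' + p.class_desc
                 + N', major_id ' + CAST(p.major_id AS nvarchar(10))
       END
FROM sys.server_permissions AS p
JOIN sys.server_principals AS g ON g.principal_id = p.grantee_principal_id
WHERE p.grantor_principal_id = @PrincipalId;
-- When this returns no rows, DROP LOGIN for @LoginName should succeed.
```

Run it as a sysadmin and apply the generated statements only after confirming each object should really be re-homed to sa.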

OTHER TIPS

To find out which permissions are preventing the login from being dropped, I use this script:

SELECT @@SERVERNAME,@@SERVICENAME
SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED

DECLARE @GrantorName nvarchar(4000)

SET @GrantorName = 'xxx\the_login'  /* Login in Question */

SELECT b.name as Grantor
, c.name as Grantee
, a.state_desc as PermissionState
, a.class_desc as PermissionClass
, a.type as PermissionType
, a.permission_name as PermissionName
, a.major_id as SecurableID 
FROM sys.server_permissions a
JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
JOIN sys.server_principals c
ON a.grantee_principal_id = c.principal_id
WHERE grantor_principal_id =
(
 SELECT principal_id
 FROM sys.server_principals
 WHERE name = @GrantorName
)

and sometimes this one:

--Check to see if they own the endpoint itself:
SELECT SUSER_NAME(principal_id) AS endpoint_owner ,name AS endpoint_name
FROM sys.database_mirroring_endpoints;

--If so, you'll need to change the endpoint owner. Say the endpoint is called Mirroring, and you want to change the owner to SA:
--ALTER AUTHORIZATION ON ENDPOINT::Mirroring TO sa;

or following these instructions:

--1)  Check to see if this logon only has server level permissions and check to see 
--if this login has granted permissions to another server principal. 
--Use this query to identify the permissions granted.

Select perm.* from sys.server_permissions  perm
INNER JOIN sys.server_principals prin ON perm.grantor_principal_id = prin.principal_id
where prin.name = 'xxx\the_login'   /* Login in Question */

--2) The permissions granted will need to be revoked , to allow the DROP LOGIN to complete. 
--The permissions can be granted again by a suitable LOGIN.

There is also a very nice article related to this:

Drop Login issues for logins tied to SQL Server Availability Groups

You'll have to check for "server permissions" and "explicit permissions".

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow