Question

I have a script that detaches databases for archival when they meet certain criteria. The script is executed by SSIS under the local Administrator account by the Ghost of DBA Past. Per design it (by this I meant detaching databases in general) removes all other ownership and makes ownership exclusive to the local Administrator account. Here's where it gets weird:

I can't seem to change permissions back except via two methods:

  1. Windows GUI properties/Security etc.
  2. Copying the files to a subdirectory that has inherited different permissions.

What I can't get to work:

  1. PowerShell Set-Acl
  2. PowerShell Move-Item
  3. Moving/cutting the files in Windows GUI
  4. icacls

I understand why ownership changes, but not why it's so difficult to edit the permissions afterwards, and why the files seem to essentially be hidden from command line tools.

Reason for the change is that sometimes data needs to be put back online before it goes to tape for whatever reason, and I can't attach the database(s) without changing permissions first.

Thanks

Solution

You should enable trace flag 1802 on your database servers. This will allow SQL Server to retain inheritable permissions when you detach a database so you won't experience this issue going forward:

http://support2.microsoft.com/kb/922804

DBCC TRACEON(1802, -1)

Add it to the startup parameters of the SQL Server service: http://msdn.microsoft.com/en-us/library/ms190737(v=sql.110).aspx
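
To see what a detach actually left on the files, and to confirm after enabling trace flag 1802 that inheritable permissions are retained, the following read-only audit can be run from an elevated PowerShell session. It is an added example, not part of the original answer; the function name `Get-DetachedFileAclReport` and the folder path in the usage line are assumptions for illustration.

```powershell
# Added example (not from the original answer): read-only ACL audit of
# detached database files. Nothing here changes owner or permissions.
# Get-DetachedFileAclReport is a hypothetical helper name.
function Get-DetachedFileAclReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path   # folder that holds the detached .mdf/.ndf/.ldf files
    )

    Get-ChildItem -LiteralPath $Path -File |
        Where-Object { $_.Extension -in '.mdf', '.ndf', '.ldf' } |
        ForEach-Object {
            $file = $_
            try {
                $acl       = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
                $explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })
                $inherited = @($acl.Access | Where-Object { $_.IsInherited })

                [pscustomobject]@{
                    File                = $file.Name
                    Owner               = $acl.Owner
                    # True means the file no longer inherits ACEs from its folder
                    InheritanceDisabled = $acl.AreAccessRulesProtected
                    ExplicitPrincipals  = ($explicit.IdentityReference.Value |
                                           Sort-Object -Unique) -join '; '
                    InheritedAceCount   = $inherited.Count
                    Error               = $null
                }
            }
            catch {
                # A caller that is not among the remaining principals on the
                # file cannot read its ACL; record that instead of hiding it.
                [pscustomobject]@{
                    File                = $file.Name
                    Owner               = $null
                    InheritanceDisabled = $null
                    ExplicitPrincipals  = $null
                    InheritedAceCount   = $null
                    Error               = $_.Exception.Message
                }
            }
        }
}

# Usage: the path below is a constructed placeholder, substitute your own folder.
Get-DetachedFileAclReport -Path 'D:\DetachedArchive' | Format-Table -AutoSize
```

Files that report `InheritanceDisabled` as True with a single explicit principal, or that only return an error, are the ones that will need their permissions restored before an attach under a different account.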

OTHER TIPS

Maybe this is not an answer to your question but I believe it is relevant. I would write a comment if I could but I want to add the pictures and the script I used.

I had the same problem a while ago; I was getting the following error message while trying to re-attach a database:

The way I sorted this out was by impersonating the login used to detach the database and then running the following command. Note that I change the DB owner straight after.

USE [master]
GO
CREATE DATABASE [DEOrderArchive] ON 
( FILENAME = N'Y:\SQLDATA\REP\DEOrderArchive.mdf' ),
( FILENAME = N'Z:\SQLLogs\REP\DEOrderArchive.ldf' )
FOR ATTACH
GO
USE [DEOrderArchive]
GO
EXEC dbo.sp_changedbowner @loginame = N'sa', @map = false
GO
Licensed under: CC-BY-SA with attribution