i could not get the idea of runas
.But i used @Martin Smith idea
and build solution which is below.
It will be used to disable all non sa user doing any activity in any login. I did not test it in active directory.
- Deny Write
- Deny Read
- Deny Any Database
Deny Sql to connect.
Create TRIGGER DisableSMSSEntry_trigger ON ALL SERVER WITH EXECUTE AS 'sa' FOR LOGON AS BEGIN DECLARE @NtUserName AS NVARCHAR(100) IF ( (SELECT DISTINCT RTRIM(LTRIM(nt_user_name)) AS LogedUser FROM sys.dm_exec_sessions WHERE is_user_process = 1 AND login_name !='sa') >0 ) BEGIN SET @NtUserName= (SELECT DISTINCT RTRIM(LTRIM(nt_domain+'\'+nt_user_name)) AS LogedUser FROM sys.dm_exec_sessions WHERE is_user_process = 1 AND login_name !='sa') DECLARE @membername AS varchar(100),@rolename AS varchar(100) SET @membername=@NtUserName set @rolename ='DB_DenyDataWriter' EXEC sp_addrolemember @membername,@rolename set @rolename = 'DB_DenyDataReader' EXEC sp_addrolemember @membername,@rolename exec (' DENY VIEW ANY DATABASE TO '+ @NtUserName ) exec ('DENY SQL CONNECT ' + @NtUserName ) ROLLBACK END END