Sql-server – Change SQL Server user SID

I have SQL Server 2012 and I am using domain users (from Active Directory). By mistake users were deleted from AD, created new with identical logins and passwords (but with different SIDs), deleted and restored the original ones – in the end old users with old SID's were recreated.

Almost everything seems to be fine again, except for one user. SQL Server somehow got stucked with wrong SID for one user (all other users are fine) and is not getting the right SID from AD. I checked SID in both places – SIDs in AD is not the same as in SQL Server.

As result of this "SID mismatch" this user can not access to database. If it tries, it fails and gets:

"Error: 18456, Severity: 14, State: 5."
Login failed for user 'DomainX\UserX'. Reason: Could not find a login matching the name provided.

I deleted user from server and all databases it was used, then added – and again got wrong SID! And this "new" user still can not connect to database.

There are two things that "grinds my gears":

how SIDs for other users match and mismatch for just one?
if other users are fine (they got old SIDs), then I can assume there is not problems in domain controller?

I have found a lot about different manipulations with two existing user (or orphaned?) logins, but failed to found about just changing SID.

~~But the main question is – how to change SID of one user in MS SQL Server (version 11.0.)? Is this even possible?~~

UPDATE
As I keep thinking about this, I realised that I have wrong question. Since this UserX is domain user, it is not SQL Server local user – that means that I can not change SID directly in SQL Server.

I have two identical servers (ServerA and ServerB) that uses the same users from AD. In ServerB UserX has got right SID and can normaly authenticate in SQL Server (right SID means the same as in AD). To be clear – UserX has got wrong SID in ServerA.

Question – if this user is domain user from Active Directory, where and how change its SID? If UserX can authenticate in ServerB, that means SID must be changed in ServerA within Windows Users?

Please correct me, if some thoughts or ideas has gone in wrong tracks.

UPDATE 2
I have found a solution to my problem, although it did not answered the question. For anyone interested – my colleges found deleted user with that wrong SID in AD. That user was renewed and now in AD both users are active – the good one and the bad one. SQL Server recognized users and problem with user login and SID mismatch somehow resolved itself – UserX in ServerA now has right SID and can access database. Now everything works as it should be! 🙂

Best Answer

I had a similar situation with a deleted AD user and SID mismatch. For me, the problem was local SID caching and the solution was to follow the workaround in the link below on the SQL server and client's pc.

https://support.microsoft.com/en-us/help/946358/the-lsalookupsids-function-may-return-the-old-user-name-instead-of-the

Open Registry Editor. To do this in Windows XP or in Windows Server 2003, click Start, click Run, >type regedit, and then click OK.

To do this in Windows Vista and newer, Click Start, type regedit in the >Start Search box, and then press ENTER.

Locate and then right-click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa>

Point to New, and then click DWORD Value.

Type LsaLookupCacheMaxSize, and then press ENTER.

Right-click LsaLookupCacheMaxSize, and then click Modify.

In the Value data box, type 0, and then click OK.

Exit Registry Editor.

Optionally, afterwards, right-click the LsaLookupCacheMaxSize DWORD you created and delete it.

Best Answer

Related Solutions

Active Directory – Fix Wrong SID for Administrator Account

Windows – user SID unique

Related Topic