SQL Server Check

Invalid Windows login

This is one of many SQL Server checks performed by our free sp_Check tools.

Learn More About Our sp_check Tools

Checks Performed

ID
Check
304
invalid Windows login

What’s the issue?

SQL Server supports Windows authentication, allowing logins to be created from Active Directory user accounts, Active Directory groups, and local Windows accounts. When a login is created, SQL Server stores the security identifier (SID) of the underlying Windows or Active Directory principal, which is the durable reference used to validate the account at connection time.

The system stored procedure sp_validatelogins checks every Windows login on the instance and returns a list of any whose underlying Windows accounts no longer exist. This finding flags instances where sp_validatelogins has returned one or more rows, indicating that SQL Server logins exist for Windows users or groups that have since been deleted from Active Directory or the local account database.

These invalid logins remain in sys.server_principals and may still appear in role memberships and permission grants, even though the underlying account is gone and the login can no longer authenticate.

Why is this a problem?

Invalid Windows logins clutter the SQL Server security configuration and make it harder to maintain an accurate picture of who has access to the instance. During audits and security reviews, every login must be evaluated and justified, and invalid accounts add noise that makes the legitimate entries harder to review.

These logins also retain whatever permissions and role memberships they had when the underlying Windows account was deleted. The permissions are not enforceable while the login is invalid (since no one can authenticate as the deleted account), but they remain attached to the login record. This complicates security reporting and makes it appear that more principals have access than is actually the case.

For Active Directory groups specifically, an invalid group login indicates that the group was actually deleted, since renaming a group preserves its SID. Any access that was previously granted through that group is gone, but the login still appears in permission grants and role memberships, which can mislead future reviews of who has access to what.

What should you do about this?

For each invalid login, review the permissions and role memberships it holds before removal so any access that should have been inherited by a current account can be reassigned appropriately. Capture this information using sys.server_permissions, sys.server_role_members, and sys.database_permissions in each database where the login was mapped to a user.

Remove the invalid logins using DROP LOGIN [DomainNameAccountName];. Before dropping, confirm that any corresponding database users are also handled. Database users tied to the dropped login become orphaned at the database level and may need to be either dropped or remapped to a different login depending on whether the underlying access is still required.

Investigate why the invalid logins accumulated in the first place, since the remediation is most effective when paired with a process improvement. Work with the identity management and Active Directory teams to add a SQL Server cleanup step to the standard user and group deprovisioning workflow, or implement a periodic reconciliation job that runs sp_validatelogins on a schedule and either flags or removes invalid entries automatically.

Read more…

sp_validatelogins (Transact-SQL) – SQL Server | Microsoft Learn

Type

Security

Importance

High

sp_Checks