(5.2.4) Configuring server parameters - database migration: resolving orphaned users

This article describes how to transfer logins and passwords between different instances of Microsoft SQL Server.

Note: The instances may reside on the same server or on different servers, and their versions may differ.

For more information about how to transfer logins and passwords between instances of other versions of SQL Server, click the following article number to view the article in the Microsoft Knowledge Base:

246133 How to transfer logins and passwords between instances running older versions of SQL Server

More information

In this article, server A and server B are different servers.

After you move a database from an instance of SQL Server on server A to an instance of SQL Server on server B, users may be unable to log in to the database on server B. In addition, users may receive the following error message:
Login failed for user 'MyUser'. (Microsoft SQL Server, Error: 18456)
This problem occurs because the logins and passwords from the SQL Server instance on server A were not transferred to the SQL Server instance on server B. To transfer the logins, use one of the following methods, depending on your situation.

Method 1: Reset the password on the destination SQL Server computer (server B)

To resolve this problem, reset the password on the destination SQL Server computer, and then script out the login.

Note: The password hash algorithm is used when you reset the password.

Method 2: Transfer the logins and passwords to the destination server (server B) by using scripts generated on the source server (server A)

To create a login script that has a blank password, follow these steps:
  1. On server A, start SQL Server Management Studio, and then connect to the instance of SQL Server from which you moved the database.
  2. Open a new Query Editor window, and then run the following script.
    USE master
    GO
    IF OBJECT_ID ('sp_hexadecimal') IS NOT NULL
      DROP PROCEDURE sp_hexadecimal
    GO
    -- Converts a varbinary value into its '0x...' hexadecimal string form.
    -- Used below to emit the password hash and the SID as literals.
    CREATE PROCEDURE sp_hexadecimal
        @binvalue varbinary(256),
        @hexvalue varchar (514) OUTPUT
    AS
    DECLARE @charvalue varchar (514)
    DECLARE @i int
    DECLARE @length int
    DECLARE @hexstring char(16)
    SELECT @charvalue = '0x'
    SELECT @i = 1
    SELECT @length = DATALENGTH (@binvalue)
    SELECT @hexstring = '0123456789ABCDEF'
    WHILE (@i <= @length)
    BEGIN
      DECLARE @tempint int
      DECLARE @firstint int
      DECLARE @secondint int
      SELECT @tempint = CONVERT(int, SUBSTRING(@binvalue,@i,1))
      SELECT @firstint = FLOOR(@tempint/16)
      SELECT @secondint = @tempint - (@firstint*16)
      SELECT @charvalue = @charvalue +
        SUBSTRING(@hexstring, @firstint+1, 1) +
        SUBSTRING(@hexstring, @secondint+1, 1)
      SELECT @i = @i + 1
    END

    SELECT @hexvalue = @charvalue
    GO

    IF OBJECT_ID ('sp_help_revlogin') IS NOT NULL
      DROP PROCEDURE sp_help_revlogin
    GO
    -- Prints a CREATE LOGIN script for every login (or only for @login_name),
    -- preserving each login's SID, hashed password, policy settings and
    -- disabled / denied state. The 'sa' login is never scripted.
    CREATE PROCEDURE sp_help_revlogin @login_name sysname = NULL AS
    DECLARE @name sysname
    DECLARE @type varchar (1)
    DECLARE @hasaccess int
    DECLARE @denylogin int
    DECLARE @is_disabled int
    DECLARE @PWD_varbinary  varbinary (256)
    DECLARE @PWD_string  varchar (514)
    DECLARE @SID_varbinary varbinary (85)
    DECLARE @SID_string varchar (514)
    DECLARE @tmpstr  varchar (1024)
    DECLARE @is_policy_checked varchar (3)
    DECLARE @is_expiration_checked varchar (3)
    DECLARE @defaultdb sysname

    IF (@login_name IS NULL)
      DECLARE login_curs CURSOR FOR
          SELECT p.sid, p.name, p.type, p.is_disabled, p.default_database_name, l.hasaccess, l.denylogin
          FROM sys.server_principals p LEFT JOIN sys.syslogins l
          ON ( l.name = p.name ) WHERE p.type IN ( 'S', 'G', 'U' ) AND p.name <> 'sa'
    ELSE
      DECLARE login_curs CURSOR FOR
          SELECT p.sid, p.name, p.type, p.is_disabled, p.default_database_name, l.hasaccess, l.denylogin
          FROM sys.server_principals p LEFT JOIN sys.syslogins l
          ON ( l.name = p.name ) WHERE p.type IN ( 'S', 'G', 'U' ) AND p.name = @login_name
    OPEN login_curs

    FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @type, @is_disabled, @defaultdb, @hasaccess, @denylogin
    IF (@@fetch_status = -1)
    BEGIN
      PRINT 'No login(s) found.'
      CLOSE login_curs
      DEALLOCATE login_curs
      RETURN -1
    END
    SET @tmpstr = '/* sp_help_revlogin script '
    PRINT @tmpstr
    SET @tmpstr = '** Generated ' + CONVERT (varchar, GETDATE()) + ' on ' + @@SERVERNAME + ' */'
    PRINT @tmpstr
    PRINT ''
    WHILE (@@fetch_status <> -1)
    BEGIN
      IF (@@fetch_status <> -2)
      BEGIN
        PRINT ''
        SET @tmpstr = '-- Login: ' + @name
        PRINT @tmpstr
        IF (@type IN ( 'G', 'U'))
        BEGIN -- NT authenticated account/group
          SET @tmpstr = 'CREATE LOGIN ' + QUOTENAME( @name ) + ' FROM WINDOWS WITH DEFAULT_DATABASE = [' + @defaultdb + ']'
        END
        ELSE BEGIN -- SQL Server authentication
          -- obtain password hash and sid
          SET @PWD_varbinary = CAST( LOGINPROPERTY( @name, 'PasswordHash' ) AS varbinary (256) )
          EXEC sp_hexadecimal @PWD_varbinary, @PWD_string OUT
          EXEC sp_hexadecimal @SID_varbinary, @SID_string OUT

          -- obtain password policy state
          SELECT @is_policy_checked = CASE is_policy_checked WHEN 1 THEN 'ON' WHEN 0 THEN 'OFF' ELSE NULL END FROM sys.sql_logins WHERE name = @name
          SELECT @is_expiration_checked = CASE is_expiration_checked WHEN 1 THEN 'ON' WHEN 0 THEN 'OFF' ELSE NULL END FROM sys.sql_logins WHERE name = @name

          SET @tmpstr = 'CREATE LOGIN ' + QUOTENAME( @name ) + ' WITH PASSWORD = ' + @PWD_string + ' HASHED, SID = ' + @SID_string + ', DEFAULT_DATABASE = [' + @defaultdb + ']'

          IF ( @is_policy_checked IS NOT NULL )
          BEGIN
            SET @tmpstr = @tmpstr + ', CHECK_POLICY = ' + @is_policy_checked
          END
          IF ( @is_expiration_checked IS NOT NULL )
          BEGIN
            SET @tmpstr = @tmpstr + ', CHECK_EXPIRATION = ' + @is_expiration_checked
          END
        END
        IF (@denylogin = 1)
        BEGIN -- login is denied access
          SET @tmpstr = @tmpstr + '; DENY CONNECT SQL TO ' + QUOTENAME( @name )
        END
        ELSE IF (@hasaccess = 0)
        BEGIN -- login exists but does not have access
          SET @tmpstr = @tmpstr + '; REVOKE CONNECT SQL TO ' + QUOTENAME( @name )
        END
        IF (@is_disabled = 1)
        BEGIN -- login is disabled
          SET @tmpstr = @tmpstr + '; ALTER LOGIN ' + QUOTENAME( @name ) + ' DISABLE'
        END
        PRINT @tmpstr
      END

      FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @type, @is_disabled, @defaultdb, @hasaccess, @denylogin
    END
    CLOSE login_curs
    DEALLOCATE login_curs
    RETURN 0
    GO

    exec sp_help_revlogin

    Note that this script creates two stored procedures in the master database. The procedures are named sp_hexadecimal and sp_help_revlogin.
  3. Run the following statement in the same or a new query window:
    EXEC sp_help_revlogin
    The output script that the sp_help_revlogin stored procedure generates is the login script. This login script creates the logins with their original Security Identifier (SID) and original password.
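Before you generate the script on server A, it helps to know which logins the moved database actually depends on and which password hash format each SQL login carries, so that you script exactly those logins and know what to expect on server B. The query below is an added example written for this page; it is not part of the Knowledge Base article or of the sp_help_revlogin script. [MovedDb] is a placeholder for the database that is being moved, and the 0x0100 / 0x0200 prefixes of sys.sql_logins.password_hash are the markers of the SHA-1 and SHA-2 formats that the Remarks section describes.

```sql
-- Added example (not from the KB article): run on server A, in the database
-- that is about to be moved. Lists each database user, the server login it
-- maps to (by SID), the login's hash format, and a ready-to-paste statement
-- that scripts only that login with sp_help_revlogin.
USE [MovedDb];   -- placeholder: the database being moved
GO
SELECT dp.name         AS database_user,
       sp.name         AS server_login,
       sp.type_desc    AS login_type,
       CASE
         -- Windows logins carry no password hash; they are scripted FROM WINDOWS.
         WHEN sp.type <> 'S' THEN 'n/a (Windows login, nothing to hash)'
         -- password_hash reads as NULL without CONTROL SERVER permission.
         WHEN sl.password_hash IS NULL THEN 'unknown (CONTROL SERVER needed to read the hash)'
         -- 0x0100 prefix: SHA-1 format (VERSION_SHA1, SQL Server 2000 - 2008 R2).
         WHEN SUBSTRING(sl.password_hash, 1, 2) = 0x0100 THEN 'VERSION_SHA1 (SHA-1)'
         -- 0x0200 prefix: SHA-2 512 format (VERSION_SHA2, SQL Server 2012+).
         WHEN SUBSTRING(sl.password_hash, 1, 2) = 0x0200 THEN 'VERSION_SHA2 (SHA-2 512)'
         ELSE 'other / unrecognised prefix'
       END             AS hash_format,
       sp.is_disabled  AS login_disabled,
       -- Statement to script just this login; sp_help_revlogin lives in master.
       'EXEC master.dbo.sp_help_revlogin ' + QUOTENAME(sp.name, '''') + ';' AS script_statement
FROM sys.database_principals AS dp
JOIN sys.server_principals   AS sp ON sp.sid = dp.sid          -- user -> login by SID
LEFT JOIN sys.sql_logins     AS sl ON sl.principal_id = sp.principal_id
WHERE dp.type IN ('S', 'U', 'G')   -- SQL user, Windows user, Windows group
  AND dp.principal_id > 4          -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND sp.name <> 'sa'              -- sp_help_revlogin never scripts sa either
ORDER BY dp.name;
GO
```

Users that appear in sys.database_principals but not in this result already have no matching login on server A (for example users created WITHOUT LOGIN); they will not be affected by the transfer and need no script entry.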

Steps on the destination server (server B):

  1. On server B, start SQL Server Management Studio, and then connect to the instance of SQL Server to which you moved the database.

    Important: Before you go to step 2, review the information in the "Remarks" section.
  2. Open a new Query Editor window, and then run the output script that was generated in step 2 of the previous procedure.

Remarks

Before you run the output script on the instance on server B, review the following information:

  • Passwords can be hashed in the following ways:
    • VERSION_SHA1: This hash is generated by using the SHA1 algorithm and is used in SQL Server 2000 through SQL Server 2008 R2.
    • VERSION_SHA2: This hash is generated by using the SHA2 512 algorithm and is used in SQL Server 2012 and later versions.
  • Review the output script carefully. If server A and server B are in different domains, you have to change the output script: replace the original domain name with the new domain name in the CREATE LOGIN statements. The integrated logins that are granted access in the new domain do not have the same SID as the logins in the original domain, so users become orphaned from these logins. For more information about how to resolve these orphaned users, click the following article number to view the article in the Microsoft Knowledge Base:

    240872 How to resolve permission issues when you move a database between servers that are running SQL Server

    If server A and server B are in the same domain, the same SIDs are used, so users are less likely to be orphaned.
  • In the output script, the logins are created by using the hashed password. This is because of the HASHED argument in the CREATE LOGIN statement. This argument specifies that the value supplied after the PASSWORD argument is already hashed.
  • By default, only members of the sysadmin fixed server role can run a SELECT statement against the sys.server_principals view. Unless a member of the sysadmin fixed server role grants the necessary permissions to a user, that user cannot create or run the output script.
  • The steps in this article do not transfer the default database information for a particular login, because the default database may not always exist on server B. To define the default database for a login, use the ALTER LOGIN statement with the login name and the default database as arguments.
  • Sort orders of the source and destination servers:
    • Case-insensitive server A and case-sensitive server B: The sort order of server A may be case-insensitive, and the sort order of server B may be case-sensitive. In this case, users must type their passwords in uppercase letters after you transfer the logins and passwords to the instance on server B.
    • Case-sensitive server A and case-insensitive server B: The sort order of server A may be case-sensitive, and the sort order of server B may be case-insensitive. In this case, users cannot log in by using the logins and passwords that you transfer to the instance on server B unless one of the following conditions is true:
      • The original password contains no letters.
      • All letters in the original password are uppercase letters.
    • Case-sensitive or case-insensitive on both servers: The sort orders of server A and server B may both be case-sensitive, or they may both be case-insensitive. In these cases, users do not experience problems.
  • Logins that already exist on the instance on server B may have the same names as the login names in the output script. In this case, you receive the following error message when you run the output script on the instance on server B:
    Msg 15025, Level 16, State 1, Line 1
    The server principal 'mylogin' already exists.
    Similarly, logins that already exist on the instance on server B may have the same SID as a SID in the output script. In this case, you receive the following error message when you run the output script on the instance on server B:
    Msg 15433, Level 16, State 1, Line 1
    Supplied parameter sid is in use.
    Therefore, you must do the following:
    1. Review the output script carefully.
    2. Check the contents of the sys.server_principals view on the instance on server B.
    3. Address these error messages accordingly.

      In SQL Server 2005, the SID for a login is used to implement database-level access. A login may have different SIDs in different databases on a server. In this case, the login can access only the database whose SID matches the SID in the sys.server_principals view. This problem may occur if the two databases are combined from different servers. To resolve this problem, manually remove the login from the database that has the mismatched SID by using the DROP USER statement, and then add the login again by using the CREATE USER statement.
  • If you try to create a new login in SQL Server 2012 by using a login that was scripted out from a pre-SQL Server 2000 version, you receive the following error message:

    Msg 15021, Level 16, State 2, Line 1
    Invalid value given for parameter PASSWORD. Specify a valid parameter value.

    Note: You receive this error in SQL Server 2012 because a 16-byte password hash is supplied to the CREATE LOGIN and ALTER LOGIN statements.

    To resolve this issue on a server that is running SQL Server 2012, create a login that has a blank password. To do this, run the following script:
    CREATE LOGIN [Test] WITH PASSWORD = '', SID = 0x90FD605DCEFAE14FAB4D5EB0BBA1AECC, DEFAULT_DATABASE = [master], CHECK_POLICY = ON, CHECK_EXPIRATION = OFF
    By creating a login that has a blank password, the user can change the password the next time that the user tries to log in.
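The remarks above about name and SID collisions (Msg 15025 and Msg 15433), about logins from a different domain, and about orphaned users can all be checked in T-SQL on server B, before and after the output script is run. The following is an added example written for this page; it is not part of the Knowledge Base article or of the sp_help_revlogin script. The rows inserted into @script_logins are constructed sample values (the second SID is reused from the article's CREATE LOGIN example), and [MovedDb] is a placeholder for the database that was moved to server B. The repair statements use ALTER USER ... WITH LOGIN, which is available from SQL Server 2005 SP2 onwards and keeps the user's permissions; the DROP USER / CREATE USER approach from the remark above also works but discards the user's role memberships and grants, which then have to be reapplied.

```sql
-- Part 1: run on server B, in master, BEFORE executing the sp_help_revlogin output.
-- Paste the login names and SIDs from the output script into @script_logins.
-- The two rows below are constructed sample data.
USE master;
GO
DECLARE @script_logins TABLE (name sysname NOT NULL, sid varbinary(85) NOT NULL);
INSERT INTO @script_logins (name, sid) VALUES ('MyUser', 0x0102030405060708090A0B0C0D0E0F10); -- constructed SID
INSERT INTO @script_logins (name, sid) VALUES ('Test',   0x90FD605DCEFAE14FAB4D5EB0BBA1AECC); -- SID from the article's sample

-- Report every script entry that would collide with an existing server principal.
-- An empty result means the script can run without Msg 15025 / Msg 15433.
SELECT s.name AS script_login,
       p.name AS existing_login,
       CASE
         WHEN p.name COLLATE DATABASE_DEFAULT = s.name AND p.sid = s.sid
              THEN 'identical login already present: remove this line from the script'
         WHEN p.name COLLATE DATABASE_DEFAULT = s.name
              THEN 'name already exists with a different SID (Msg 15025)'
         ELSE      'SID already in use by another login (Msg 15433)'
       END    AS problem
FROM @script_logins      AS s
JOIN sys.server_principals AS p
  ON p.name COLLATE DATABASE_DEFAULT = s.name
  OR p.sid = s.sid
ORDER BY s.name;
GO

-- Part 2: run on server B, in the moved database, AFTER the output script has run.
-- A database user is orphaned when its SID matches no login in sys.server_principals,
-- which happens when a login was recreated without the SID = clause, or when a
-- Windows login now belongs to a different domain (different SID).
USE [MovedDb];   -- placeholder: the database that was moved to server B
GO
SELECT dp.name         AS orphaned_user,
       dp.type_desc    AS user_type,
       dp.sid          AS user_sid,
       candidate.name  AS login_with_matching_name,
       CASE
         WHEN candidate.name IS NOT NULL
              THEN 'ALTER USER ' + QUOTENAME(dp.name) + ' WITH LOGIN = ' + QUOTENAME(candidate.name) + ';'
         ELSE '-- no login matches ' + QUOTENAME(dp.name) + ': create the login first, then remap'
       END             AS suggested_fix
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS by_sid
       ON by_sid.sid = dp.sid
-- Candidate login: same principal type and same account name, ignoring any
-- DOMAIN\ prefix so that OLDDOMAIN\alice is matched to NEWDOMAIN\alice.
-- For names without a backslash CHARINDEX returns 0 and the whole name is compared.
LEFT JOIN sys.server_principals AS candidate
       ON candidate.type = dp.type
      AND SUBSTRING(candidate.name, CHARINDEX('\', candidate.name) + 1, 128) COLLATE DATABASE_DEFAULT
        = SUBSTRING(dp.name,        CHARINDEX('\', dp.name)        + 1, 128)
WHERE dp.type IN ('S', 'U', 'G')   -- SQL user, Windows user, Windows group
  AND dp.principal_id > 4          -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND by_sid.sid IS NULL           -- no login carries this SID: orphaned
ORDER BY dp.name;
GO
```

Users created WITHOUT LOGIN also show up in Part 2 because they have no server login by design; leave those alone. Review each suggested_fix line before running it, since remapping a user to the wrong login grants that login the user's database permissions.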

Method 3: Use the pre-SQL Server 2000 password

Note: This method applies only when you migrate from SQL Server 2000 to a supported updated version of SQL Server.

In this case, the user must log in to the server that is running SQL Server by using the pre-SQL Server 2000 login.

Note: When a user logs in by using the pre-SQL Server 2000 password, the password hash is automatically updated.

References

For more information about how to resolve orphaned users, see the "Troubleshooting Orphaned Users" topic on the Microsoft Developer Network (MSDN) Web site.

For more information about the CREATE LOGIN statement, see "CREATE LOGIN (Transact-SQL)" on the MSDN Web site.

For more information about the ALTER LOGIN statement, see "ALTER LOGIN (Transact-SQL)" on the MSDN Web site.
 


Origin www.cnblogs.com/gered/p/11511365.html