The following query well known query will list all logins with SYSADMIN access to a sql Server:
SELECT p.name 'LoginName', p.type_desc FROM sys.server_principals p JOIN sys.syslogins s ON p.sid = s.sid WHERE p.type_desc IN ('SQL_LOGIN', 'WINDOWS_LOGIN', 'WINDOWS_GROUP') -- Logins that are not process logins AND p.name NOT LIKE '##%' -- exclude disabled and p.is_disabled = 0 -- Logins that are sysadmins AND s.sysadmin = 1 ORDER BY Type
The problem is that the query may return Windows Groups, and we might want to know membership to those groups.
Which is why we rather run the following query instaead:
/* DESCRIPTION: List users with SYSADMIN access If a Windows group has sysadmin access it will list its members Lists only enabled users at SQL level cannot check if valid AD account CONFIGURATION: None Compatibility list: MSSQL2005 MSSQL2008 MSSQL2008R2 MSSQL2012 DOES NOT WORK */ DECLARE @logininfo table ( [LoginName] sysname , [type] char(8), [priv] char(9), [mpln] sysname , [GroupMembership] sysname ) DECLARE @GroupName sysname DECLARE cur CURSOR FOR SELECT p.name FROM sys.server_principals p JOIN sys.syslogins s ON p.sid = s.sid WHERE p.type_desc IN ('WINDOWS_GROUP') -- exclude disabled and p.is_disabled = 0 -- Logins that are sysadmins AND s.sysadmin = 1 OPEN cur FETCH NEXT FROM cur INTO @GroupName WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO @logininfo EXEC master..xp_logininfo @acctname = @GroupName, @option = 'members' FETCH NEXT FROM cur INTO @GroupName END CLOSE cur DEALLOCATE cur SELECT LoginName, 'WINDOWS_GROUP' 'Type_Desc', GroupMembership 'GroupMembership' FROM @logininfo UNION ALL SELECT p.name 'LoginName', p.type_desc, '' 'GroupMembership' FROM sys.server_principals p JOIN sys.syslogins s ON p.sid = s.sid WHERE p.type_desc IN ('SQL_LOGIN', 'WINDOWS_LOGIN') -- Logins that are not process logins AND p.name NOT LIKE '##%' -- exclude disabled and p.is_disabled = 0 -- Logins that are sysadmins AND s.sysadmin = 1 ORDER BY GroupMembership, Type_Desc