Unable to disable login mapped to Windows AD group while logged in as 'sa'

Anonymous
2022-05-12T14:15:09.37+00:00

Hello,

I'm getting the following error while trying to disable a login mapped to a global group in Active Directory:

Cannot alter the login '<domain>\<username>', because it does not exist or you do not have permission. (Microsoft SQL Server, Error: 15151)

I have sufficient permissions (I am logged in as 'sa'), and this only occurs with Windows AD groups. Also, I am able to delete these logins; I just cannot disable them.

Is this a bug, or is there any other way to fix this? Right now I'm having to strip all permissions/roles granted to this login.

Also, this is running on an ancient version of SQL Server (2008 SP3 10.0.5538.0) that we must keep around for legal purposes.

Any help is much appreciated -- thanks!


Accepted answer
  1. YufeiShao-msft 7,056 Reputation points
    2022-05-13T06:46:52.08+00:00

    Hi @Anonymous ,

    From the article ALTER LOGIN:

    You cannot use ALTER LOGIN with the DISABLE argument to deny access to a Windows group. For example, ALTER LOGIN [domain\group] DISABLE will return the following error message:

    "Msg 15151, Level 16, State 1, Line 1. Cannot alter the login 'Domain\Group', because it does not exist or you do not have permission."

    So what was your operation at that time? Did it produce the same error?




4 additional answers

  1. Tom Phillips 17,716 Reputation points
    2022-05-12T18:58:01.54+00:00

    How exactly are you getting that error? Are you running a TSQL command in SSMS, using the GUI in SSMS, running SQLCMD?

    That error is almost certainly because the login you entered does not exist. Do not confuse "logins" with "database users". They are different and can have different names.


  2. Anonymous
    2022-05-12T20:05:11.97+00:00

    It doesn't work via the GUI or TSQL. It's a login, not a user.


  3. Erland Sommarskog 100.9K Reputation points MVP
    2022-05-12T20:23:49.32+00:00

    You need to create the login before you can disable it:

    -- A Windows login must be created FROM WINDOWS; without it SQL Server
    -- expects a SQL login WITH PASSWORD and the statement fails.
    CREATE LOGIN [Domain\KeepThisUserOut] FROM WINDOWS;
    ALTER LOGIN [Domain\KeepThisUserOut] DISABLE;
    

    However, I suspect that you will find that this user can still connect, since apparently the user is a member of an AD group which has access.

    If the aim really is to keep this user out, you can add this:

    -- DENY (rather than REVOKE) is needed here: REVOKE only removes a direct
    -- GRANT, while DENY overrides the CONNECT the user inherits via the group.
    DENY CONNECT SQL TO [Domain\KeepThisUserOut];
    
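The two situations in this thread (a Windows group that cannot be DISABLEd, and an individual login that needs an explicit DENY) can be handled by one script that checks the principal type first. This is an added example, not code from the thread or from Microsoft; it goes beyond Erland's answer by applying DENY CONNECT SQL to the group principal itself, and the @principal value is a placeholder.

```sql
-- Added example: block a server principal, branching on its type, because
-- ALTER LOGIN ... DISABLE is rejected (Msg 15151) for Windows groups (type 'G').
-- @principal is an assumed placeholder; replace with the real DOMAIN\name.
DECLARE @principal sysname = N'DOMAIN\SomeGroupOrUser';
DECLARE @type char(1), @sql nvarchar(max);

SELECT @type = type
FROM sys.server_principals
WHERE name = @principal;

IF @type IS NULL
BEGIN
    -- The case Tom Phillips describes: there is no such login at all, so
    -- either create it (CREATE LOGIN ... FROM WINDOWS) or fix the name first.
    RAISERROR(N'No server principal named %s exists.', 16, 1, @principal);
    RETURN;
END;

IF @type = 'G'
BEGIN
    -- Windows group: DISABLE is unsupported, so deny the server-level
    -- CONNECT SQL permission instead. Note this blocks every member of the
    -- group; a DENY always wins over a GRANT from any other membership.
    SET @sql = N'DENY CONNECT SQL TO ' + QUOTENAME(@principal) + N';';
END
ELSE
BEGIN
    -- Windows user ('U') or SQL login ('S'): DISABLE works normally.
    SET @sql = N'ALTER LOGIN ' + QUOTENAME(@principal) + N' DISABLE;';
END;

PRINT @sql;
EXEC sys.sp_executesql @sql;

-- Verify the result: is_disabled = 1 for a disabled login, or a DENY row
-- in sys.server_permissions for a group that was denied CONNECT SQL.
SELECT sp.name, sp.type_desc, sp.is_disabled,
       perm.state_desc, perm.permission_name
FROM sys.server_principals AS sp
LEFT JOIN sys.server_permissions AS perm
       ON perm.grantee_principal_id = sp.principal_id
      AND perm.permission_name = N'CONNECT SQL'
WHERE sp.name = @principal;
```

Run it as a sysadmin on the affected instance; the final SELECT is the check that the intended block actually took effect before you rely on it.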

  4. Anonymous
    2022-05-12T20:46:00.11+00:00

    No need to create it. The login already existed.