Using sp_change_users_login to fix SQL Server orphaned users

I’m going to be looking at sp_change_users_login as a continuation to a previous post where I looked at a couple of ways to transfer logins from one SQL Server to another and touched upon the issue of the orphaned “security identifier” (SID).

A typical scenario that arises is when the DBA quickly realises that the logins on the SQL Server cannot access the database. They try and add the login to the database as a user and are presented with the error:

Error 15023: User already exists in current database.

sp_change_users_login to the rescue!

I first saw this error a number of years ago and due to my complete lack of experience at the time, one of my first thoughts was that I would have to remove the database users, re-add them all for each login requiring access and then proceed to add the permissions back in for user.

I quickly realised that this would be a massive waste of my time and that there had to a better way and so I proceeded to consult the search engines for a resolution. Unsurprisingly I quickly found many other people who had been in the same situation as me and that sp_change_users_login had been the cure to all their woes.

And here I am writing a post about it 🙂 Well I never would have imagined that but it was a long time ago and only clever people could put a website together back in those days when blogging platforms were a twinkle in some programmers eye.

How to use sp_change_users_login to fix SQL Server orphaned users

Firstly, there may be a number of orphaned users, so the best thing to do is run this inside each database you are checking:

USE DatabaseName
EXEC sp_change_users_login 'Report';

You will see output like the screenshot attached if there are any orphaned users. In this example, user “db_login1” is showing up as an orphaned user.

sp_change_users_login report

If you already have a login which you want to map your database user to, you could run the following (note that the first instance of ‘db_login1’ is the user in the database, the second instance is the login to be mapped to) :

EXEC sp_change_users_login 'update_one', 'db_login1', 'db_login1';

If you don’t already have a login to map to, you can have sp_change_users_login create one for you and with a password. The following code does this and creates a login with the same name and a password of ‘aaZZww77’ as an example.

EXEC sp_change_users_login 'Auto_Fix', 'db_login1', NULL, 'aaZZww77';

sp_change_users_login auto_fix

For more info on this process, click this sp_change_users_login link to view the documentation from Microsoft.

It's only fair to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInPin on PinterestBuffer this pageShare on RedditShare on StumbleUpon
About Andy Hayes

Andy Hayes is a DBA working with SQL Server since version 7.0. He has a wonderful wife and two beautiful children. He loves database technology, playing cricket, and blogging. He is passionate about sharing his experiences as a DBA and learning more to further his understanding and knowledge. You can follow me on Twitter, check out my Facebook page or follow me on


  1. Thanks, for this tip. (Out of ignorance) I have always gone for the solution of deleting/remapping the user. Which is fine if they just have simple permissions. How I miss the days of when I could just ask “someone” to sort out my database woes!

    • Hi Colin

      I hope you are well and thanks for the comment.

      I’m glad you found this post useful 🙂

      All the best


  2. Thanks!

  3. Thanks so much for this 🙂

  4. Shane Garven says:

    Thanks Andy. This has saved me today after some migrations by our DBA team from SQL 2005 to SQL 2008.
    Out of interest, what level of permissions are required to ensure the login is created, if it doesn’t exist in SQL?

    This worked for me. Although our cluster is locked down (as you would expect) and I was surprised it allowed me to create the login. Because I don’t think I could create it in the GUI-fashion. Server->Security->Logins->Right-Click->New Login.

    Thanks again.

    • Andy Hayes says:

      Hi Shane

      You need CREATE LOGIN permission to create logins in SQL Server. When you say that your cluster was locked down but you were able to create a login then the login which you authenticated to SQL Server with had/has CREATE LOGIN permission enabled.

      Thanks for your comment.

  5. Thanks for a great article!

    Want to scan your databases for orphaned users?

    Try this:
    EXEC sp_MSforeachdb ‘USE ? EXEC sp_change_users_login ”report”’

  6. Taranjit Singh says:

    We can fix all the orphan users in the database by running through a small loop

    –Authored by Taranjit Singh
    –fix all orphan users

    –Get info of all orphan users into a temporary table
    –I am using update_one assuming login exist for all orphan users
    declare @userid varchar(255)
    Create Table #orphans
    ( UserName varchar(100),
    USID nvarchar(255)
    insert into #orphans EXEC sp_change_users_login ‘report’

    –loop through all orphan users and fix those
    SELECT UserName
    FROM #orphans

    OPEN fixusers

    FETCH NEXT FROM fixusers
    INTO @userid

    EXEC sp_change_users_login ‘update_one’,@userid,@userid
    FETCH NEXT FROM fixusers
    INTO @userid

    CLOSE fixusers
    DEALLOCATE fixusers

    DROP TABLE #orphans

  7. Thank you for the tip, Andy! it just exact what I have encountered in my project of migrating SQL 2000 server to SQL 2012!

  8. Lakshmi says:

    Hi ANdy,
    I have a question for you. I am migrating databases from 2008 to 2012. I generated the create script for all logins using the sp_help_rev_login code provided by Microsoft.Si I want to know if my thought process is ok.
    First run to see if there are any orphaned users.
    EXEC sp_MSforeachdb ‘USE ? EXEC sp_change_users_login ”report”’
    -I am expecting a 100% that there will be due to new SID creation.
    1. If all the users be orphaned?
    if yes then I should run this SP_change_user_login for each login right? to make sure the logins are mapped to the users.

    Another question is I have multiple logins and running this for each will be tedious.
    Is the cursor code provided by taranjit the best way to go.
    PLease let me know your thought on this.

  9. YOU ARE AWESOME !! your page’s link must be the first link showed by google.
    Thank you !

Speak Your Mind