commands

^

Get-DbaServerRole

Author Shawn Melton (@wsmelton)
Availability Windows, Linux, macOS

 

Want to see the source code for this command? Check out Get-DbaServerRole on GitHub.
Want to see the Bill Of Health for this command? Check out Get-DbaServerRole.

Synopsis

Retrieves server-level security roles and their members from SQL Server instances.

Description

Retrieves all server-level security roles from SQL Server instances, including role members, creation dates, and ownership details. This function helps DBAs audit server-level permissions, identify role membership for compliance reporting, and distinguish between built-in fixed roles (like sysadmin, serveradmin) and custom user-defined roles. Supports filtering to specific roles or excluding fixed roles to focus on custom security configurations.

Syntax

Get-DbaServerRole
    [-SqlInstance] <DbaInstanceParameter[]>
    [[-SqlCredential] <PSCredential>]
    [[-ServerRole] <String[]>]
    [[-ExcludeServerRole] <String[]>]
    [-ExcludeFixedRole]
    [-EnableException]
    [<CommonParameters>]

 

Examples

 

Example: 1
PS C:\> Get-DbaServerRole -SqlInstance sql2016a

Outputs list of server-level roles for sql2016a instance.

Example: 2
PS C:\> Get-DbaServerRole -SqlInstance sql2017a -ExcludeFixedRole

Outputs the server-level role(s) that are not fixed roles on sql2017a instance.

Required Parameters

-SqlInstance

The target SQL Server instance or instances. Server version must be SQL Server version 2005 or higher.

Alias
Required True
Pipeline true (ByValue)
Default Value

Optional Parameters

-SqlCredential

Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.

Alias
Required False
Pipeline false
Default Value
-ServerRole

Specifies one or more server-level roles to include in the results. Accepts role names like 'sysadmin', 'dbcreator', or custom role names.
Use this when you need to audit specific roles rather than retrieving all server roles from the instance.

Alias
Required False
Pipeline false
Default Value
-ExcludeServerRole

Specifies one or more server-level roles to exclude from the results. Useful for filtering out roles you don't need to audit.
Commonly used to exclude built-in roles like 'public' when focusing on administrative roles with elevated permissions.

Alias
Required False
Pipeline false
Default Value
-ExcludeFixedRole

Excludes built-in fixed server roles from the results, showing only custom user-defined server roles.
Use this when auditing custom security configurations or identifying roles created by your organization rather than SQL Server's default roles.

Alias
Required False
Pipeline false
Default Value False
-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.

Alias
Required False
Pipeline false
Default Value False