Author | Frank Henninger (@osiris687) , Andreas Jordan (@JordanOrdix), ordix.de |
Availability | Windows, Linux, macOS |
Want to see the source code for this command? Check out New-DbaDbUser on GitHub.
Want to see the Bill Of Health for this command? Check out New-DbaDbUser.
Creates database users with support for SQL logins, contained users, and Azure AD authentication.
Creates database users across one or more databases, supporting multiple authentication types including traditional SQL login mapping, contained users with passwords, and Azure Active Directory external provider authentication. This command handles the common DBA task of provisioning database access without requiring manual T-SQL scripts for each database. You can create users mapped to existing SQL logins, standalone contained users for partially contained databases, or Azure AD users for cloud environments. The function automatically validates that specified logins and schemas exist before attempting user creation.
New-DbaDbUser
[-SqlInstance] <DbaInstanceParameter[]>
[-SqlCredential <PSCredential>]
[-Database <String[]>]
[-ExcludeDatabase <String[]>]
[-IncludeSystem]
-User <String>
-ExternalProvider
[-DefaultSchema <String>]
[-Force]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
New-DbaDbUser
[-SqlInstance] <DbaInstanceParameter[]>
[-SqlCredential <PSCredential>]
[-Database <String[]>]
[-ExcludeDatabase <String[]>]
[-IncludeSystem]
-User <String>
-SecurePassword <SecureString>
[-DefaultSchema <String>]
[-Force]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
New-DbaDbUser
[-SqlInstance] <DbaInstanceParameter[]>
[-SqlCredential <PSCredential>]
[-Database <String[]>]
[-ExcludeDatabase <String[]>]
[-IncludeSystem]
-User <String>
[-DefaultSchema <String>]
[-Force]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
New-DbaDbUser
[-SqlInstance] <DbaInstanceParameter[]>
[-SqlCredential <PSCredential>]
[-Database <String[]>]
[-ExcludeDatabase <String[]>]
[-IncludeSystem]
[-User <String>]
-Login <String>
[-DefaultSchema <String>]
[-Force]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
PS C:\> New-DbaDbUser -SqlInstance sqlserver2014 -Database DB1 -Login user1
Creates a new sql user named user1 for the login user1 in the database DB1.
PS C:\> New-DbaDbUser -SqlInstance sqlserver2014 -Database DB1 -User user1
Creates a new sql user named user1 without login in the database DB1.
PS C:\> New-DbaDbUser -SqlInstance sqlserver2014 -Database DB1 -User user1 -Login login1
Creates a new sql user named user1 for the login login1 in the database DB1.
PS C:\> New-DbaDbUser -SqlInstance sqlserver2014 -Database DB1 -User user1 -Login Login1 -DefaultSchema schema1
Creates a new sql user named user1 for the login login1 in the database DB1 and specifies the default schema to be schema1.
PS C:\> New-DbaDbUser -SqlInstance sqlserver2014 -Database DB1 -User "claudio@********.onmicrosoft.com" -ExternalProvider
Creates a new sql user named 'claudio@********.onmicrosoft.com' mapped to Azure Active Directory (AAD) in the database DB1.
PS C:\> New-DbaDbUser -SqlInstance sqlserver2014 -Database DB1 -Username user1 -Password (ConvertTo-SecureString -String "DBATools" -AsPlainText -Force)
Creates a new contained sql user named user1 in the database DB1 with the password specified.
The target SQL Server instance or instances.
Alias | |
Required | True |
Pipeline | false |
Default Value |
Sets the name of the database user to be created. Required for contained users, external provider users, and users without logins.
If not specified when using -Login, the user name will match the login name.
Alias | Username |
Required | True |
Pipeline | false |
Default Value |
Maps the database user to an existing SQL Server login for authentication.
The login must already exist on the instance before creating the user.
Alias | |
Required | True |
Pipeline | false |
Default Value |
If we need to pass a password to the command, we always use the type securestring and name the parameter SecurePassword. Here we only use the alias for backwords compatibility.
Alias | Password |
Required | True |
Pipeline | false |
Default Value |
Creates a user for Azure Active Directory authentication in Azure SQL databases or SQL Server with AAD integration.
The User parameter should contain the full AAD principal name ([email protected] or groupname).
Alias | |
Required | True |
Pipeline | false |
Default Value | False |
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
Alias | |
Required | False |
Pipeline | false |
Default Value |
Specifies which databases to create the user in. Accepts multiple database names separated by commas.
If not specified, the user will be created in all user databases on the instance.
Alias | |
Required | False |
Pipeline | false |
Default Value |
Excludes specific databases from user creation when processing all databases on an instance.
Use this to skip databases where you don't want the user created, such as read-only or archived databases.
Alias | |
Required | False |
Pipeline | false |
Default Value |
Creates the user in system databases (master, model, msdb, tempdb) in addition to user databases.
Typically used when creating maintenance or administrative users that need access to system databases.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
Sets the default schema that will be used when the user creates objects without specifying a schema.
Defaults to 'dbo' if not specified. The schema must already exist in the target database.
Alias | |
Required | False |
Pipeline | false |
Default Value | dbo |
Drops and recreates the user if it already exists in the database.
Use this when you need to reset a user's properties or when automation scripts need to ensure a clean user state.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
Alias | wi |
Required | False |
Pipeline | false |
Default Value |
If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
Alias | cf |
Required | False |
Pipeline | false |
Default Value |