Author | Mikey Bronowski (@MikeyBronowski), bronowski.it |
Availability | Windows, Linux, macOS |
Want to see the source code for this command? Check out Remove-DbaServerRoleMember on GitHub.
Want to see the Bill Of Health for this command? Check out Remove-DbaServerRoleMember.
Revokes server-level role membership from SQL Server logins and roles.
Revokes membership from server-level roles by removing logins or nested roles from target roles like sysadmin, dbcreator, or custom server roles. This is essential for security management when you need to reduce user privileges or clean up role assignments after organizational changes. The function works with both fixed server roles (sysadmin, securityadmin, etc.) and user-defined server roles, supporting bulk operations across multiple instances.
Remove-DbaServerRoleMember
[[-SqlInstance] <DbaInstanceParameter[]>]
[[-SqlCredential] <PSCredential>]
[[-ServerRole] <String[]>]
[[-Login] <String[]>]
[[-Role] <String[]>]
[[-InputObject] <Object[]>]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
PS C:\> Remove-DbaServerRoleMember -SqlInstance server1 -ServerRole dbcreator -Login login1
Removes login1 from the dbcreator fixed server-level role on the instance server1.
PS C:\> Remove-DbaServerRoleMember -SqlInstance server1, sql2016 -ServerRole customrole -Login login1
Removes login1 from customrole custom server-level role on the instance server1 and sql2016.
PS C:\> Remove-DbaServerRoleMember -SqlInstance server1 -ServerRole customrole -Role dbcreator
Removes customrole custom server-level role from the dbcreator fixed server-level role.
PS C:\> $servers = Get-Content C:\servers.txt
PS C:\> $servers | Remove-DbaServerRoleMember -ServerRole sysadmin -Login login1
Removes login1 from the sysadmin fixed server-level role in every server in C:\servers.txt.
PS C:\> Remove-DbaServerRoleMember -SqlInstance localhost -ServerRole bulkadmin, dbcreator -Login login1
Removes login1 from the bulkadmin and dbcreator fixed server-level roles on the server localhost.
PS C:\> $roles = Get-DbaServerRole -SqlInstance localhost -ServerRole bulkadmin, dbcreator
PS C:\> $roles | Remove-DbaServerRoleMember -Login login1
Removes login1 from the bulkadmin and dbcreator fixed server-level roles on the server localhost.
PS > PS C:\ $logins = Get-Content C:\logins.txt
PS C:\ $srvLogins = Get-DbaLogin -SqlInstance server1 -Login $logins
PS C:\ Remove-DbaServerRoleMember -Login $logins -ServerRole mycustomrole
Removes all the logins found in C:\logins.txt from mycustomrole custom server-level role on server1.
The target SQL Server instance or instances. This can be a collection and receive pipeline input to allow the function to be executed against multiple SQL Server instances.
Alias | |
Required | False |
Pipeline | true (ByValue) |
Default Value |
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
Alias | |
Required | False |
Pipeline | false |
Default Value |
Specifies the server-level role(s) from which to remove members. Accepts both fixed server roles like sysadmin, securityadmin, dbcreator, and custom user-defined server roles.
Use this when you need to revoke specific permissions by removing logins or nested roles from elevated privilege roles.
Alias | |
Required | False |
Pipeline | false |
Default Value |
Specifies the login name(s) to remove from the target server role(s). Accepts SQL Server logins, Windows logins, and Active Directory accounts.
Use this when removing user access after role changes, departures, or security reviews where individual logins need privilege reduction.
Alias | |
Required | False |
Pipeline | false |
Default Value |
Specifies the server role name(s) to remove from the target server role(s), enabling nested role management.
Use this when restructuring role hierarchies or removing inherited permissions where one server role should no longer be a member of another.
Alias | |
Required | False |
Pipeline | false |
Default Value |
Accepts piped server role objects from Get-DbaServerRole, allowing you to chain role discovery with member removal operations.
Use this pattern when you need to filter roles first then remove specific members from the filtered results.
Alias | |
Required | False |
Pipeline | true (ByValue) |
Default Value |
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
Shows what would happen if the command were to run. No actions are actually performed.
Alias | wi |
Required | False |
Pipeline | false |
Default Value |
Prompts you for confirmation before executing any changing operations within the command.
Alias | cf |
Required | False |
Pipeline | false |
Default Value |