functions/Copy-SqlServerRole.ps1
Function Copy-SqlServerRole { <# .SYNOPSIS Copy-SqlServerRole migrates server roles from one SQL Server to another. .DESCRIPTION By default, all roles are copied. The -Roles parameter is autopopulated for command-line completion and can be used to copy only specific roles. If the role already exists on the destination, it will be skipped unless -Force is used. .PARAMETER Source Source SQL Server.You must have sysadmin access and server version must be SQL Server version 2000 or greater. .PARAMETER Destination Destination Sql Server. You must have sysadmin access and server version must be SQL Server version 2000 or greater. .PARAMETER SourceSqlCredential Allows you to login to servers using SQL Logins as opposed to Windows Auth/Integrated/Trusted. To use: $scred = Get-Credential, then pass $scred object to the -SourceSqlCredential parameter. Windows Authentication will be used if DestinationSqlCredential is not specified. SQL Server does not accept Windows credentials being passed as credentials. To connect as a different Windows user, run PowerShell as that user. .PARAMETER DestinationSqlCredential Allows you to login to servers using SQL Logins as opposed to Windows Auth/Integrated/Trusted. To use: $dcred = Get-Credential, then pass this $dcred to the -DestinationSqlCredential parameter. Windows Authentication will be used if DestinationSqlCredential is not specified. SQL Server does not accept Windows credentials being passed as credentials. To connect as a different Windows user, run PowerShell as that user. .PARAMETER WhatIf Shows what would happen if the command were to run. No actions are actually performed. .PARAMETER Confirm Prompts you for confirmation before executing any changing operations within the command. .PARAMETER Force Drops and recreates the Role if it exists .NOTES Author: Chrissy LeMaire (@cl), netnerds.net Requires: sysadmin access on SQL Servers dbatools PowerShell module (https://dbatools.io, clemaire@gmail.com) Copyright (C) 2016 Chrissy LeMaire This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. .LINK https://dbatools.io/Copy-SqlServerRole .EXAMPLE Copy-SqlServerRole -Source sqlserver2014a -Destination sqlcluster Copies all server roles from sqlserver2014a to sqlcluster, using Windows credentials. If roles with the same name exist on sqlcluster, they will be skipped. .EXAMPLE Copy-SqlServerRole -Source sqlserver2014a -Destination sqlcluster -Role tg_noDbDrop -SourceSqlCredential $cred -Force Copies a single role, the tg_noDbDrop role from sqlserver2014a to sqlcluster, using SQL credentials for sqlserver2014a and Windows credentials for sqlcluster. If a role with the same name exists on sqlcluster, it will be dropped and recreated because -Force was used. .EXAMPLE Copy-SqlServerRole -Source sqlserver2014a -Destination sqlcluster -WhatIf -Force Shows what would happen if the command were executed using force. #> [CmdletBinding(DefaultParameterSetName = "Default", SupportsShouldProcess = $true)] param ( [parameter(Mandatory = $true)] [object]$Source, [parameter(Mandatory = $true)] [object]$Destination, [System.Management.Automation.PSCredential]$SourceSqlCredential, [System.Management.Automation.PSCredential]$DestinationSqlCredential, [switch]$Force ) DynamicParam { if ($source) { return (Get-ParamSqlServerRoles -SqlServer $Source -SqlCredential $SourceSqlCredential) } } BEGIN { $roles = $psboundparameters.Roles $sourceserver = Connect-SqlServer -SqlServer $Source -SqlCredential $SourceSqlCredential $destserver = Connect-SqlServer -SqlServer $Destination -SqlCredential $DestinationSqlCredential $source = $sourceserver.DomainInstanceName $destination = $destserver.DomainInstanceName $serverroles = $sourceserver.Roles $destroles = $destserver.Roles } PROCESS { throw "This function is not quite ready yet." foreach ($role in $serverroles) { $rolename = $role.name if ($roles.length -gt 0 -and $roles -notcontains $rolename) { continue } if ($destroles.name -contains $rolename) { if ($role.IsFixedRole -eq $true -or $rolename -eq "public") { continue } if ($force -eq $false) { Write-Warning "Server role $rolename exists at destination. Use -Force to drop and migrate." continue } else { If ($Pscmdlet.ShouldProcess($destination, "Dropping server role $rolename")) { try { Write-Verbose "Dropping server role $rolename" $destserver.roles[$rolename].Drop() } catch { Write-Exception $_ } } } } If ($Pscmdlet.ShouldProcess($destination, "Creating server role $rolename")) { try { Write-Output "Copying server role $rolename" $destserver.ConnectionContext.ExecuteNonQuery($role.Script()) | Out-Null $destserver.Refresh() $destserver.roles.Refresh() $newrole = $destserver.roles[$rolename] try { $rolemembers = $role.EnumMemberNames() } catch { $rolemembers = $role.EnumServerRoleMembers() } foreach ($rolename in $rolemembers) { if ($destserver.logins[$rolename] -ne $null) { $newrole.AddMember($rolename) } } if ($sourceserver.versionMajor -ge 9 -and $destserver.versionMajor -ge 9) { # These operations are only supported by SQL Server 2005 and above. # Securables: Connect SQL, View any database, Administer Bulk Operations, etc. $perms = $sourceserver.EnumServerPermissions($($rolename)) foreach ($perm in $perms) { <# SO HARD. I must be overthinking this. Here's some equivs for database level. It's hard to find $permissionset1 = New-Object Microsoft.SqlServer.Management.Smo.ObjectPermissionSet([Microsoft.SqlServer.Management.Smo.ObjectPermission]::Select) $permissionset1.Add([Microsoft.SqlServer.Management.Smo.ObjectPermission]::Select) $hrschema = $database.Schemas["HumanResources"] $hrschema.Grant($permissionset1, $dbrole.Name) $permissionType = $perm.PermissionType $permissionState = $perm.PermissionState if ($perm.PermissionState -eq "Grant") { $permstate = 0 } else { $permstate = 1 } $permissionSet = New-Object Microsoft.SqlServer.Management.Smo.ObjectPermissionSet([Microsoft.SqlServer.Management.Smo.ObjectPermission]::$permissionType) #identify permission $permissionSet = New-Object Microsoft.SqlServer.Management.Smo.ObjectPermissionSet([Microsoft.SqlServer.Management.Smo.ObjectPermission]::Connect) if (PermissionState) $role.Grant($permissionSet, $rolename, 1) #grant permission $endpoint.Grant($permissionSet, $endpointAccount) PermissionType : ALTER Grantee : Endpoint-Admins GranteeType : ServerRole Grantor : BASE\ctrlb GrantorType : Login PermissionState : Grant ColumnName : ObjectClass : Endpoint ObjectName : endpoint_mirroring ObjectSchema : ObjectID : 65536 #> $permstate = $perm.permissionstate if ($permstate -eq "GrantWithGrant") { $grantwithgrant = $true; $permstate = "grant" } else { $grantwithgrant = $false } $permset = New-Object Microsoft.SqlServer.Management.Smo.ObjectPermissionSet($perm.permissiontype) If ($Pscmdlet.ShouldProcess($destination, "Performing $permstate on $($perm.permissiontype) for $rolename")) { try { $destserver.PSObject.Methods[$permstate].Invoke($permset, $rolename, $grantwithgrant) Write-Output "Successfully performed $permstate $($perm.permissiontype) to $rolename" } catch { Write-Warning "Failed to $permstate $($perm.permissiontype) to $rolename" Write-Exception $_ } } # for Syncs $destperms = $destserver.EnumServerPermissions($rolename) foreach ($perm in $destperms) { $permstate = $perm.permissionstate $sourceperm = $perms | Where-Object { $_.PermissionType -eq $perm.Permissiontype -and $_.PermissionState -eq $permstate } if ($sourceperm -eq $null) { If ($Pscmdlet.ShouldProcess($destination, "Performing Revoke on $($perm.permissiontype) for $rolename")) { try { $permset = New-Object Microsoft.SqlServer.Management.Smo.ObjectPermissionSet($perm.permissiontype) if ($permstate -eq "GrantWithGrant") { $grantwithgrant = $true; $permstate = "grant" } else { $grantwithgrant = $false } $destserver.PSObject.Methods["Revoke"].Invoke($permset, $rolename, $false, $grantwithgrant) Write-Output "Successfully revoked $($perm.permissiontype) from $rolename" } catch { Write-Warning "Failed to revoke $($perm.permissiontype) from $rolename" Write-Exception $_ } } } } } } } catch { Write-Exception $_ } } } } END { $sourceserver.ConnectionContext.Disconnect() $destserver.ConnectionContext.Disconnect() If ($Pscmdlet.ShouldProcess("console", "Showing finished message")) { Write-Output "Server role migration finished" } } } |