
Someone went into a controlled environment and changed the default database schema for a database user.

`ALTER USER [sensitiveuser] WITH DEFAULT_SCHEMA=[sys]`

Looking for an entry in the transaction logs. ApexSQL Log does not appear to scan the tranlogs for this information.

Is ALTER USER a logged statement? We don't have auditing installed yet (coming soon). If it is logged, would I just have to DBCC LOG and read through all of the entries looking for ALTER USER?

Need time stamp of change and user ID of changing party if possible.

Thanks John

John Tamburo
  • What did you find when you looked at `DBCC LOG` before and after running an `ALTER USER` yourself? – Martin Smith Jul 07 '15 at 19:53
  • Hi - I created a tinker database on an identically configured server, added a user and then altered a user. We see this in `DBCC LOG(tinker,1)`: `0000002b:0000007c:0001 LOP_BEGIN_XACT LCX_NULL 0000:000003c3 0 0x0000 64 120 00000000:00000000:0000 0x0002 9098 ALTER USER;0x0105000000000005150000000a6e40007446c20fb13eb5202b410000` – John Tamburo Jul 07 '15 at 20:45

1 Answer

Solved. I created a tinker database on an identically configured server, added a user and then altered a user.

We see this in `DBCC LOG(tinker,1)`:

`0000002b:0000007c:0001 LOP_BEGIN_XACT LCX_NULL 0000:000003c3 0 0x0000 64 120 00000000:00000000:0000 0x0002 9098 ALTER USER;0x0105000000000005150000000a6e40007446c20fb13eb5202b410000`
John Tamburo
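
Added example, not part of the original answer: the value after `ALTER USER;` in the row above has the layout of a binary Windows SID, so decoding it gives an account identifier of the kind the question asks for. The function names are this example's own. It assumes the description starts at the 12th whitespace-separated column, as in that row, and that the SID belongs to the login that began the transaction.

```python
import struct

# Row copied from the DBCC LOG(tinker,1) output quoted in the answer above.
SAMPLE_ROW = (
    "0000002b:0000007c:0001 LOP_BEGIN_XACT LCX_NULL 0000:000003c3 0 0x0000 "
    "64 120 00000000:00000000:0000 0x0002 9098 "
    "ALTER USER;0x0105000000000005150000000a6e40007446c20fb13eb5202b410000"
)


def sid_to_string(raw: bytes) -> str:
    """Convert a binary Windows SID to its S-<rev>-<authority>-<subs> form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{sub_count}I", raw[8:])  # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def parse_begin_xact(row: str) -> dict:
    """Pull LSN, operation, transaction name and SID out of one log row."""
    fields = row.split()
    if len(fields) < 12 or fields[1] != "LOP_BEGIN_XACT":
        raise ValueError("not a LOP_BEGIN_XACT row in the expected layout")
    # Assumption: the description is column 12 onward, "<name>;0x<sid hex>".
    name, sep, sid_hex = " ".join(fields[11:]).rpartition(";0x")
    if not sep:
        raise ValueError("description has no ';0x<sid>' suffix")
    return {
        "lsn": fields[0],
        "operation": fields[1],
        "transaction_name": name,
        "sid": sid_to_string(bytes.fromhex(sid_hex)),
    }


if __name__ == "__main__":
    print(parse_begin_xact(SAMPLE_ROW))
```

The decoded string can be matched against the directory, or the original `0x…` value can be passed to `SUSER_SNAME()` on the server to get the login name.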