dbatoolsCopy-DbaServerRole
View SourceSynopsis
Migrates custom server roles and their permissions between SQL Server instances
Description
Copies user-defined server roles from the source server to one or more destination servers. This is essential when migrating SQL Server instances that use custom server roles for granular permission management, or when standardizing security configurations across multiple environments.
Only custom (user-defined) server roles are copied by default. Fixed server roles like sysadmin, serveradmin, etc. are built into SQL Server and cannot be created or dropped. Use -IncludeFixedRole to also synchronize memberships for fixed roles.
Server role permissions and memberships are migrated along with the role definition. This includes server-level permissions granted to the role (like CONNECT ANY DATABASE, VIEW ANY DATABASE) and login memberships in the role.
By default, existing server roles on the destination are skipped to prevent conflicts. Use -Force to drop and recreate existing roles, which will also reapply all permissions and memberships.
Syntax
Copy-DbaServerRole
[-Source] <DbaInstanceParameter>
[[-SourceSqlCredential] <PSCredential>]
[-Destination] <DbaInstanceParameter[]>
[[-DestinationSqlCredential] <PSCredential>]
[[-ServerRole] <Object[]>]
[[-ExcludeServerRole] <Object[]>]
[-Force]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Examples
Example: 1
PS C:\> Copy-DbaServerRole -Source sqlserver2014a -Destination sqlcluster
Copies all custom server roles from sqlserver2014a to sqlcluster using Windows credentials. If roles with the same name exist on sqlcluster, they will be skipped.
Example: 2
PS C:\> Copy-DbaServerRole -Source sqlserver2014a -SourceSqlCredential $scred -Destination sqlcluster -DestinationSqlCredential $dcred -ServerRole "CustomRole1" -Force
Copies only the custom server role named “CustomRole1” from sqlserver2014a to sqlcluster using SQL credentials. If the role exists on sqlcluster, it will be dropped and recreated because -Force was
used.
Example: 3
PS C:\> Copy-DbaServerRole -Source sqlserver2014a -Destination sqlcluster -ExcludeServerRole "TestRole" -Force
Copies all custom server roles found on sqlserver2014a except “TestRole” to sqlcluster. If roles with the same name exist on sqlcluster, they will be updated because -Force was used.
Example: 4
PS C:\> Copy-DbaServerRole -Source sqlserver2014a -Destination sqlcluster -WhatIf -Force
Shows what would happen if the command were executed using force.
Required Parameters
-Source
Source SQL Server. You must have sysadmin access and server version must be SQL Server version 2012 or higher.
| Property | Value |
|---|---|
| Alias | |
| Required | True |
| Pipeline | false |
| Default Value |
-Destination
Destination SQL Server. You must have sysadmin access and the server must be SQL Server 2012 or higher.
| Property | Value |
|---|---|
| Alias | |
| Required | True |
| Pipeline | false |
| Default Value |
Optional Parameters
-SourceSqlCredential
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
-DestinationSqlCredential
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
-ServerRole
Specifies which server roles to migrate from the source server. Only the specified roles will be copied to the destination.
Use this when you need to migrate specific custom roles rather than all of them, such as when standardizing only certain security roles across environments.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
-ExcludeServerRole
Specifies which server roles to skip during migration. All custom server roles except the excluded ones will be copied.
Use this when you want to migrate most roles but exclude problematic ones, or when certain roles are environment-specific and shouldn’t be copied.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
-Force
Drops and recreates existing custom server roles on the destination server, reapplying all permissions and memberships from the source.
Use this when you need to update server role permissions that have changed on the source, or when synchronizing role definitions across environments.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
-WhatIf
If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
| Property | Value |
|---|---|
| Alias | wi |
| Required | False |
| Pipeline | false |
| Default Value |
-Confirm
If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
| Property | Value |
|---|---|
| Alias | cf |
| Required | False |
| Pipeline | false |
| Default Value |