A user account retains database role assignments after you remove the user account from the "Accounts with Access to the Search Services" box on the Manage Shared Services page in SharePoint Portal Server 2003 (827854)

SYMPTOMS

In your server farm deployment of Microsoft Office SharePoint Portal Server 2003 that is configured to use shared services, you may find that when you remove a user account from the Accounts with access to the Search Services box in the Direct Access to Search Service area of the Manage Shared Services page, that user account retains the following Microsoft SQL Server 2000 database role assignments:

The public role and the db_owner role on the profile database (SiteName_PROF) and the component settings database (SiteName_SERV) of the parent portal site.
The public role on the configuration database of the parent portal site.

CAUSE

When you add the name of one or more user accounts to the Accounts with access to the Search Services box in the Direct Access to Search Service area of the Manage Shared Services page, the user account or user accounts that you specified are assigned the following rights and database roles:

Query rights to the index management servers and search servers on your server farm.
The public role and the db_owner role on the profile database (SiteName_PROF) and the component settings database (SiteName_SERV) of the parent portal site.
The public role on the configuration database of the parent portal site.

With these rights, the user account on the child server farm can access search and indexing resources on the parent server farm. When you remove a user account from the list of user accounts in the Accounts with access to the Search Services box, query rights to the index management servers and the search servers on your server farm are removed from the user account. However, SQL Server database role assignments are retained.

WORKAROUND

To work around this behavior, use SQL Server Enterprise Manager to manually remove access to the profile database (SiteName_PROF), the component settings database (SiteName_SERV), and the configuration database of the parent portal site for the user account that you removed from the Accounts with access to the Search Services box of the Manage Shared Services page. To do so, follow these steps:

On the server that is running SQL Server, start SQL Server Enterprise Manager.
Expand Microsoft SQL Servers, expand SQL Server Group, expand (local) (Windows NT), and then expand Security.
Click Logins.
In the right pane, right-click the name of the user account, and then click Properties.
Click the Database Access tab.
Remove access to the profile database (SiteName_PROF), the component settings database (SiteName_SERV), and the configuration database of the portal site that provides shared services. To do so, follow these steps for each database:
1. Under Specify which databases can be accessed by this login, click the name of the database that you want to remove access for.
2. Click to clear the Permit check box next to the name of the database, and then click OK.
In the right pane, right-click the name of the user account, and then click Delete.
Click Yes when you are prompted to confirm that you want to remove the login.
Quit SQL Server Enterprise Manager.

MORE INFORMATION

For more information about how to configure shared services in a server farm deployment of SharePoint Portal Server, see the "Shared Services Deployments" topic in the "Deployment Scenarios" section of the Microsoft Office SharePoint Portal Server 2003 Administration Guide. The Microsoft Office SharePoint Portal Server 2003 Administration Guide (Administrator's Help.chm) is located in the Docs folder in the root of the SharePoint Portal Server 2003 CD.

For more information about SharePoint Portal Server, visit the following Microsoft Web site:

http://www.microsoft.com/office/sharepoint/prodinfo/default.mspx