1.设置当前Windows用户角色
sql
-- 1. 在 msdb 中为登录名创建用户(如果尚未存在)
USE msdb;
CREATE USER [登录用户] FOR LOGIN [登录用户];
-- 2. 加入只读角色(关键!)
ALTER ROLE SQLAgentReaderRole ADD MEMBER [登录用户];
USE msdb;
CREATE USER [SKYL\winning] FOR LOGIN [登录用户];
GRANT SELECT ON dbo.sysjobs TO [登录用户];
-- 如果还需作业步骤、历史等,继续授权:
GRANT SELECT ON dbo.sysjobsteps TO [登录用户];
GRANT SELECT ON dbo.sysjobhistory TO [登录用户];2.创建备份脚本
命名为:monthly_backup_config_audit.ps1
修改实例名
vbscript
# 启用严格模式和错误停止
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
try {
Write-Host "开始月度备份任务..." -ForegroundColor Green
# --- 原有逻辑放在这里 ---
$DateStr = Get-Date -Format "yyyy-MM"
$BackupRoot = "C:\DB_Backups\Monthly_Audit_Config\$DateStr"
$SqlServerInstance = "localhost" # ← 请根据实际修改,可以用ip,端口!
# 创建目录
$null = New-Item -ItemType Directory -Path $BackupRoot -Force
# 导入模块(关键!)
Import-Module SqlServer -ErrorAction Stop
# 1. 导出配置数据(T-SQL 查询结果保存为 CSV)
$ConfigQueries = @{
"Logins.csv" = "SELECT name, type_desc, create_date, is_disabled FROM sys.server_principals WHERE type IN ('S','U','G')"
"ServerRoles.csv" = "SELECT sp.name AS login, sr.name AS role FROM sys.server_role_members rm JOIN sys.server_principals sp ON rm.member_principal_id = sp.principal_id JOIN sys.server_principals sr ON rm.role_principal_id = sr.principal_id"
"LinkedServers.csv" = "SELECT name, product, provider, data_source FROM sys.servers WHERE is_linked = 1"
"Jobs.csv" = "SELECT name, enabled, date_created FROM msdb.dbo.sysjobs"
"ConfigSettings.csv" = "SELECT name, value,value_in_use, minimum, maximum, description FROM sys.configurations ORDER BY name;"
}
foreach ($file in $ConfigQueries.Keys) {
$query = $ConfigQueries[$file]
$outputPath = Join-Path $BackupRoot $file
Invoke-Sqlcmd -ServerInstance $SqlServerInstance -Query $query -OutputAs DataTables | Export-Csv -Path $outputPath -NoTypeInformation -Encoding UTF8
}
# 2. 复制默认跟踪文件(如果启用)
try {
$traceResult = Invoke-Sqlcmd -ServerInstance $SqlServerInstance -Query "SELECT path FROM sys.traces WHERE is_default = 1"
if ($null -ne $traceResult -and $traceResult.Count -gt 0) {
$DefaultTracePath = $traceResult[0].path # 安全取第一行
if ($DefaultTracePath) {
$TraceDir = Split-Path $DefaultTracePath -Parent
if (Test-Path $TraceDir) {
$TraceFiles = Get-ChildItem -Path $TraceDir -Filter "log_*.trc" |
Sort-Object LastWriteTime -Descending |
Select-Object -First 5
foreach ($f in $TraceFiles) {
Copy-Item $f.FullName -Destination $BackupRoot -ErrorAction SilentlyContinue
}
Write-Host "默认跟踪文件已备份。"
}
}
} else {
Write-Host "默认跟踪未启用,跳过跟踪文件备份。" -ForegroundColor Yellow
}
}
catch {
Write-Host "获取默认跟踪路径失败:$($_.Exception.Message)" -ForegroundColor Yellow
}
# 3. 复制 SQL Server Audit 文件(如有)
$AuditPath = "C:\Audits\" # 替换为您实际的 Audit 文件路径
if (Test-Path $AuditPath) {
$AuditFiles = Get-ChildItem -Path $AuditPath -Filter "*.sqlaudit" | Where-Object { $_.LastWriteTime -gt (Get-Date).AddMonths(-1) }
foreach ($af in $AuditFiles) {
Copy-Item $af.FullName -Destination $BackupRoot
}
}
# 4. (可选)导出 Windows 登录事件(最近30天)
$EventLogPath = Join-Path $BackupRoot "LoginEvents.evtx"
wevtutil epl Application $EventLogPath /q:"*[System[Provider[@Name='MSSQLSERVER'] and (EventID=18456 or EventID=18453)]]"
# 5. 压缩归档(可选)
Compress-Archive -Path "$BackupRoot\*" -DestinationPath "$BackupRoot.zip" -Force
Remove-Item -Path "$BackupRoot\*" -Exclude "*.zip" -Recurse
Write-Host "? 月度配置与审计备份完成: $BackupRoot.zip"
Write-Host "备份成功完成!" -ForegroundColor Green
}
catch {
Write-Host "脚本执行失败:" -ForegroundColor Red
Write-Host $_.Exception.Message -ForegroundColor Yellow
Write-Host "堆栈跟踪:$($_.ScriptStackTrace)" -ForegroundColor Gray
pause # 防止窗口关闭,便于查看错误
}3.测试备份
-
按
Win + R,输入powershell,回车 → 打开 PowerShell 控制台 -
手动执行脚本
vbscript
cd C:\Scripts
.\monthly_backup_config_audit.ps1查看备份目录是否有文件,如果有的话,即成功,否则需要排查问题;
4.创建任务计划
-
打开 任务计划程序
-
创建任务 → 名称:
Monthly SQL Config & Audit Backup -
触发器:每月(如每月1号 2:00 AM)
-
操作:
-
程序:
powershell.exe路径 -
参数:
-ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Script\monthly_backup_config_audit.ps1"
-
-
"常规"选项卡:
-
使用最高权限运行
-
选择专用服务账户(如
svc-sqlbackup)
-