Issued revoke database object permissions command (action_id R; class_type US) (24197) how to monitor with email alert

bob · 04-24-2025, 01:57 AM

You ever notice those sneaky changes in your server logs? That event ID 24197 pops up when someone issues a revoke command on database object permissions. Action_id R means revoke, and class_type US points to user security stuff. It logs exactly who did it, what object got hit, and when. I mean, picture this: a sysadmin strips access from a table or view in SQL Server. The event captures the database name, the grantee, and the exact permission yanked. Why care? It flags potential security tweaks, like locking down sensitive data. Or maybe it's routine maintenance, but you want eyes on it. This event sits in the SQL Server audit logs under Applications and Services Logs in Event Viewer. Full details spill out in the event properties, showing timestamps, session IDs, and even the SQL statement if auditing's beefed up.

Monitoring this beast for email alerts? You can rig it right from Event Viewer without fancy scripts. Fire up Event Viewer on your server. Filter the logs for ID 24197 in the SQL Server audit channel. Right-click that custom view you make. Attach a task to the event. Pick "Create a Basic Task" in the wizard. Name it something like Revoke Alert. Set the trigger to when this event fires. For the action, choose "Send an email." Yeah, built-in option there. Fill in your SMTP server details, from address, to address-maybe yours. Subject it "Hey, permissions revoked on DB." Body can say "Check event 24197 for deets." Test it to make sure it blasts off. Now, every time that revoke happens, you get pinged. Keeps you looped in without staring at screens all day.

And tying this to keeping your server solid? BackupChain Windows Server Backup steps in as a slick Windows Server backup tool. It handles full system images and also backs up virtual machines running on Hyper-V. You get fast restores, encryption for data safety, and incremental backups that save space. No more sweating over lost permissions or crashed VMs-it just works smooth.

Note, the PowerShell email alert code was moved to this post.