Does Security Admin Have Access To Create Logins Using Sp_addlogin
May 31, 2007
i have an asp.net web application that uses SQL2000 backend. any users login to the application using a proper SQL login. so each user has unique logins
One of the roles within the application is to allow the user to create new logins for the application which inturn creates a SQL login. for this i have been using the following special sp's within an application specific sp:-
EXEC sp_addlogin @strUsername, null, 'WEA_MIS', @loginlang
EXEC sp_grantdbaccess @strUsername, @strUsername
EXEC sp_addrolemember @strRole, @strUsername
EXEC sp_password NULL, @strPassword, @strUsername
the only way ican get this to run is if the user executing the sp is a member of sys admin, ideally i dont want to be giving anyone access to sys admin. i thought security admin would allow me to do the above but it doesnt. Is there any other ways or ideas to get around this problem
Cheers,
Craig
View 5 Replies
ADVERTISEMENT
Mar 22, 2007
How do I grant admin access to a windows account withou having them a part of the administrators group...
I need to give a user access to every report on the server and the ability to administrate the application side of the server but I cannot give them Administrative access to the machine as a whole. I added the user to the system administrators role in team services but this did not allow here to see all the reports. How does she get access to all the reports without being in the Windows local Administrators group?
Thanks
Chris
View 2 Replies
View Related
Jun 19, 2015
we recently migrated from our in-house domain to the Enterprise domain. Everything went smooth except for the fact that I can no longer accept my dBs using my SA or my domain admin account. There is only 1 account I can get into the management studio with but it has no admin privileges, so I can't make any password changes or add accounts. I don't have a test environment so kind of hesitant to experiment with our production system.
View 6 Replies
View Related
Aug 27, 2015
I want to set up a database role so that users can use sp_readerrorlog through SSMS. It does a check on membership in the securityadmin role.
I have tested it and can see you can grant execute on xp_readerrorlog but the SSMS GUI uses sp_readerrorlog.
I thought I could create a user/certificate and add the signature to sp_readerrorlog but it's not permitted (likely because it's not a normal database object).
So the other solution is to add the users to the securityadmin role but then explicitly deny alter any login (best done with a custom server role in 2012+ but otherwise just manually in 2008). I tested this out and it works, I'm not able to alter any logins or increase my own permissions, I also did a check of what's reported from fn_my_permissions(null, null) and it shows minimal permissions like I'd expect.
View 0 Replies
View Related
May 12, 2015
Is there a way i can grant a windows authenticated user say abcadam privilege:
-> to create, execute and alter the stored procedures that will be created by him only:
Point is we do not want the user to execute alter or modify other stored procedures out there for that DB
View 13 Replies
View Related
Sep 6, 2007
We are using Win2k3 R2 with SQL 2000 in a domain environment.
Is it possible to create a domain group to grant admin level and user level access to SQL2000/2005 without giving users server admin or domain admin access?
It has always been my impression that to have admin access to SQL that you had to at least had admin level access on the server.
Any clarification would be greatly appreciated.
Thanks!
View 1 Replies
View Related
Apr 13, 2007
I have created a site using VWDExpress and now that I’ve finished testing have moved it over to the server which runs SQLServer 2000. Part of the site requires login, so I created the membership using the ASP.net web configuration tool and when testing locally worked well.
Now though that I’ve copied the web site over, when I try to log in I get the error:
System.Data.SqlClient.SqlException: An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified
Obviously its some sort of configuration issue, but I don’t know what.
What do I have to change to make this work from a test machine to a live server?
Thanks
View 19 Replies
View Related
Feb 20, 2008
what are these userid in the security-logins , if i delete them what is the impact and if they are available what is the use
ServernameSQLServer2005MSFTEUser$Servername$MSSQLSERVER
ServernameSQLServer2005MSSQLUser$Servername$MSSQLSERVER
ServernameSQLServer2005SQLAgentUser$Servername$MSSQLSERVER
View 3 Replies
View Related
Nov 3, 2014
Query to show logins that don't have any permissions within the SQL instance? I'm tasked with doing some cleanup and have found some cases where the database was deleted or moved to another server but the logins that used it were not deleted. I'd like to identify them to research.
For instance a query to show logins that have no permissions in any of the existing databases would be handy. I'm thinking it would be complicated by the need to loop through all of the existing databases and then outer join it to the list of instance level logins. Going to try to write something like that but was hoping that a script already exists.
View 3 Replies
View Related
Jun 20, 2015
I should audit all access by dba (italian privacy law) in my sql server , what is the best way?
Using the build in audit i can't achieve this goal, do i miss something?
My sqlserver use windows auth.
View 9 Replies
View Related
Jan 30, 2014
How to query in SQL to retrieve all the disabled Windows Users which are available as records(only) in the SQL Server ?
View 9 Replies
View Related
Oct 12, 2007
Using a backup and recovery method i have moved databases from sql server 2000 to sql server 2005.
I have found orphand users for each database after moving
Found orphand users from the statement below
use databasename
fo exec sp_change_users_login 'Report'
to fix i did the following
EXEC sp_change_users_login 'Auto_Fix','Mary',NULL,'Password'
go
exec sp_changedbowner 'sa','dbo'
go
then set db chaining to true
exec sp_dboption 'databasename','db chaining','true'
Now in the management studio i login with sql server authentication using username and password.i get the error mentioned below.
But using 2005 management studio i login with sql authentication to 2000 database it works fine.
Why is this error??
How to i test id all my logins are working fine.
TITLE: Connect to Server
------------------------------
Cannot connect to SQL-CENTRALInstanceSQL2005.
------------------------------
ADDITIONAL INFORMATION:
A connection was successfully established with the server, but then an error occurred during the login process. (provider: Shared Memory Provider, error: 0 - No process is on the other end of the pipe.) (Microsoft SQL Server, Error: 233)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&EvtSrc=MSSQLServer&EvtID=233&LinkId=20476
------------------------------
BUTTONS:
OK
------------------------------
please let me know
View 9 Replies
View Related
Mar 30, 2006
Right im getting slightly annoyed LOL
We have an MSSQL 2005 box in the shared hosting environment now the amount of attacks we receive every hour is a crazy amount. The usual stuff as below
Login failed for user 'sa'. [CLIENT: ]
Now i can simply block the ip's in ipsec but the amount of attacks is crazy and its taking all my time to keep track of them all, i know its just websites, automated tools etc, mssql is set to lock accounts after 4 invalid logins, well to make security sense i renamed the sa account as its default on most servers.
What i want to know is after so many attacks why can't mssql implement ipsec security on its own and block the client ip, come on after 20 attempts you know the IP is brute forcing the accoutn in question.
Any advice people?
Its a high performance server but it doesnt need brute force attacks against it all day long, LOL.
View 3 Replies
View Related
Jan 7, 2015
I am trying to write a sql script that will basically test logins for Windows NT Similar to when you bring up SQL Studio, and do run as windows NT I want to ensure my rights are not removed from SQL Servers and if so send my nice DBA an email.
How to do the connect as ? and check my permission is still set to access database with db_datawriter, db_datareader etc
View 2 Replies
View Related
Nov 9, 2007
From my desktop in Management Studio (MS) I can connect to server A and run a query like,
select top 1 * from serverB.mydatabase.dbo.mytable, and all seems to be working. If I leave and come back after a few minutes it no longer works and I get this error:
Msg 18452, Level 14, State 1, Line 1
Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection.
If I remote connect to server B and run the query it works and when I try it from my desktop MS it starts working again. Any ideas on why this is happening?
View 8 Replies
View Related
Oct 14, 2005
Hello there I have trying to figure out for days how to enable FullTrust for my Reporting Services security extension.
View 9 Replies
View Related
Jul 9, 2001
I have created 2 SQL logins for use in connecting to an SQL server database (v7) from my web server. My idea is that one login (WebAdmin) would be assigned the db_owner role and one login (WebPublic) db_datareader and db_datawriter roles.
However, I have run into a problem. Only one of the logins works. The other generates an "Invalid object name" error. The login that works is the login that is listed as the owner in the SQL Server Enterpise Manager Tables pane. Even if the other login has a db_owner role in the user properties box.
Can anyone tell me what is going on?
My code looks something like this:
<%
Set CN=Server.CreateObject("ADODB.Connection")
CN.Open "Driver={SQL Server};SERVER=<ip address>;UID=<either WebAdmin or WebPublic>;PWD=<appropriate password>
Response.Write "Connection Opened!<BR>"
[this part works in both cases]
Set RS=Server.CreateObject("ADODB.Recordset")
RS.Open "Select * from map_gallery_primary_geographies", CN,3, 3
[this generates the "Invalid object name" error for the login that is not listed as owner in the Enterprise Manager]
Response.Write "Value of the first field's record: " & RS(0)
View 2 Replies
View Related
Jan 21, 2007
ok, first, I know... I forgot to run a backup of the master database, and I forgot to run a script to caputure logins. Not that that is out of the way... I need to recreate the logins under the Securities tab below the databases. All the company databases have the user names and passwords assigned to them, but they are not able to login, because they are not able to authenticate to the SQL server first.
Is there a script that someone has that will copy the company database security info for the users and recreate them in the SQL security tab?
I know that I can rebuild them manually, but I need to delete them first in the application software, then delete them from the databases, and then recreate them in the application software... and as simple as that sounds... it is a slow moving process.
Any assistance would be greatly appreciated.
Thanks,
John
View 3 Replies
View Related
Oct 3, 2005
I like the new gig a lot. Real busy, smart folks and I have been in high demand since 5 minutes after my butt hit the chair. I already have code in production.
Anyhow, we have a security situation on the sql servers I pointed out on my first day. So they want me to roll everything over to Windows Authentication and give the developers and report writers more restricted rights inside SQL Server. So they have NT Groups for different kinds of users and all of that jazz and I layed on the typical stuff about using NT groups vs individual accounts and ease of admin vs granularity of control. Well the boss came back and said he wants ease of admin and granularity of control over security. So, does anyone have any fresh thinking on turning my eitheror into an AND.
View 5 Replies
View Related
Sep 21, 2005
I am working with a SQLServer installation where all public permissionshave been revoked from the system.I currently hold the securityadmin and sysadmin roles to perform mylogicall access control work (creating logins and adding users todatabases and changing group memberships.)There has been a question as to whether or not I need the sysadmin roleto do my job, so we tried an experiment in dropping the sysadmin rolefrom my id.With no public permissions, I see no user information on the server,which really limits my ability to do the job.Has anyone ever worked with a super-locked-down server without thesysadmin role for doing security admin work?What I'm looking for is hopefully SQL to perform the access privilegesneeded for the security admin role by itself.Thanks in advance!
View 2 Replies
View Related
Jun 12, 2015
Is SQL Server sensitive to Domain group name? Like "Domain Admin"?
I have user that belong to "myDomainDomain Admin" group. Group is in SQL as sysadmin but user cannot login using domain credentials. When I move that user to a different domain group which that group is in SQL again as sysadmin my user is able to login.
Environment: SQL 2008 Standard Edition.
View 12 Replies
View Related
Feb 13, 2007
i want to be able to create a login to my database that cannot access the whole db but only certain tables.
how do i do this in sql 2005?
View 1 Replies
View Related
Jul 16, 2015
I have a SQL Server 2014 instance running on a SQL Server 2008 R2 server. The server is not clustered, it is just a stand alone SQL Server. The syspolicy_ purge_history job fails every now and then with the error message: "A job step received an error at line 1 in a PowerShell script. The corresponding line is 'import-module SQLPS -DisableNameChecking'. Correct the script and reschedule the job. The error information returned by PowerShell is: 'Access to the path 'PowerShell_CommandAnalysis_Lock' is denied. '. Process Exit Code -1. The step failed."
Google isn't bringing up much besides the whole"If this is a clustered server make sure you have the right server name in the command" answer, which isn't the case here. Some days this job fails and some days it succeeds. I have checked out task scheduler to see if there were any conflicts there, found nothing. Nothing in the event viewer either.
View 2 Replies
View Related
Feb 24, 2015
I am new to SQL Server and I am trying to create a script / possible a cursor that will allow me to create multiple logins in one pass - without having to type each one.
I have 20 users USER1, USER2, USER3, USER4... but I can't seem to figure out how to get those users into a loop
so I can end up with something like this.
CREATE LOGIN <user> FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[English]......
I realize I can type this statement 20 times but perhaps there is a faster way -
View 3 Replies
View Related
Feb 2, 2007
Our company has 2 Database Roles (DBE and DBA). The DBE creates
database schema, performs SQL Server Administration, and manages server
security. The DBA writes data access, ETL, and manages database
security. In 2005, we're struggling with how to allow the DBA to see
all of the logins on the server in order to add them as users of their
database. What permissions does the DBA need to select from any of the
logins on the server to add them to their database?
Michelle
View 1 Replies
View Related
May 21, 2014
how does security works between availability groups.
ex if i create an object and grant permissions to a user will that be replicated to secondary replica .
View 4 Replies
View Related
Jan 21, 2015
SSISDB 2014 - Enabling CLR - Is there are kind of security risks for enabling CLR when creating SSISDB?
View 0 Replies
View Related
Aug 11, 2015
SQL2008R2...Have a SPID that started yesterday and contained a command to drop a server audit. This did not finish (after 3hrs) so I killed the SPID. Problem is it's still there (sp_who2) and I think it's now blocking access to viewing editing logins within SSMS as I'm getting "Lock request time out period exceeded. (Microsoft SQL Server, Error: 1222)" when double clicking a login.Do I need to restart the instance as killing the "alter server" transaction (SPID=62) is not working? Code to show blocking transactions returns this.
View 12 Replies
View Related
May 14, 2008
i just want the user have the ability to do sp_addlogin.
pls help me
i successfully ran this query
grant execute on sp_addlogin to userLogin
but when i login with userLogin. It wont work
View 7 Replies
View Related
Jul 18, 2006
hi,
I have an VB .NET 2005 application which should create a database and a user on an SQL server both for SQL 2000 and SQL 2005. The last not tested yet. I use SQLConnection to comunicate with the server. I can make the database no problem, but I can't add a new user.The user that runs this stored procedure has rights to execute this procedure. When I try to use the stored procedure: "sp_addlogin" I get the following error :
"-- 'sp_addlogin' was found in the text of this event.
-- The text has been replaced with this comment for security reasons."
Does anyone have any clue what's wrong?
Thanks.
View 7 Replies
View Related
Jan 10, 2006
Hi all,
I want to add a windows user login which looks like: MachineNameUserName, however back slash "" is not allowed in ap_addlogin. With UserName only, the privileges are not granted correctly as far as I tested. How can I walk around? Any ideas? I use SQL express.
Br,
XZ
View 3 Replies
View Related
Aug 17, 2007
I've a SQL 2005 with a certain number of db.Until today i was the only admin of all dbs.Now i need to give to another admin permission to manage one specificdb (but only that).Ho censito un utente di sql con accessi abilitati solo a quel db.If i connect to Enterprise manager with that limited login there is aproblem: i see (only see)all dbs, also db where this login is not autorized.How can i work for not permitting this login to see other dbs? Heonlycan see them but idon't want because of privacy. Is it possible?
View 4 Replies
View Related
Mar 23, 2015
We log ship our production database tansaction logs to a secondary database on a separate remote domain.
Incidentally, this was not set up via the "Ship Transaction Logs" wizard, but instead we had to use the various system stored procedures after restoring a copy of the database on the remote domain in standby mode.
We now have an issue where users are unable to access the remote secondary database without having sysadmin privileges. Clearly we want to avoid this!
We want to be able to use Windows Authentication mode on the server of the secondary database. But since the two domains differ, is it possible to even achieve this?
How can we set up read-only access for users on the secondary database without giving them sysadmin privileges?
View 3 Replies
View Related
