SQL Security :: Domain Admin Users Cannot Login

Jun 12, 2015

Is SQL Server sensitive to Domain group name? Like "Domain Admin"?

I have a user that belongs to the "myDomain\Domain Admin" group. The group is in SQL as sysadmin, but the user cannot log in using domain credentials. When I move that user to a different domain group, which is also in SQL as sysadmin, my user is able to log in.

Environment: SQL 2008 Standard Edition. 

SQL Security :: Domain Migration Altered SA Or Domain Admin Access To DBs

Jun 19, 2015

We recently migrated from our in-house domain to the Enterprise domain. Everything went smoothly except for the fact that I can no longer access my DBs using my SA or my domain admin account. There is only 1 account I can get into the management studio with but it has no admin privileges, so I can't make any password changes or add accounts. I don't have a test environment so kind of hesitant to experiment with our production system.

SQL Server Admin 2014 :: Does Security-admin Role Plus Deny Alter Any Login Cancel Each Other Out

Aug 27, 2015

I want to set up a database role so that users can use sp_readerrorlog through SSMS. It does a check on membership in the securityadmin role.

I have tested it and can see you can grant execute on xp_readerrorlog but the SSMS GUI uses sp_readerrorlog.

I thought I could create a user/certificate and add the signature to sp_readerrorlog but it's not permitted (likely because it's not a normal database object).

So the other solution is to add the users to the securityadmin role but then explicitly deny alter any login (best done with a custom server role in 2012+ but otherwise just manually in 2008). I tested this out and it works, I'm not able to alter any logins or increase my own permissions, I also did a check of what's reported from fn_my_permissions(null, null) and it shows minimal permissions like I'd expect.

How To Prevent Domain Admin Users From Accessing SQL 2000 Databases?

Mar 6, 2008

Based on our database infrastructure, we need to secure our SQL databases. The security issue concerns on allowing a limited number of Domain Admin users to access the SQL databases.
We tried certain ways, based on the documents in the Microsoft web site, but we couldn't reach to the point of preventing the Domain Admin users accessing the SQL databases.

Thanks in advance.

SQL Security :: Users Are Able To Login To Server Without Any Login Names Or Being Part Of A Group

Jun 5, 2015

I have a server that has 20 databases. I have tested with few users with different level of access and all of them were able to connect to the server and also see, select, update, delete from a particular database which is kind of weird because they do not have a user login associated or mapped to that database. I checked and no user is part of any group in AD that would give them permission to connect. I need a query that would find the permission path of a user. I already queried with xp_logininfo but I am not getting anything.

Security Login/Domain Problems

Jun 9, 2000

I have a server that belongs to domain 'a'. The server is neither a PDC nor a BDC. This server has SQL Server 7 installed. I wanted security set up so the Domain Administrator could select/update rows in the database and administer the database as well as the local administrator of the SQL Server. From a workstation the domain administrator can create tables but cannot insert rows. From the server in question the domain administrator can create tables and insert rows. Why does it make a difference what box the domain administrator logs on to?

SQL Security :: Adding 3 Users To A Login?

Oct 28, 2015

I have to give three users read access to a database. My manager told me to map them to a User called "zxDatabase.Read.ug". I scripted the User and got this...

CREATE USER [zxDatabase.Read.ug] FOR LOGIN [zxDatabase.Read.ug]

I don't see a Login at the server level named zxDatabase.Read.ug, so this is confusing.  Where is this login in SSMS?

How do I map my three users to user zxDatabase.Read.ug? Or am I not understanding correctly? Do I just add their Windows logins to the database as Users and configure them the same as zxDatabase.Read.ug?

SQL Security :: Restricting Users To Login To Database Using SSMS

Jun 9, 2015

We have an application which lets users connect to production database with Windows credentials. They are able to access the SQL tables too with Windows login. I want to restrict them from accessing the SQL tables. How do I do that? I tried a db_deny but that prevented them from accessing the application too.

Reporting Services :: Adding (new) Child Domain Users To SSRS As System Users?

Jul 28, 2015

We have an existing SSRS server, and have just created a new child domain. We'll be migrating users from the parent to the child, and want to add the users of that new domain with access to SSRS. In the parent domain they are able to access, but after migration with the child domain account, they cannot.

I have added the group CHILD\Domain Users with a system user role on SSRS, and PARENT\Domain Users was already there.

Is there any additional step I should/could take to get this active?

SQL Security :: Did Not Create Any New Users And There Are No Other Users Listed In Accounts Section

Sep 28, 2015

I am trying to revert back to Windows 7 after upgrading to Windows 10, however it will not let me and the following message occurs: "Remove new accounts. Before you can go back to a previous version of Windows, you'll need to remove any user accounts you added after the most recent upgrade. The accounts need to be completely removed, including their profiles. You created one account (NT SERVICE\MSSQLSERVER). Go to Settings > Accounts > Other users to remove these accounts and then try again". However I did not create any new users and there are no other users listed in the Accounts section.

Difference Between Database --> Users And Security --> Users

Nov 28, 2006

Hi Team,

In SQL Enterprise Manager, when we expand "Database --> Users", we see the users there. When we expand "Security --> logins" we see the same users there.

Can you differentiate these two.

Thanks

Santhosh

Domain Admin And Sa

Dec 13, 1999

A couple of newbie questions:

1) Do Domain Admins have SA rights by default in SQL7? If so, is there a way to keep domain admins out of particular databases.

2) Is it possible to create a database or table that even SA can't get into?

Thanks
JD

Migrating Users To New Domain

Jan 21, 2003

We are currently in the process of migrating users from an NT 4.0 domain to a Win2k domain. On some of our SQL Servers the Windows Authenticated users own objects within the database. These Windows Authenticated users also own SQL Server Jobs and DTS Packages. Once these Windows Authenticated users are moved over to the Windows 2000 domain they have to qualify their database objects, they cannot see the SQL Server Jobs they created and they cannot modify the DTS Packages they previously created. Is there a tool or script out there that can fix this problem of moving the Windows Authenticated users smoothly over to the new domain?

Domain Users Rights

May 18, 2004

I have a problem: I'm using Active Directory in Win2k Server, and when domain users log on to workstations they can't open SQL Server databases. SQL Server is installed locally on the workstation and the operating system is XP.

When I give administrator rights to users, SQL Server works fine.

Tell me, is there a way to use SQL Server without giving the user administrative rights?

thanks

Permission Domain Admin

Nov 6, 2007

Hi,
We are using SBS2000 with SQL 2000 and Terminal Server.
In the Terminal Server, we have an application that connects to SBS (SQL).
The problem is that a user without Domain Admin permission cannot modify in the database.
How is it possible to grant full access to SQL2000 without giving users domain admin access?

Thanks,
Samuel

Failure To Authenticate Domain/users

Sep 8, 2006

I have several access databases in mind to migrate to SQL server. I installed MS SQL 2005 Express on my machine. I will have procedures to run with authorizations beyond that of a common user, such as database administrative work where server agent is not available, I may rely on users' log-on prompt to do some maintenance work. However, I cannot get the EXEC AS 'DomainUser' to work. The procedures can be created OK. But whenever they are called, the following message shows up:

Msg 15404, Level 16, State 19, Procedure XXX, Line 0
Could not obtain information about Windows NT group/user 'DomainUser', error code 0xea.

I tried to tweak with the account under which the server service is running. There are three options under built-in account: Local system, Local service, and Network Service. My understanding is that Network Service will use the log-on of the current user of the computer. I have admin right of the computer. None of the three options work. Additionally, when I specify an account (my own account), it's the same thing.

The procedure xp_logininfo always fails when I query a specific domainuser.

The ADHelper is configured to run manually.

I could not think of other ways to get a possible solution. Any help is much appreciated.

Deactivating Admin And Domain-Admins

Sep 10, 2007

Hello,

Is it possible to deactivate the groups admins and domain-admins in SQL Server without getting in trouble with the SQL Server? For example, when the system boots the program should start normally without any problems.

We want to deactivate the accounts because we have some critical information in SQL Server and don't want to give all admins the possibility to have a look at this data.

We just want to have sa within the role sysadmin.


Regards
Franz

Admin Access To SQL Without Server/domain Admin Access

Sep 6, 2007

We are using Win2k3 R2 with SQL 2000 in a domain environment.

Is it possible to create a domain group to grant admin level and user level access to SQL2000/2005 without giving users server admin or domain admin access?

It has always been my impression that to have admin access to SQL you had to at least have admin level access on the server.

Any clarification would be greatly appreciated.

Thanks!

Data Access :: ODBC Not Working With Domain Users

Nov 19, 2015

We have purchased an ERP system from a vendor which uses system DSN for all the reports. The system automatically creates DSN with Sa with SQL Server. The problem is the DSN is not working with AD users.

Active Directory server: Windows Server 2008 32 Bit.

SQL Server: Windows Server 2012 64 Bit. This server is already member of my Domain. e.g. CompDomain.com

What should I need to do in client PCs or Server to avail ODBC to AD users.

Reporting Services :: SSRS 2012 Report For Non Domain Users

Nov 6, 2015

I created an SSRS report in SQL Server 2012 and deployed it on the server. I want this report to be accessed by one particular user created on that hosted server, and any time the user hits the report URL it asks for a login prompt. Suppose I create a Windows user "ReportUser" on the report server: I want that when the user hits the URL he should be able to access the report by providing the "ReportUser" credentials.

Domain Users + Local Groups + Scale Out Deployment = Problem

Feb 13, 2008

We have a problem authenticating domain users contained in local machine user groups across multiple web servers in a scale out deployment.

When we originally set up our single SSRS database server we were told that a best practice is to add domain users to local user groups on the SSRS machine.

Now we want to add more web servers and create a scale-out deployment. So, we added the web servers and configured the scale-out deployment. But, only administrators can see the reports since all of our SSRS roles are assigned permissions such as "Machine1\User_Group".

We were told that we have to create identical local groups on Machine2 and Machine3 and then add them to the SSRS roles. This is prohibitive since it would mean managing 3 identical user groups containing thousands of domain users.

Is there a better way to do this without using Domain User Groups?

Thank you for any assistance.

Integrated Security / Domain Name Problem

Nov 10, 1998

We've encountered a problem on one of our SQL servers running integrated security where MS Security Manager errors out with "An error occured executing sp_addlogin using Domain_nameusername - " is not a valid name since it begins with an invalid character." We think it is because the domain has the underscore character in its name. Can anyone confirm or point to other possible configuration issues?

SQL Server Admin 2014 :: Disjoining Clustered Environment And Rejoining It To A Different Domain

Aug 6, 2015

Would it be possible to disjoin the SQL Server clustered environment and rejoin it to a new domain without having to reinstall the cluster?

Disjoin, e.g. a 2-node active/active cluster with 4 named instances:
SQLserver1.dn.za; SQLserver2.dn.za; SQLserver3.dn.za; SQLserver4.dn.za
servernode1.dn.za; servernode2

Re-join them as:
SQLserver1.dn.ra; SQLserver2.dn.ra; SQLserver3.dn.ra; SQLserver4.dn.ra
servernode1.dn.ra; servernode2.dn.ra

What would be the impact on the servers? Will they be able to resolve the new DNS?

Integrated Security From Non-domain Windows 2008

Oct 23, 2007

I am trying to connect as follows:

Server: Windows 2003, SQL 2005, on a domain
Client: Windows 2008 Beta, not on any domain

I created an account with the same user name as the domain user on the client machine. And then I logged in as that user and went to Manage Network Password. I entered the correct domain credentials. Verified that this worked for file shares. However, SQL does not appear to be recognizing this and it tells me:

Login failed for user ''. The user is not associated with a trusted SQL Server connection.


I have verified that this domain account is working properly with SQL when the client is also on the domain.

How can I get this Windows authentication scenario to work where the client is not on the domain and the SQL server is on the domain?

Connection To SQL Express ONLY With Integrated Security But WITHOUT Domain

Aug 16, 2005

Does anybody know if it is possible to establish a connection to an sql express instance only with integrated security when this express instance is running on XP which is NOT part of a domain?

Non-Admin Users Cannot Load Reports

Mar 17, 2008

Originally posted this in the performance point forum, the error actually occurs if link direct to the reporting web site as well. The reports are being created in the report builder, from the web service.

-----

Attempting to add a report services report into a performance point dashboard page. Everything is installed on one box.

When the admin logins load the page, everything works great.

When a non-admin loads the page, everything except the report generates, and the following error kicks off:



An error has occurred during report processing. (rsProcessingAborted)

Cannot create a connection to data source 'dataSource1'. (rsErrorOpeningConnection)
Login failed for user '####'

The user login in question has been given browse access to everything in the report services web. I'm not sure where or how to grant whatever access is necessary for this to work properly.. and really I was hoping that any authenticated user at the dashboard level would be able to view the report so I didn't have to do security twice.

Can anyone point me in the right direction?

SQL Server Admin 2014 :: DNS Name Not Match Active Directory Domain Name For Reporting Services

Feb 11, 2015

I am running into a weird issue with a new SQL Reporting Services 2014 server I built. I installed SQL Reporting 2014 on Windows Server 2012 R2 and configured Kerberos, but the site is extremely slow. After some reconfiguration and log captures I have determined the issue has to do with the Kerberos setup, however I am running a similar configuration with SQL Reporting Services 2008 on Windows Server 2008 R2 and do not run into the same errors.

The error I see while using Wireshark is KRB Error: KRB5KDC_ERR_BADOPTION NT Status: STATUS_NO_MATCH. When I drill down into the error I can see the Kerberos string is testprjmnmtreports14.company.com, which is the URL we are using to access the site. I made sure to add that name as an SPN for the service account that is running SQL Reporting Services, however I still receive the error.

Then I tried configuring the site to run without a hostheader, so I accessed the site with the server name, ECTSTSQLRS5, and the site works perfectly fine, no errors are reported either. So it seems I have isolated the issue down to Kerberos but I am not sure how to resolve it. Here is some more information about my environment:

DNS/URL used: testprjmnmtreports14.company.com
Server Name (FQDN): ECTSTSQLRS5.company.int
AD Domain Name: company.int
Server Version: Windows Server 2012 R2
AD Functional Level: 2008 R2

As you can see I am trying to use a .com address but my AD domain is .int which I think is the issue, but I do not have the same problem on my other server that is running Windows Server 2008 R2. What do I need to do to allow my new site on 2012 R2 to work with this DNS Alias?

Installing SQL 2005 In An Existing W2k3 Cluster - Is Domain Admin Rights Required?

Apr 17, 2008

I have a DBA that is convinced that they need domain admin rights to install SQL 2005 into an existing cluster. The domain groups and service accounts for SQL have been created already. Is having domain admin rights required during the install of SQL 2005 in a cluster?

Login With Domain Account

Jul 20, 2005

I am doing some testing with security and ran into the following problem. I want to log into the SQL server (from Query Analyzer) using my domain account. To allow this, I went into Logins section in Enterprise Manager and added my user account as a Windows User. If I set Analyzer to use Windows authentication I am able to log in with no problems. But if it is set to SQL Server authentication and I type in my username (in the format domain\username or username@domain) and password I get a login error. Is there a way to log in to SQL using domain account without using Windows authentication?

Thanks,
Jason

.Net App Deployment Scenario: Privileges For Non-Admin Users

Sep 17, 2007

My VB.net application manipulates data in a local SQL Express database. When the app is installed, the database does not exist, but it cannot be created at run-time by anyone other than a user with administrator privileges. In addition, the application shares the data stored in SQL with a critical 3rd party component that can only reach the database via named DSN (also not existing prior to installation).

I see my primary SQL security options as being:

(1) Use SQL or Mixed Mode authentication with an admin-level username/password combination, or
(2) Create a db user/group with admin-level privileges and grant membership to all NT authenticated users

Secondary problem: Creating the DSN.

Does it make sense to create a Custom Action (.dll) that is called at the end of the installation process in order to create the database, the user security context and the named DSN?


Am I overlooking some built-in functionality provided by Visual Studio 2005 that will accomplish some or all of this for me? I am aware that customizing the 'silent' installation of SQL Express to use a different authentication mode requires manifest tweaking -- I just don't know anything about setting up the appropriate security for this situation. Would you put the db and role creation stuff in a SQL script and execute it post-install?

Thanks in advance for any insight you can provide.

-T

Report Generation Time Between Users And Admin

Aug 9, 2007

Hi,

When we generate a report with an account that is in the admin group it takes 2-3 seconds but when we do it with another user it takes over 2 minutes... any reason for this?
(The "Report is being generated" thing, by the way)

Not sure if my question is clear, I've been looking and searching for the past 2 hours but can't find anything remotely close to that problem... any help would be appreciated!

Thanks

Can I Get Ordinary Users To Create Reports Rather Than Admin...?

May 30, 2007

Can I get ordinary users to create reports rather than admin using a web browser interface?

Login Failed For Domain/Server$

Jun 16, 2008

I'm developing an ASP.NET website. Recently we were required to move the database from localhost to another server. I'm able to connect to the other server database from SQL 2005 management studio with windows authentication. However when I try to do it in ASP.NET it says error: login failed for domain/server$. I have declared the connection string in web.config file.
