Current: One common SQL login is being used by SQL DBA on all the servers
New Plan: Creating one windows AD group, adding the DBA's to that group and create as a login with sysadmin server access on all the SQL Server boxes
how to achieve this activity. Creating SQL login is fine but how to change the ownership of various objects, jobs to new login on all servers?
We are using Windows authenication within our system, and I was wondering how it would be possible to determine if the user conected to the SQL SERVER instance was a member of a particular active directory security group?
Thanks.
I have a test environment set up at home with a small windows server 2003 Active Directory domain. I created a windows security group on the dc and added myself and another user to the group. I then use this group as a login for SQL Server and add the login to the sysadmin server role. This works exactly as I would expect on the Windows Server computer (which is also the Domain Controller) regardless of which computer I use to connect to this Windows Server computer. However, when I set up the exact same login on the local sql server instance of my client laptop running windows xp pro, the I get an error message (Login failed for user MYDOMAINdgolds...) when I attempt to connect to the local instance of SQL server, even though I am able to connect to the instance on the domain controller with no problems using this same client laptop under the same user account. The only way I am able to connect locally on the laptop under this account (which does not have local admin privileges on any box, for testing purposes) is to add the user account separately as a login, rather than as part of a group. I'm curious as to why being a member of a security group that is part of the sysadmin server role does not allow me to connect to the local instance of SQL Server on this client laptop. The windows server computer is running SQL2k5 Enterprise, and the client laptop is running SQL2k5 developer. Any insight into this would be appreciated.
Thanks,
Dave
Is there a way that we can tell what active directory group the person belongs to that is running the report? I know that you can detect a user id, but I need to access the Active Directory Group that they belong to.
View 1 Replies View RelatedHow do you limit access to data based on Active Directory group membership and/or SQL Server database access?
View 1 Replies View RelatedI am having some issues adding user logins to SQL Server. When Isearch for users in Active Directory from Security->Logins->New Login,I can search for and add users using the short name (samaccount, exdomainabcde). However, when I search for users using their CA name(ex. domaninfirstname.lastname), the user is not found.Is there some setting that needs to be activated in SQL Server to seethe CA name as well as the samaccount name, or is this an issue thatmust be resolved on the domain controller.I would appreciate any insight.Thanks,Matt
View 2 Replies View RelatedIs it possible to check for Active Directory group.. ie see if the user running the Stored Proc, is in a specific Active Directory Group? Or if I set up Login's using Active Directory, can I get the Login that way... or will it give me the user's account?
View 6 Replies View RelatedI am working on the security model for an application that will be used by 100s of users with a dedicated SQL 2005 database for this application and access via SQL XML Web Services.
The client has asked to make it "open" during alpha testing such that anyone can access the web services without having to set them up first. Is there a way to do this? The best I can figure is to use mixed mode security and hard code a login and password. Any method using Windows authentication would require that I add every user at a minimum to the database.
In production, all users will have an active directory role specified that determines if they should have access to the web services or not. However, it is my understanding that to use Windows authentication, I would still need to add each individual user at a minimum as a Login to the SQL Server, and under best practices also as database users with permissions granted to the endpoint.
Am I correct in the above, or is there a more efficient way to achieve these results?
Thanks
-L
My question is I have a SQL Server running on Web Server which is a member of a 2000 Active Directory, I only grant access to the database via Global Groups from the Active Directory. When I log onto the database via Windows Authentication the actual user shows up in the master.dbo.sysprocesses table, I can tell what database that process is going to but not how that user is being translated to the Global Group that was actually given access. I need the actual database user name which is the Global Group name that had permissions granted via user defined database roles so that I can do some pre-processing in an ASP.NET application so that I know what parts of a form are updatable or not.
View 1 Replies View RelatedFor code reuse, I am trying to get a table valued function to return users of a given AD group name. I can easily get this with hard-coding the group name. But because OpenQuery wont accept parameters, I can't insert my group name there. And because functions can't call dynamic SQL, I can't do it via dynamic sql. I have seen people do it with CLR, but I rather not go that route. I can use a stored procedure + cursor and iterate through each group and store the results into real tables and create a cache, but I rather query Active Directory itself to save space, but I rather do the caching then the CLR. Any approach I am missing on how to do this?
The following works fine:
SELECT DISTINCT sAMAccountName
FROM OPENQUERY(ADSI, 'SELECT sAMAccountName, sn
FROM ''LDAP://OU=SomeOU,OU=SomeOtherOU,DC=SomeDC,DC=SomeOtherDC''
WHERE objectCategory=''Person'' AND objectClass=''USER'' AND memberOf=''CN=SomeGroupName,OU=SomeOU,OU=SomeOtherOU,DC=SomeDC,DC=SomeOtherDC''') a
WHERE sn IS NOT NULL
The following gives me the error:
Invalid use of a side-effecting operator 'EXECUTE STRING' within a function.
CREATE FUNCTION [dbo].queryADGroupMembers
(
@group nvarchar(255)
)
RETURNS @rtnTable TABLE
[Code] .....
Hello,
I am fairly new to SQL 2005 and Reporting Services.
We are trying to create a report that will display sales data based on group membership from Active Directory.
For example, if USER1 logs in and looks at a Year to Date Sales report, it will only show data that pertains to his group. If USER2 logs in and accesses the same report, it will display different Year to Date information because he is in a different group.
Background Information: We are running SQL 2005 Enterprise Edition Service Pack 2 with Analysis and Reporting Services. We are delivering the reports through a Sharepoint site.
Please let me know if anyone has a good way to tackle this.
Thanks,
Justin
I have a server that has 20 databases . I have tested with few users with different level of access and all of them were able to connect to the server and also see, select, update , delete from a particular database which is kind of weird because they do not have a user login associated or mapped to that database. I checked and no user is part of any group in AD that would give them permission to connect . I need a query that would find the permission path of a user. I already queried with xp_logininfo but I am not getting any thing.
View 9 Replies View RelatedIs there any possibility to schedule SQL job execution as Windows Security Group? I need to run powershell script through SQL job with one of this group member's permissions.Â
View 4 Replies View RelatedHas anyone used this successfully from an OLEDB source component, or even from the Execute SQL Task? I've seen some examples of using a script component, but nothing that uses it through a connection manager.
View 6 Replies View RelatedHello,
We use local server windows groups to allow or disallow use of our SQL databases. We are now being asked to move off of our current server. My thoughts are to dettach and attach the database. What is going to happen to all my permissions based on the user groups of our old server? I intend to create the same group names on the new server but they will be newservergroupname as opposed to oldservergroupname. Is it just a case of scripting the database user, roles and object level permissions an manually changing oldserver to newserver?
We are seeing login failures for windows accounts. Below is the error message.
Description:Â In our env most logins are windows accounts. Initially we thought it is an UAC issue and we tried to launch the SSMS using "Run as Administrator". However, we are seeing login failures.
Enviroment:
Microsoft SQL Server 2014 - 12.0.2402.0 (X64)
RTM Enterprise Edition (HyperVisor)
Error Message in Error Log :
2015-08-10 22:36:45.290 Logon       Error: 18456, Severity: 14, State: 11.
2015-08-10 22:36:45.290 Logon       Login failed for user 'domainloginname'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 10.xxx.xxx.xxx]
2015-08-10 22:41:23.470 Logon       Error: 18456, Severity: 14, State: 11.
2015-08-10 22:41:23.470 Logon       Login failed for user 'domainloginname'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 10.xxx.xxx.xxx]
Troubleshooting done:
- Recreated the windows login in sql server. Doesn't work.
- ran sp_valdidatelogins. it doesn't return any rows.
- I belong to sysadmin role and when I say, getting below error message.
xp_logininfo 'domainloginname'
/*
Msg 15404, Level 16, State 19, Procedure xp_logininfo, Line 64
Could not obtain information about Windows NT group/user 'domainloginname', error code 0x5.
*/
We tried dropping this account and re-creating the windows account with same permissions but still result is same.It throws same error message. Login failure message !!!
Hello,I am putting together a row level security plan for our salesdatabase. I will give a brief description of the method I am thinkingof using to give you an idea of how I will need to be able to discoverthe group or login the user is using to access the data.I have a table called salesfact, it has all the sales info for all thebranches of our company. Each order(row) that is inserted has an entryin the division_number column to describe which branch the orderbelongs to. I have created another table(Branch_Folks) that has fourcolumns; username, windows_group, SQL_Login and division_number.I am using a view and SQL logins to control access to the data basedon the user, the SQL logins give windows groups access to the view.Only users that are added to the specific branch groups will haveaccess to the logins, but if a user is added to the group without mebeing notified, then he will not have a corresponding entry in theBranch_Folks table. Currently I am using the SUSER_SNAME() function todetermine which user is accessing the data from the view that I havecreated. The view uses this select statement to filter the data basedon the user & division.Select * from tsalesfact A, Branch_Folks B where SUSER_SNAME() =B.username and A.division_number = b.division_numberThis method works fine, but I will have to manually maintain the userlist in the Branch_Folks table in case a new user joins the windowsbranch group. I would like to use a function similar to SUSER_SNAME()that can determine the windows group or SQL Login a user is using.Does anyone know of a way to do this??Thanks a ton,Tim
View 1 Replies View RelatedIn my DB (SQL 2012) one windows authentication is created automatically and a schema is created exactly automatically that this user is owner of this schema. (e.g the user is domainx and schema exactly domainx).
I created a DDL Trigger on my DB to find out who and how it is created , but I didn't get any useful information.
I change the owner of schema that I can delete the schema and after that delete the user, and sometimes because the user is owner of a service , I have to alter the owner of the service to DBO and delete the user , but again and again exactly this user and schema (e.g domaninx ) are created as soon as I delete it.
I have read these topics : [URL] .... and [URL] .... but can't solve my problem.
Hello Everyone,
I am trying to connect SQL database through code but I get this error,I have spent days to solve it but unfortunately I couldn't...Here is my code in VB express(OP:windows 2000 with SP4)I am new to VB,so it makes the situation more difficult for me.
my code is:
Public Class Form1
Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
Dim conn1 As SqlConnection = _
New SqlConnection("Data Source=.SQLEXPRESS;" & _
"Integrated Security=SSPI;" & _
"database=deneme3_database;")
'Open connection
conn1.Open()
MessageBox.Show("Connection succeeded.")
'Close connection
conn1.Close()
MessageBox.Show("Connection closed.")
End Sub
The error message is,it is in german but it is clear I guess:)
" Die von der Anmeldung angeforderte "deneme3_database"-Datenbank kann nicht geöffnet werden. Fehler bei der Anmeldung.
Fehler bei der Anmeldung für den Benutzer 'ADPLANatalay'. "
Thank you in advance!
Can
I have created a database fronted by an ASP.Net application. It's all nice and simple, and I only need a very simple level of security (and even that is only as a protection against accidents rather than maliciousness). My intention is that users connect using Windows impersonation (<identity="true">), with the database creator having full access and the public group (I'm talking SQL groups here) having specific premissions granted on specific tables.
If I set <identity="false"> on my XP box the application connects to the database as [MACHINEASPNET]. This is easy to set up access for - I simply do a
CREATE LOGIN [MACHINEASPNET] FROM WINDOWS
and then within the actual database do a
CREATE USER [MACHINEASPNET]
But as I said, I want to use Windows impersonation. When I set <identity="true">, the application correctly attempts to connect as the actual Windows user account (e.g. [MACHINE estuser]). If that user is the user who installed the database, then all is well and it has full access. For anything else, I get a "cannot log on" error - this much I expect.
So I want to permit logins for all other users, and I want this to work regardless of whether the machine is a standalone machine whose "domain" is simply the machine's own name, whether it is in some form of traditional peer-to-peer workgroup, or whether the machine is connected to a real domain. I also want it to work on XP and Windows Server 2003 (and ideally Vista also, but that can wait). When I try the following:
CREATE LOGIN [MACHINEUsers] FROM WINDOWS
I get this error:
Msg 15401, Level 16, State 1, Server MACHINESQLEXPRESS, Line 1
Windows NT user or group 'MACHINEUsers' not found. Check the name again.
Nor does it work with [Everyone] (that one has no domain/folder listed against it in any permissions dialogs on my domainless development PC). So I'm stuck and confused. It's taken me ages just to get this far. Any suggestions anyone?
Thanks in advance.
Hi, Happy New Year!
I have been struggling with this problem for a while with SQL 2005. I have never had such login problem with SQL 2000. Here is the scenario:
I have installed SQL2005 standard version on a XP Pro box and I am trying to access it from another XP Pro machine. I can access it using a SQL user name and password that I set up on the server, but I have not had luck with using Windows NT Integrated security. When I try to connect to it (e.g. by a UDL file), I get an error saying Login failed for user €˜HP-AMD64Guest€™ where €˜HP-AMD64€™ is the name of the PC running the SQL 2005. I can access the files on the machine without any problem. I do not understand why it uses €˜Guest€™ that is not what I use to log on my machine. Does anyone have any clue to offer me?
Thank you in advance!
h
Hi all:
I have created a linked server that connects a SQL 2000 database to a SQL 2005 database. If I use individual SQL or Windows accounts as local logins on the SQL 2000 instance, I can successfully query the linked SQL 2005 database.
(For security we use the setting "For a login not defined in the list above, connections will: not be made")
If I try to use a Windows group as the local login, remote queries fail with the error
"Access to the remote server is denied because no login-mapping exists"
Is it not possible to use a Windows group for the local login of a linked server?
If I run 'exec sp_linkedservers' the setup appears valid
Linked Server Local Login Is Self Mapping Remote Login
SQL2005Serv DomainBRubble 0 SQL_Read_Access
SQL2005Serv DomainWindows_Group 0 SQL_Read_Access
SQL2005Serv DomainFFlintstone 0 SQL_Read_Access
Thanks in advance
Grant
Deleting a Login from a server instance and adding it back did not show that the login was still mapped to databases. In SQL Server 2008, adding a Windows Login did not permit access to end user databases until the Windows Login was mapped to various databases. In SQL Server 2012, once a Windows Login is added to SQL Server Security, it may access ANY end user databaseWe use the following to circumvent this problem, Windows Login by Windows Login: DENY VIEW ANY DATABASE TO [TESTTest1]
View 6 Replies View RelatedHi
I am new to SSIS and have the following problem. I used the following script to clear data in columns of any CR/LF/Commas and char(0)'s. Can I just transfer this to SSIS and how exactly do I do that? Any help or advice would help.
Function Main()
Dim x
For x=1 to DTSSource.count
If Isnull(DTSSource(x)) = False Then
DTSDestination(x) = replace(replace(replace(Replace(DTSSource(x) , chr(13),""),chr(10),""),chr(0),""),","," ")
Else
DTSDestination(x) = DTSSource(x)
End If
Next
Main = DTSTransformStat_OK
End Function
Andre
If we have a "pool" SQL login, a one that uses SQL Server authentication, and this login is used by different domain account to access SQL Server, is there a way to audit which domain account used that "pool" login to do something on a object in SQL Server? I have to keep this way of accessing SQL Server, so how to create a login for every domain account accesses SQL Server
View 7 Replies View RelatedHi all,
Now I want get AD value(e.g file path),how can I get this value from AD?
Thanks
Hie,
Someone can tell me haw can i do in order to migrate my server sql to active directory.
What is the step
Hello,
I have recently upgraded my the server that runs SQL Server to an Active Directory Domain Controler. Now I can't connect to the SQL Server from ASP.NET Applications when the application is not located on the local machine. The error message I get is SQL Server does not exist or access is denied.
I have no problems connecting with QueryAnalyer and Enterprise Manager from my workstation. I have added the Sql Server to the directory via the "Active Directory"-tab in the Property window for my Sql Server Registration i Enterprise Manager.
If I copy a directory from the wwwroot on my workstation to the server the application has no problem to connect so the connectionstring seams to work fine.
Any ideas?
Regards,
Kalle
hi,
we have recently completed an upgrade to 2000 server and now have AD on our network.
How do i go about querying this from any of my SQL 2000 servers?
I have found a few websites that mention adding a linked server. I have never done this and am not sure how to query a linked server, if that is the way to go.
can anyone offer some advice please?:confused:
TIA
A little background, We have a DEV Server running SQL Server 2000. This is the first of many to be migrated from out NT Domain to our new AD (active directory Domain). All Domain user accounts have already been migrated.
When they migrated this first Server running SQL Server, I am getting the following error when I try to make the owner of a job (any job) run by the SQL Server Agent a domain account in the new AD - when I switch the ownership back to our old NT Domain, it works fine.
I am getting this error:
The job failed. Unable to determine if the owner (domainusername) of job testjob has server access (reason: Could not obtain information about Windows NT group/user 'domainusername'. [SQLSTATE 42000] (Error 8198)).
note that this is happening to all windows authenticated sql server accounts on this Server. All of these account are in the local Admin group on the Server.
Does anyone know what needs to be done in SQL Server to make the AD migration seemless???? I need to try and find this out before we begin migrating Production Servers. Thank you!!
Hi folks,
I'm try'n to find out if i need active directory for sql2000 if my primary network is running on windows2000? What are the pros and cons? Thanks!
Joe R.
Hi!
I want to write a trigger that add a new computer account in my active directory when I do an Insert in my MSSQL table.
I know how to use SELECTstatements using LDAP but I want to do a INSERT statement. Is that even possible?
Can you write vb code directly in SP i mssql 2000?
What I think I have to do is to have a vbscript that does the adding then call the script using exetended SP cmd execute passing the name to the script.
If someone has a another solutions please let me know!
Regards..
Hi there,
Is it possible to, somehow, get a specific users password from active directory? The reason I ask is that I am writing a new system and really don't want the users having to remember yet another password, but rather be able to use there network password? I would like to write the logon section myself and not use any built in functions that anything may have.
Please can someone advise. I don't think it is possible but have been asked to persue the issue.
Thanks