Admin Access To SQL Without Server/domain Admin Access
Sep 6, 2007
We are using Win2k3 R2 with SQL 2000 in a domain environment.
Is it possible to create a domain group to grant admin level and user level access to SQL2000/2005 without giving users server admin or domain admin access?
It has always been my impression that to have admin access to SQL you had to at least have admin level access on the server.
Any clarification would be greatly appreciated.
Thanks!
Jun 19, 2015
We recently migrated from our in-house domain to the Enterprise domain. Everything went smooth except for the fact that I can no longer accept my dBs using my SA or my domain admin account. There is only 1 account I can get into the management studio with but it has no admin privileges, so I can't make any password changes or add accounts. I don't have a test environment so kind of hesitant to experiment with our production system.
Jul 20, 2005
Hi All hope you can help. I have a SQL 2k Standard Ed. SP3 server that is in mixed security mode. I have logged into EM with the sa account. Then added an Active Directory group (i.e. DomainDBAdmins) to the System Administrators for that server. When I try and modify the SQL server registration in EM to use trusted authentication instead of sa I get a connection failed. Any ideas? Thanks,
Jul 20, 2005
I am interested if anyone can point me to "best practices" regarding the level of administrative authority a SQL Server database administrator should have. Alternatively, I'd be interested hearing what level of authority on the server you/your SQL Admin has. I have been told that in order to do their job, a database admin needs full admin authority on the operating system in a Microsoft environment, but I find that hard to believe. Thanks.
Mar 28, 2007
Hello,
I have been given the responsibility of administering and trying to maintain an enterprise level database (currently 20GB in size) without local admin privileges on the server that houses my database. Is there any documentation available that can either help me get my job done, or help me convince my supervisors that my position requires that level of access?
I understand the concern about the local admins being able to "do whatever they want", as well as the effort to reduce the amount of risk exposure to major accidents. I just want to be able to do my job effectively.
Dec 3, 2013
We have applications connected to SQL using Windows authentication. While connected through the application, a user can also access the database instance at the same time. We need to limit the user's access outside the application.
Nov 24, 2014
How do I grant a specific access to a schema? I have a request to grant a DDL access to a schema called Business_Banking.
Jan 5, 2015
I have SQL Server 2014 (Enterprise) on Server A. The service runs under DomainAAdmin.
The Client machine is B, User credentials DomainBUser.
DomainBUser has a share on B that contains a BCP data file. DomainAAdmin has full access to this file.
If I log onto A (the server machine) with either DomainAAdmin or DomainBUser credentials, and run SQL Server Management Studio with Windows Authentication I can run BCP successfully using the following:
BULK INSERT [MyTable] from 'Bsharedatafle.tsv' WITH ( KEEPNULLS , KEEPIDENTITY )
However, if I log onto B (the client machine and the machine hosting the share) and try to run the same bcp command, I get "Access is Denied".
Jul 6, 2015
I try to connect from a pc to a SQL Server on another pc. Both pc’s are in a workgroup. I want to connect from a Windows Forms application to a named instance on the other computer. By now I have been able to connect from one pc to SQL Server on the other with tcp:smurfin, 52782.
I want to be able to use servernameinstancename (instead of portnumber) to make a connection in a Windows Forms application.
I’ve checked / tried the following:
•In the properties of the instance, tab Connections, the option Allow Remote Connections is enabled
•In Configuration Manager: TCP is enabled
•The service SQL Server Browser is started
•On the tab IPAddresses, in the section IPAll, there is NO port number for TCP Port. And TCP Dynamic Ports has the number 52782
•I have created an inbound rule for port 52782 and also for 1434 (SQL Server Browser). And to be on the safe side: a rule for 1433 as well.
•Restarted the service
If I run the following code in SQL Server, that same port number (52782) is returned:
EXEC xp_ReadErrorLog 0, 1, N'Server is listening on', N'any', NULL, NULL, 'DESC'
GO
SELECT local_tcp_port
FROM sys.dm_exec_connections
WHERE session_id = @@SPID
Aug 24, 2015
While running SQL 2014 upgrade advisor against a 2005 remote SQL server, below is the error I'm getting:
"Could not populate SQL Instances: System.Security.SecurityException: Requested registry access is not allowed"
It's able to connect to the SQL 2005 DB server and it's also populating all the required databases, but when I'm trying to click Run at the last step the above error is coming. I even installed SQL 2012 upgrade advisor in my system and am getting the same above error.
However if I use SQL 2008 upgrade advisor and connect to the SQL 2005 server I'm not getting any error. The tool is generating successfully all the Pre and Post upgrade issues.
I'm running the tool with the Run as administrator option. Is there any specific change I need to do in my system so that the tool runs successfully?
Sep 15, 2014
I have a user who is trying to log into the server, but every time he gets this error saying something about the Group policy denies him access.
This user needs access and I'm trying to understand how to grant it to him.
I have been looking into how I can access the group policy editor, but the farthest I can get is the Local group policy editor. How do I make sure this specific user has access?
Oct 16, 2014
I'm trying to create a job that will copy a backup file from a mapped network drive to a local folder however it keeps failing due to a privilege.
The command is:
copy 10.10.10.5f$ est.nightly H:MSSQLBackup est.nightly
I can run the command successfully from the command prompt, however using the same command in a SQL Server job it fails with "Access is denied".
How do I configure the mapped network drive to allow the Sql Server Agent to get access to it?
Feb 24, 2015
My sa account cannot see the tables in the db, but can connect to the server.
Apr 23, 2015
SQL server job or SP to deny access to an AD login for certain period of time to SQL server instance...i.e. to deny access to login ADxyz from 12 PM to 10 PM and revoke access to same login at 10:01 PM...
Jul 23, 2005
Hi All
I am getting an access denied message when I launch the Virtual Server administration screen, however I can connect through the Virtual Machine remote connectivity without any problems. Please help, I upgraded my memory and need to change setting through Virtual Server Administration screen. Is there a way around this issue!
Thank you in advance,
James
--
Message posted via http://www.sqlmonster.com
Sep 15, 2015
I have 3 servers taking part in an AlwaysOn AG.
I want to grant a user READ access to only one replica, and certainly not to the principle.
How do I go about doing this?
Oct 1, 2014
I have a Windows Server 2012 R2 2 node cluster with SQL Server 2014 FCI installed. Data files are on a separate Windows Server 2012 R2 file server. Data files share has been permissioned to the SQL Server service and SQL Server Agent service accounts as Full Control. NTFS Permissions are Full Control.
When I try to attach a database
CREATE DATABASE AdventureWorksDW2012
ON (FILENAME = 'apricotmssql_VIOLETMSSQL12.MSSQLSERVERMSSQLDATAAdventureWorksDW2012_Data.mdf')
FOR ATTACH
I get this error:
Msg 5120, Level 16, State 101, Line 4
Unable to open the physical file "apricotmssql_VIOLETMSSQL12.MSSQLSERVERMSSQLDATAAdventureWorksDW2012_Data.mdf". Operating system error 5: "5(Access is denied.)".
If I log into the file server (called APRICOT) and look at the NTFS permissions they all look good. I have also reapplied the NTFS permissions from the root folder down.
EDIT
If I log on to one of the nodes in the cluster as the SQL Server service account and navigate to apricotmssql_VIOLETMSSQL12.MSSQLSERVERMSSQLDATA and copy and paste the data file, it works fine.
EDIT2:
If I log on to the file server and Enable Inheritance at the root level, then Replace all child objects with inheritable permission entries from this object, I get this error:
User Account Control settings on all nodes and the file server are set to Never notify
Dec 5, 2014
I've recently started working with a public sector organisation who have 4 clustered SQL instances that have 80% of their db mirrored.
Looking at the transaction log - it seems that a transaction log backup is a good idea as the log is 4x larger than the data file. But I'm not allowed access to the physical server to check onto which drive I can create the trn. No RDP, no vmware - let's be honest I'm not even allowed to launch cmd line. Also the Server Manager informs me "We will need to carefully look at database backups if you guys want to start doing these backups on box, as that will break our off box backup routine (it will screw the transaction chain)."
I don't understand how backing up the transaction log could break the "transaction chain"?
Jul 16, 2015
We are upgrading from SQL 2008R2 to SQL2014 but we have discovered that a couple of our applications are not supported on 2014. We'd like to keep one 2008R2 server and one 2014 server until we have time to upgrade the applications and move everything to the new server. The problem is we have custom code in some of the 2014 databases that access tables in the 2008 databases.
I know we can easily do cross server joins by using a linked server, but it would be a huge undertaking to find all that code and add a linked server name in front of every table, stored procedure, etc. So my question is, is there any way to move a database to a different server and still be able to access it without having to qualify the object names with a linked server? Is there some kind of server/database synonym that can be setup that would be recognized by all databases?
Apr 17, 2002
Hello,
I have a simple question and I am not familiar with SQL 7.
How can we access SQL 6.5 databases from the admin tools installed with SQL 7.0? Is it necessary to install, in addition to the 7.0 admin tools, the 6.5 components also?
Can somebody help with that?
Thanks
klaus
Mar 22, 2007
How do I grant admin access to a Windows account without having them a part of the administrators group...
I need to give a user access to every report on the server and the ability to administrate the application side of the server but I cannot give them Administrative access to the machine as a whole. I added the user to the system administrators role in team services but this did not allow her to see all the reports. How does she get access to all the reports without being in the Windows local Administrators group?
Thanks
Chris
Oct 25, 2006
We have SBS2003 and SQL2000 is running on it. Recently we built a trips database and installed the trips application on it, but the problem is that only the administrator can run the Trips application. Other domain users cannot get access to the new trips program. I added the users on the database and double checked.
When normal user logs on, these messages show up:
Message 1:
"MS sql Server login
Connection failed:
SQLState: '01000'
SQL Server Error: 53
Microsoft ODBC SQL Server Driver DBNETLIB ConnectionOpen (Connect()).
Connection failed:
SQLState: '08001'
SQL Server Error:17
Microsoft OBDC SQL Server Driver DBNETLIB SQL Server does not exist or denied."
Message 2:
"File dbo.control could not be opened. Error (r=100).
Press OK to end this application."
Any advance is welcome.
Peter
Jul 5, 2006
On a given Analysis Server the machine level OLAP Administrators group controls which users have admin access to AS Databases and Cubes on that machine. From everything I have read, if you are in the OLAP Administrators group you have full access to administer ALL the databases and cubes.
We have a need to create an OLAP database and grant a few users (a role) full admin access to create and maintain datasources and cubes within that database but NOT allow them admin access to the other existing databases and cubes on the server. This seems like such a common requirement. Has anyone else encountered and resolved this issue?
Thanks,
Tony
Feb 10, 2014
I am a newbie to SQL. I need to create an application that will run on a server, and of course it will be installed by using an admin user. Can I use the install user to access the database on that server?
May 31, 2007
I have an asp.net web application that uses a SQL2000 backend. Any users log in to the application using a proper SQL login, so each user has unique logins.
One of the roles within the application is to allow the user to create new logins for the application, which in turn creates a SQL login. For this I have been using the following special sp's within an application specific sp:
EXEC sp_addlogin @strUsername, null, 'WEA_MIS', @loginlang
EXEC sp_grantdbaccess @strUsername, @strUsername
EXEC sp_addrolemember @strRole, @strUsername
EXEC sp_password NULL, @strPassword, @strUsername
The only way I can get this to run is if the user executing the sp is a member of sys admin; ideally I don't want to be giving anyone access to sys admin. I thought security admin would allow me to do the above but it doesn't. Are there any other ways or ideas to get around this problem?
Cheers,
Craig
Oct 26, 2006
Do I need admin access on my computer to run or manage an SSIS package?
If I don't have admin access on my computer, what functionality of SSIS can I not use?
Jan 3, 2007
I am using a standard installation of SQL 2005 Express installed with Visual C# Express. I have tried several connection strings, have tried connecting different databases, all of which end up giving me access denied for user <machineName>Greg (Greg is the local admin account for this PC). I found this guideline for connectivity questions (http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=362498&SiteID=1), and have gone through it all, posting the answers to questions here. One thing that may be different about this machine is that it is a tablet PC (WinXP Tablet edition) and I am running VMWare Server. I also tried loading it on a WinXP Pro workstation with no VMWare, and have gotten the same results. Any help will be greatly appreciated.
My connection string:
@"Server=(local);Integrated Security=SSPI;Database=Database1");
Client error message:
Cannot open database "Database1" requested by the login. The login failed. Login failed for user 'GREGBORGGreg'.
Client is local to the SQL 2005 Express - this is an application running on a local PC.
I am able to ping -a GREGBORG (as well as localhost)
I am able to telnet to port 1433 of my local machine, although Ctrl+[ does not give me an SQL prompt
I am using ADO.NET 2.0 and Visual C# 2005 Express
I have enabled Shared memory, named pipes and TCP/IP.
I have no aliases configured, and am not requiring encryption.
=========================
I am using SQL 2005 Express loaded on Windows XP tablet edition.
The SQL browser is not enabled, and it says that it has no enabled devices associated with it.
SQL Server is running under the Network System account
I have tried running it firewalled and not firewalled
I am running Clamwin anti-virus
From the ERRORLOG:
2007-01-03 12:29:56.19 Logon Error: 18456, Severity: 14, State: 16.
2007-01-03 12:29:56.19 Logon Login failed for user 'GREGBORGGreg'. [CLIENT: 10.101.1.200]
From the command prompt I get:
C:Documents and SettingsGreg>osql -E -S (local)sqlexpress
1> use Database1
2> go
Msg 911, Level 16, State 1, Server GREGBORGSQLEXPRESS, Line 1
Could not locate entry in sysdatabases for database 'Database1'. No entry found
with that name. Make sure that the name is entered correctly.
When I try to attach Database1 in my 'My Documents' folder, it says that access is denied to the file.
I added a user via SQL Management Studio Express and then received the error:
C:Documents and SettingsGreg>osql -S gregborgsqlexpress -U Greg -P ********
1> sp_attach_db "Database1", "C:documents and SettingsGregMy DocumentsVisual
Studio 2005Projects est_SQL est_SQLDatabase1.mdf"
2> go
Msg 5133, Level 16, State 1, Server GREGBORGSQLEXPRESS, Line 1
Directory lookup for the file "C:documents and SettingsGregMy
DocumentsVisual Studio 2005Projects est_SQL est_SQLDatabase1.mdf" failed
with the operating system error 5(Access is denied.).
1> use northwind
2> go
Msg 945, Level 14, State 2, Server GREGBORGSQLEXPRESS, Line 1
Database 'Northwind' cannot be opened due to inaccessible files or insufficient
memory or disk space. See the SQL Server errorlog for details.
In the ERRORLOG I have:
2007-01-03 12:38:27.25 spid51 Error: 5173, Severity: 16, State: 1.
2007-01-03 12:38:27.25 spid51 One or more files do not match the primary file of the database. If you are attempting to attach a database, retry the operation with the correct files. If this is an existing database, the file may be corrupted and should be restored from a backup.
2007-01-03 13:07:16.82 spid51 Using 'xpstar90.dll' version '2005.90.1399' to execute extended stored procedure 'xp_instance_regread'. This is an informational message only; no user action is required.
2007-01-03 13:09:24.68 Logon Error: 18456, Severity: 14, State: 8.
2007-01-03 13:09:24.68 Logon Login failed for user 'Greg'. [CLIENT: <local machine>]
2007-01-03 13:09:27.43 Logon Error: 18456, Severity: 14, State: 8.
2007-01-03 13:09:27.43 Logon Login failed for user 'Greg'. [CLIENT: <local machine>]
Again, thank you for any help. I think I may have been staring at this too long to be productive any more...
--Greg
Mar 6, 2008
I am developing a package to restore a database from backup file on a remote server. I am having problems accessing the remote backup file when it is addressed via the admin share, in this case N$. It runs okay if a specific share is created but for some unknown reason fails via the adminshare.
I am executing the package job with a proxy account that is a member of the local administrators group on the remote server.
It appears that access via a remote admin share isn't possible from within a SSIS package. Is this the case?
Aug 6, 2015
Would it be possible to disjoin the SQL Server Clustered environment to a new domain without having to reinstall the cluster?
disjoin
e.g 2 node activeactive cluster with 4 named instances. SQLserver1.dn.za; SQLserver2.dn.za; SQLserver3.dn.za;SQLserver4.dn.za
servernode1.dn.za; servernode2
re-join them as SQLserver1.dn.ra; SQLserver2.dn.ra; SQLserver3.dn.ra;SQLserver4.dn.ra
servernode1.dn.ra; servernode2.dn.ra
What would be the impact on the servers, will they be able to resolve the new DNS?
Nov 18, 2015
I just set up a developer as a site admin in SSRS, he has administration rights to the site and also rights on folders that contain reports. He can access the reports folders no problem, however when he tries to access the "Home" folder he gets the error shown below.
UAC is switched off and other people are able to access this OK.
Aug 27, 2015
I want to set up a database role so that users can use sp_readerrorlog through SSMS. It does a check on membership in the securityadmin role.
I have tested it and can see you can grant execute on xp_readerrorlog but the SSMS GUI uses sp_readerrorlog.
I thought I could create a user/certificate and add the signature to sp_readerrorlog but it's not permitted (likely because it's not a normal database object).
So the other solution is to add the users to the securityadmin role but then explicitly deny alter any login (best done with a custom server role in 2012+ but otherwise just manually in 2008). I tested this out and it works, I'm not able to alter any logins or increase my own permissions, I also did a check of what's reported from fn_my_permissions(null, null) and it shows minimal permissions like I'd expect.
Feb 11, 2015
I am running into a weird issue with a new SQL Reporting Services 2014 server I built. I installed SQL Reporting 2014 on Windows Server 2012 R2 and configured Kerberos, but the site is extremely slow. After some reconfiguration and log captures I have determined the issue has to do with the Kerberos setup, however I am running a similar configuration with SQL Reporting Services 2008 on Windows Server 2008 R2 and do not run into the same errors.
The error I see while using Wireshark is KRB Error: KRB5KDC_ERR_BADOPTION NT Status: STATUS_NO_MATCH. When I drill down into the error I can see the Kerberos string is testprjmnmtreports14.company.com, which is the URL we are using to access the site. I made sure to add that name as an SPN for the service account that is running SQL Reporting Services, however I still receive the error.
Then I tried configuring the site to run without a hostheader, so I accessed the site with the server name, ECTSTSQLRS5, and the site works perfectly fine, no errors are reported either. So it seems I have isolated the issue down to Kerberos but I am not sure how to resolve it. Here is some more information about my environment:
DNS/URL used: testprjmnmtreports14.company.com
Server Name (FQDN): ECTSTSQLRS5.company.int
AD Domain Name: company.int
Server Version: Windows Server 2012 R2
AD Functional Level: 2008 R2
As you can see I am trying to use a .com address but my AD domain is .int which I think is the issue, but I do not have the same problem on my other server that is running Windows Server 2008 R2. What do I need to do to allow my new site on 2012 R2 to work with this DNS Alias?
Sep 28, 2007
Hi,
We have the following:
-A "master domain" AD, a "sub domain" AD, a trust relationship between the two (sub trust master)
-A sql server 2005 on a win server 2003 in "sub domain" AD
-A linked server to "sub domain" AD
-A linked server login using a "sub domain" admin account
-A view to this linked server
-A grant on masterDomain/Domain Users to the database
-A grant on subDomain/Domain Users to the database
-We want all connections done through "Windows Authentication" not "Database Authentication".
Queries on the view work fine using "sub domain" user accounts.
Queries on the view fail using "master domain" user accounts (including master domain admin accounts)
"Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation."
All connections are done through "Windows Authentication" not "Database Authentication".
Can we establish cross domain connectivity with "Windows Authentication" ?
Below are details of the implementation:
SELECT TOP (100) PERCENT *
FROM OPENQUERY(ADSI,
'SELECT displayname, givenName, sn, cn (etc...)
FROM ''LDAP://OU=PEOPLE,DC=subDomain,DC=com''
WHERE objectCategory = ''Person'' AND objectClass = ''user'' ')
EXEC sp_addlinkedsrvlogin @rmtsrvname ='ADSI', @useself='false',
@rmtuser='subDomainAdminAccnt', @rmtpassword='sunDomainAdminAccntPassword';
In SQL Server Mngt Studio in Server Objects/Linked Servers/Providers/ ADSI properties security tab I have:
"connections will: <be made using this security context> Remote login:'subDomainAdminAccnt' With password: 'subDomainAdminAccntPassword'
Error:
Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation.
Msg 7320, Level 16, State 2, Line 1
Cannot execute the query "SELECT displayname, givenName, sn, cn
FROM 'LDAP://OU=PEOPLE,DC=subDomain,DC=com'
WHERE
objectCategory = 'Person'
AND objectClass = 'user'
" against OLE DB provider "ADsDSOObject" for linked server "ADSI".