Do Managed Local Accounts Remove Need For Multiple Domain Accounts
Aug 12, 2015
I cannot get a consistent answer as to how many domain accounts would be suggested in a SQL Server 2014 installation. Previously the recommendation was a separate account for each service to provide isolation and minimum permissions for each account. It seems from what I've read that a single domain account would have something added to make it unique from SQL Server's perspective. Several still advocate multiple accounts. I don't know if they are doing so because that's the way it's always been done or if there is still some compelling reason to do so. I don't want to create unnecessary accounts simply because something is "ideal."
View 8 Replies
ADVERTISEMENT
Apr 5, 2007
I have a root domain and child domain.
After using ADMT to migrate the domain user or group into the root domain, when I use enterprise manager to try and change the permissions allocated to that domain user/group, i get the 'Error 15401 NT user or Group not found'.
This is a correct error as the user is now in the root domain, however sql (in sysxlogins) still thinks its in the child domain.
Is there a simpler way, other than collecting the users permissions, deleting the user from SQL then adding back in with the correct domainusername format, then adding the permissions back?
I tried renaming the 'name' in sysxlogins (not recommended) and while that worked, whenever I tried to add the migrated user to another database, the login name was missing and would not resolve.
I believe it is something to do with the SID not matching.
Any ideas on how to fix this ?
View 1 Replies
View Related
Jul 23, 2015
Do we still need the below service accounts in SQL 2008+ version even if we have proper SQL service accounts added in the logins?
[NT AUTHORITYSYSTEM]
[NT ServiceMSSQLSERVER]
[NT SERVICEReportServer]
[NT SERVICESQLSERVERAGENT]
[NT SERVICESQLWriter]
[NT SERVICEWinmgmt]
View 0 Replies
View Related
Jun 8, 2007
I have 4 new SQL Server 2005 installations on Windows 2003 that I configured at our main office and shipped to a hosting center. All four servers are members of our domain. I set up test datbases with replication on one of the servers and facilitated this with a domain account.
Now that I've moved the servers to the hosting center (which has a DC) and I'm not having any luck adding domain accounts to the permissions section on any of the the SQL Server boxes.
When I try to add a domain account in the SQL Server's permissions window I get "Name Not Found". By every indication the server is connected to the domain. I can log on using my domain account; I can create shares specifying domain accounts but I can't seem to add domain accounts to the SQL server permissions. When I look in the permission's tab I still see the original domain account, I had added back in the main office, stranded by itself in the list of users. We're using mixed authentication by the way.
Why doesn't SQL Server recognize the domain? Where does it get it's list of users? Does the account I'm logging in with just not have the permission to add domain accounts? These diaglogs are slightly different from the normal 'add a user' dialog boxes.
I feel like this must be a simple oversight. Any help would be appreciated. I'd prefer to move away from local accounts to keep things simple.
View 2 Replies
View Related
May 30, 2007
We're getting an error where we can't add a login with the full dns name of a user - domain.xyzuser, for example. Get an error 15401, "Windows NT user or group domain.xyzuser' not found". The domain has a different Netbios name and DNS domain names, so we can add the user when we use the form "netbiosnameuser". So far so good.
Unfortunately, we have another application - Office Share Point Server whose shared services provider won't run, giving errors in the event log every 60 seconds that "Windows NT user or group 'domain.xyzuser' not found".
It looks as if SQL insists upon listing users in the form netbiosdomainnameuser, and applications that look for domain.xyzuser simply fail to authenticate.
Suggestions?
jnfranc at yahoo period com
View 3 Replies
View Related
Jul 12, 2006
Hi There
Currently we run a certain instance , agent under local system on a server.
I want to create specific domain accounts for the sql server service and agent, now i know that one should create these accounts with the least priviledge for security reasons.
cannot find the topic in BOL, can some please give me the BOL topic or a link to exactly what the least priviledge is for the domain accounts for sql server services.
Thanx
View 4 Replies
View Related
Jul 23, 2014
Installed sql server 2012 enterprise. Runs with the built in account fine.
I tried entering a domain account to run as the service account from sql configuration it fails with the error "the specified network password is not correct".
I tried from services.msc and entered successfully but when I try to restart it fails that the log in credentials are wrong.
the domain account and password I entered are just fine. What's it I should do or missing?
View 3 Replies
View Related
Jan 18, 2008
I'm attempting to write a script that I can execute accross 30 servers that will create a domain login and subsequently grant access to said account on all databases per server. The only problem that I'm running into is trying to dymanically create the login. Example source is below.
declare @sql varchar(1000)
declare @loginname varchar(50)
select @loginname = 'DOMAINaccountname'
set @sql = 'if not exists (select * from master.dbo.syslogins where name = N' + char(39) + 'DOMAINaccountname' + char(39) + ')' + char(10) + char(13)
set @sql = @sql + 'begin ' + char(10) + char(13)
set @sql = @sql + char(9) + 'exec master.dbo.sp_grantlogin ' + quotename(@loginname)
print @sql
exec (@sql)
Here is the generated output and the error. Any suggestions would be appreciated.
if not exists (select * from master.dbo.syslogins where name = N'DOMAINaccountname')
begin
exec master.dbo.sp_grantlogin [DOMAINaccountname]
Msg 102, Level 15, State 1, Line 3
Incorrect syntax near 'DOMAINaccountname'.
View 4 Replies
View Related
May 21, 2015
My company doesn't allow using Local Service / Network Service accounts for SQL Server. So I created domain service accounts. Can multiple SQL Server installations use the same domain service accounts ?
View 4 Replies
View Related
Apr 6, 2006
Hi all,After working for weeks on a project in VB.Net, I decided to deploy atest version on a user's computer.The user's XP SP2 computer has sql server xpress 2005 installed, and myVB.net creation. Everything works without problem when the user's XPaccount is set with Administrator permissions. But when i change theuser account to Limited, the program fails with the following message:"Failed to generate a user instance of SQL server due to a failure instarting the process for the user instance. The connection will beclosed."The connection string I'm using is: "DataSource=.SQLEXPRESS;AttachDbFilename="|DataDirectory|DbTrial1.mdf";IntegratedSecurity=True;User Instance=True;Connect Timeout=30"Is there a workaround to get access for XP users with limited accounts?Many thanks :)p.s. allready tried changing in the connection string to "UserInstance=False", but then i get the error "An attempt to attach anauto-named database..... failed.. etc"And I've already tried the most common suggestion to delete the"SQLEXPRESS" folder in local settingsapplication data... but thatdoesn't do anything either :(
View 1 Replies
View Related
Oct 2, 2007
Hi,
Re: SQL Server 2005
We have defined a local administrator to be the SQL Server and SQL Server Agent services user, and is also the job step owner for some SSIS packages I am running.
My question is, isn't by default a local administrator ALSO granted sysadmin in SQL Server? According to this link, it seems to imply this:
http://msdn2.microsoft.com/en-us/library/ms143504.aspx
However, I am having some permissions problems with the local adminstrator account (i.e. SQL Server agent account) when it runs the job. The error is that it doesn't have execute permissions on sp_dts_addlogentry.
How can this be, if it's granted sysadmin?
Thanks
View 6 Replies
View Related
Jan 7, 2008
Hi There
I am doing an unattended upgrade of Sql Express with Advanced Services SP1.
Before the upgrade the services run under domain accounts.
I use the following command :
start /wait setup UPGRADE=SQL_Engine INSTANCENAME=MSSQLSERVER SQLACCOUNT=DOMAINUser SQLPASSWORD=p@ssw0rd ADDLOCAL=Client_Components,SQL_SSMSEE /qn
However after the ugrade the service accounts are running under local system.
Documentation is unclear, i find the following:
; The services for SQL Server and Analysis Server are set auto start. To use the *ACCOUNT settings
; make sure to specify the DOMAIN, e.g. SQLACCOUNT=DOMAINNAMEACCOUNT
; NOTE: When installing SQL_Engine 3 accounts are REQUIRED: SQLACCOUNT, AGTACCOUNT and SQLBROWSERACCOUNT.
; SQLACCOUNT Examples:
; SQLACCOUNT=<domainuser>
; SQLACCOUNT="NT AUTHORITYSYSTEM"
; SQLACCOUNT="NT AUTHORITYNETWORK SERVICE"
; SQLACCOUNT="NT AUTHORITYLOCAL SERVICE"
To my knowledge the <> is not required.
Can someone please help as i cannot get the services accounts to run under a domain user after upgrade.
Thanx
View 1 Replies
View Related
Jun 18, 2008
The following error keeps being reported in the Domain Controller Logs:
"There are multiple accounts with name MSSQLSvc/....."
View 1 Replies
View Related
Feb 11, 2014
I setup SQL Server 2012 on Windows Server 2012 with the service accounts in the local Administrator group, but now that I'd like to remove the accounts from this group I'm finding they don't have the appropriate access to the network storage. notes on setting the per-service SID's for SQL (SQL Engine, Analysis Services, Reporting Services, and Agent Service) so they can read the Data, Log, and TempDB mount points?
View 2 Replies
View Related
May 24, 2006
I attempted to setup database mirroring using a High Availability scenario but when I installed SQL is chose to use local system accounts for all the services. Consequently, I stubled upon a microsoft article explaining how to setup mirroring using local system accounts and certificate authentication but I am stil not able to get it to work. When I try ti initiate the mirror from the mirror server I receive an error stating "Neither the partner nor the witness server instance for database "EDENLive" is available. Reissue the command when at least one of the instances becomes available." I have checked all the endpoints and everything seems to be in order. I even checked to make sure that each server was listening on the appropriate ports and I AM able to telnet to the ports. Please help!
View 1 Replies
View Related
Mar 6, 2006
Hi,
I'm trying to make the select query attached neater by removing the list of accounts and simply providing a range. For the life of me, I can't seem to figure out how to do it. So hopefully one of you can help me out with this.
View 7 Replies
View Related
Sep 26, 2007
I am in process of setting up job failure notification and one of the requirements that I have is to send notification to multiple users. I would appreciate any suggestion. One of the possible ways would be to create some sort of group account on exchange server with all users added as members. Is there anyway though where I could use users' individual accounts and based on that forward notification to them?
Thanks
View 5 Replies
View Related
Jul 23, 2005
What does the "[dbo]." mean in the following sql script stmts?use [IBuyAdventure]GOif exists (select * from dbo.sysobjects whereid = object_id(N'[dbo].[Accounts]')and OBJECTPROPERTY(id,N'IsUserTable') = 1)drop table [dbo].[Accounts]GOand if you please, what does the "N" in N'IsUserTable' mean?thanks,-Steve
View 2 Replies
View Related
Aug 2, 2000
Can anyone tell me the purpose to using service accounts in SQL Server rather than just having the services start as a system account.
Thanks
John Shurer
john.shurer@gte.net
View 2 Replies
View Related
Mar 1, 2001
Hi,
How can i code a SQL statement that will return the top 20 accounts from a huge client table?
Thanks
View 1 Replies
View Related
Jan 26, 2012
I am setting up Replication and have a question about what's considered best practice for the accounts that will be running the replication agents. Microsoft says, "Run each replication agent under a different Windows account, and use Windows Authentication for all replication agent connections." What they don't say is whether these accounts are local accounts or domain accounts.
Which should I use/create, domain accounts or local accounts?
View 1 Replies
View Related
Jan 26, 2007
Im pretty new to DBA world
We have a SQL2005 Standard setup with mirror and witness
I create a Database in the Principle, create a SQLLogon account and give it permission to the database. All works.
I then fail the databse over to SQL2 and the database is there, it has the SQLAccount I create at the database level, but a logon does not work. I notice there is not login account at the database level and If I attempt to create one, I am told there is one already. I try to assign permission to that account for the database and it again replys that there is already on.
Is this refered to as an orphaned logon?
I was a post on Moving logins from on server to another, is that what I must do?
THank you
View 7 Replies
View Related
Sep 15, 2000
When creating a login account, it is associated with a default database.
Is it then necessary to grantdbaccess to the default database?
View 1 Replies
View Related
Jun 7, 2005
I just had a question,
Is it possible to have a different account for the accoutn that starts the MSSQLServer service and the account tied to the Mail profile on the server?
We had created an account to start the SQLServer but we are in a network where we have a 1 way trust with another domain, we trust them but they dont trust us, and our exchange is on their domain.
WE currently use Windows authentication so our account used to start SQL Server would not be trusted by exchange.
Our thoughts on a solution were to have them create a service account that we would have access to the mailbox and would also start the SQL Server but thats it.
I was just wondering if anyone else had any other suggestions.
Thanks.
View 1 Replies
View Related
Jan 17, 2005
Hi,
how do you create a username and password for a database in SQL.
Thanks
View 3 Replies
View Related
Aug 18, 2006
Hi Everyone. I have 150 SQL servers (2000 MSDE). They all run using various domain accounts as their service logins. Is there an automated way to find out those service logins? Maybe a query I could run on each server? I really do not want to go to each of those 150 servers and look at their properties manualy! :S Any help would be greatly appreciated! Thank you.
View 6 Replies
View Related
Aug 9, 2013
I have 3 tables
CREATE TABLE [dbo].[ACCT_MASTER](
[POLICY_YEAR] [char](4) NULL,
[GL_ACCOUNT] [nvarchar](8) NULL,
[GL_ACCT_DESCRIPTION] [nvarchar](100) NULL,
[GL_ACCT_LINE_NUM] [int] NULL,
[GL_NUM_LINE_NUM] [int] NULL,
[GENERAL] [int] NULL,
[Code] ....
ACCT_MASTER HISTORY Dates
Gl_ACCOUNT yearGL_NUMBER Perid
12345-00 201312345-00-20131304
67890-00 201067890-00-20101305
54321-08 201354321-00-20131304
.
.
Total of 3640 accounts
I can't figure out how to display all 3640 accounts. If there is no match in HISTORY table for this period display 0 for the calculations but display Gl_ACCOUNT + year.
12345-00-2013
67890-00-2010 0
54321-00-2013
All 3640 rows here
My code shows only 3469 records.
select M.GL_ACCOUNT +'-'+ isnull(policy_year, '0000')NewGL, isNull (SUM(PRIOR_VDIFFPRIOR), 0)as [PriorEndOfMont],
ISNULL(sum(CURR_VDIFFPRIOR),0) as [CurrentEndOfmonth] ,
isnull (SUM (PRIOR_VDIFFPRIOR),0) - isnull (sum(CURR_VDIFFPRIOR),0) as Difference
from GL_ACCT_MASTER m
left outer join SUMMARY s on M.GL_ACCOUNT +'-'+ isnull(policy_year, '0000') = s.GL_NUMBER
group by GL_NUMBER,M.GL_ACCOUNT +'-'+ isnull(policy_year, '0000')order by GL_NUMBER,M.GL_ACCOUNT +'-'+ isnull(policy_year, '0000')
View 3 Replies
View Related
Feb 17, 2004
Is it possible to write a T-SQL scripts to change the accounts that run the SQLExec service and the SQL Agent service? If so how?
View 7 Replies
View Related
Jun 12, 2007
I have a SQL2005 in a cluster environment, for some reason the only way that user accounts can login to either the database or SSMS is to grant them the SysAdmin role. This access is a little to high for my liking and am wondering if anyone else has come across this before.
Thank you
View 15 Replies
View Related
Jan 22, 2008
I don't understand why this subquery doesn't work. If I replace the subquery with a View it works. I am trying to determine the number of "active accounts" in a group of transactions during December. What am I missing?
SELECT salesrun_id, Count(account_id) FROM
(SELECT salesrun_id, account_id FROM Trades t
WHERE t.date > '2007-12-01'
GROUP BY t.salesrun_id, t.account_id)
Msg 102, Level 15, State 1, Line 4
Incorrect syntax near ')'.
View 2 Replies
View Related
Dec 12, 2006
I've just been looking at a new 2005 install and found 3 logins:SERV1SQLServer2005SQLAgentUser$SERV1$MSSQLSERVERSERV1SQLServer2005MSSQLUser$SERV1$MSSQLSERVERSERV1SQLServer2005MSFTEUser$SERV1$MSSQLSERVERAre these logins created during the install of SQLServer2005 by defaultand what are they used for ? Can they be deleted safely ? If they arerequired, can the names be set during install to something else ?TIALaurence Breeze
View 4 Replies
View Related
Nov 22, 2006
Seems only a few of us are experimenting with WSS 3.0 and RSS 2005 (requires sp2 ctp). I've gotten just so far after battling several installation problems. Only Brian Welcker and Spyuta (sp?) have been active here or on their blogs about this. While the instructions are good at the RSS addin for sharepoint page, http://download.microsoft.com/download/f/2/5/f250ed72-c102-4216-8653-63189e24fa02/readme_rsaddin.htm, there are some notable word mismatches. Under the section "Install the Reporting Services Add-in and Configure the Report Server on the SharePoint Technology Instance" they refer to granting accounts access to the database, which is labelled, 'add trusted accounts'.
This is as far as I can go because within that step there is a dialog prompting for credentials and no matter what I use, domain, local, whatever, the page displays a warning in red above the server name that says 'Some or all identity references could not be translated' And so it seems that is where I'm stuck.
If I change the server name in the page to an IP number, then I get this warning instead:
Report Server is not running on the same machine as SharePoint and Report Server is configured to run as a machine account. This is not a supported configuration in CTP2
Both of these assumptions are untrue. My report server is running side by side, and I have changed the port number in the rsconfig file. I try using the port number along with the ip number or machine name, but then I just get:
A connection to the computer cannot be established
Banging my head on this long enough, I now go back to the 'Integration setttings' page and change the authentication mode from Windows authentication to Trusted account. Now I redo the 'Add trusted account' page and it seems to go through without an issue. (whoa, I just ignored the directions and did the opposite)
I check the domain account used as service account for all of the above and I see it has been granted dbo and RSExecRole for the WSS/RS integrated database.
Now I can move ahead and actually see how the RSS integration with WSS 3.0 works. Of particular interest is deploying already created reports that I had appearing in the report manager web app before creating the integrated RSS database.
View 4 Replies
View Related
Oct 30, 2006
Hi,
Please could someone let me know what the minimum Server and Database roles are for an Account to use SMO to create further accounts, using SQLSever accounts and not Windows authentication.
I'm finding it hard to find the right documentation.... Could someone give me a link into SQ Server Books 2005 (Express) online, that explains SQL Server security from the ground up. ie What all the roles are for etc.
Thanks
John
View 6 Replies
View Related
