Problems Using BUILTINUsers For Connecting Unpriveleged Windows Accounts
Feb 12, 2008
In a previous thread, I got some help from you all in figuring out how to deploy a per-machine desktop application and database so that it would be available to all Windows accounts on the machine. Basically the advice was to create an SQL user for the database with the BUILTINUsers login which had the necessary privileges for connection.I have tried this approach, but I am still having problems with connections for unpriveleged users. I have given the database user the role of db_Owner as well as other roles, but it seems to make little difference. I have been trying the deployment on several machines running XP, and I get several different responses. But primarily I get the "CREATE DATABASE permission denied in database 'master'" error. All of these computers seem to have the same database user level permissions, but obviously there must be differences somewhere. That worries me from a deployment standpoint.
I don't want to make any changes at the server level login properties for Builtinusers, but I have experimented with changing these, and I've found that giving sysadmin privileges to BuiltinUsers works great. But I doubt that anybody would be very happy with that solution.
I'm confused about the "Create Database" message, because I'm not explicitly creating any database at application startup time. It also seems like this might be an attachment problem, but I'm not sure about anything. Is there really an attachment and detachment of the Express database every time the application is run?
So my bottom line questions are:
Which database level privileges do I need to give to my SQL user with BuiltinUsers login so that any Windows account can connect and write to the database?
Can I accomplish this goal without changing any server level privileges for the BuiltinUsers login.
Thank you.
View 7 Replies
ADVERTISEMENT
Dec 19, 2006
Hello,
I'm having a problem using Windows Accounts to login to a SQL 2005 Server.
Here is my setup. The SQL server and web server are separate machines. I'm also not developing directly on the web server.
SQL Server - Windows 2003 Server- SQL 2005- Set to use SQL and Windows AuthenticationWeb Server- Windows 2003 Server- IIS 6.0 - Anonymous Authentication is disabled - Integrated Windows Authentication is enabledApplication web.config:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"><appSettings> <add key="ETR_Environment" value="Dev"/></appSettings>
<connectionStrings> <add connectionString="Data Source=sql-dev-server, 1179;Initial Catalog=ENV_ETR;Integrated Security=SSPI;" name="ETR_Dev"/> <add connectionString="" name="ETR_Prod"/></connectionStrings>
<system.web> <compilation debug="true" strict="false" explicit="true"/> <pages> <namespaces> <clear/> <add namespace="System"/> <add namespace="System.Collections"/> <add namespace="System.Collections.Specialized"/> <add namespace="System.Configuration"/> <add namespace="System.Text"/> <add namespace="System.Text.RegularExpressions"/> <add namespace="System.Web"/> <add namespace="System.Web.Caching"/> <add namespace="System.Web.SessionState"/> <add namespace="System.Web.Security"/> <add namespace="System.Web.Profile"/> <add namespace="System.Web.UI"/> <add namespace="System.Web.UI.WebControls"/> <add namespace="System.Web.UI.WebControls.WebParts"/> <add namespace="System.Web.UI.HtmlControls"/> </namespaces> </pages>
<authentication mode="Windows"></authentication> <customErrors mode="Off"></customErrors> <authorization> <allow users="XXXWilliam.Klein"/> <deny users="*"/> </authorization></system.web></configuration>
The reason why I want to use the windows login to connect to the database is the application needs to keep track of who did what when entering and updating data but still keep them using there windows login accounts. So using a generic account will not work.
What keeps happening is I keep getting this error: Login failed for user 'NT AUTHORITYANONYMOUS LOGON'. When trying to connect the database. I've tried this on two web servers on another I get something slightly different: Login failed for user 'XXXWeb-Server$'.
Anybody able to give me any suggestions on how to fix this?
View 12 Replies
View Related
Apr 8, 2007
I am no DBA, but this is my task.I have an SQL Server 2000 Database that has an "SQL Account" that hasexecute permission on all Stored procedures. it is what was used bythe company. This one account is used by "all workstations".I want to fix this and use Windows Accounts, and get rid of that SQLAccount. How do I go about adding that Windows Account permission toall the Stored Procedures?What I want to do is to just add several windows account then go aboutremoving the permission where necessary on an account by accountbasis.Any suggestions would be greatly appreciated!
View 2 Replies
View Related
Aug 12, 2015
We are seeing login failures for windows accounts. Below is the error message.
Description: In our env most logins are windows accounts. Initially we thought it is an UAC issue and we tried to launch the SSMS using "Run as Administrator". However, we are seeing login failures.
Enviroment:
Microsoft SQL Server 2014 - 12.0.2402.0 (X64)
RTM Enterprise Edition (HyperVisor)
Error Message in Error Log :
2015-08-10 22:36:45.290 Logon Error: 18456, Severity: 14, State: 11.
2015-08-10 22:36:45.290 Logon Login failed for user 'domainloginname'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 10.xxx.xxx.xxx]
2015-08-10 22:41:23.470 Logon Error: 18456, Severity: 14, State: 11.
2015-08-10 22:41:23.470 Logon Login failed for user 'domainloginname'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 10.xxx.xxx.xxx]
Troubleshooting done:
- Recreated the windows login in sql server. Doesn't work.
- ran sp_valdidatelogins. it doesn't return any rows.
- I belong to sysadmin role and when I say, getting below error message.
xp_logininfo 'domainloginname'
/*
Msg 15404, Level 16, State 19, Procedure xp_logininfo, Line 64
Could not obtain information about Windows NT group/user 'domainloginname', error code 0x5.
*/
We tried dropping this account and re-creating the windows account with same permissions but still result is same.It throws same error message. Login failure message !!!
View 18 Replies
View Related
May 15, 2008
This may be an idiotic question:
I am attempting to use Visual Web Developer Express with a connection to a SQL Express db from a non-admin account on my XP Pro SP2 machine.
I can do everything in the app under an admin login, but can't seem to configure the db to allow the non-admin account access to the db. I've tried tweaking WMI, using Network Service, Local Service, and Local System with NT AUTHORITY, individual logins, and group permissions, but I'm stuck.
Any thoughts?
View 5 Replies
View Related
Aug 12, 2015
I cannot get a consistent answer as to how many domain accounts would be suggested in a SQL Server 2014 installation. Previously the recommendation was a separate account for each service to provide isolation and minimum permissions for each account. It seems from what I've read that a single domain account would have something added to make it unique from SQL Server's perspective. Several still advocate multiple accounts. I don't know if they are doing so because that's the way it's always been done or if there is still some compelling reason to do so. I don't want to create unnecessary accounts simply because something is "ideal."
View 8 Replies
View Related
Jul 23, 2015
Do we still need the below service accounts in SQL 2008+ version even if we have proper SQL service accounts added in the logins?
[NT AUTHORITYSYSTEM]
[NT ServiceMSSQLSERVER]
[NT SERVICEReportServer]
[NT SERVICESQLSERVERAGENT]
[NT SERVICESQLWriter]
[NT SERVICEWinmgmt]
View 0 Replies
View Related
Jun 1, 2001
I'm having problem with SQL Server 7 and
Windows 2000. We are deploying an application
made with VB6. This application is multi-users.
Our client has a network of 3 computers. One of
these computers is the server. The application is
deployed on all 3 machines. On the server,
everything goes well. It is possible to connect,
to insert new data, etc. On the 2 other computers,
with the account that installated SQL7 and created
the DB, USER1, there`s no problem at all. With ANY
other account, it is possible to access most of the
application, but some forms would just not access
the DB. We tried to give all rights to all users
on the SQL Server. Nothing. The security used is
Windows NT (2000). There is no rights on tables.
We tried to make a duplicate of the original USER1
account, with all the same rights. It doesn't work
any better.
So all our security is down, and we're still not
accessing with other accounts. We're connecting
SQL Server via the ODBC. I don`t have a clue what
to do next. Please let me know if you have any hints.
View 1 Replies
View Related
Jul 20, 2005
Hi,I'm planning to develop a small intranet to provide our organizationwith documents online. I've decided to do this using jsp/servletsusing a tomcat server. For an operating system, I have chosen red hatlinux. However, I'd like to keep a small database on a sql server asa datasource. However, this sql server is already part of ourorganization's windows domain. I suspect I'll need to configure sambaso that other terminals on the windows domain will be able to reachthe intranet. What's the best manner in which to connect my linuxservlets to this sql server database? I suspect this may bedifficult, considering the sql server exists within a windows domain,but as a beginner, what do I know. Perhaps someone could point me inthe right direction.
View 4 Replies
View Related
Jan 30, 2006
Can't get winmobile 5 to connect to my sql server 2005 (using vs2005). Here's the connect string:
"Data Source=tcp:XXXXXXdefault,1433;Database=YYYYYY;" _
& "Integrated Security=SSPI;"
This very same string, and variations of it, work in a vs2005 winforms app, but not a windows mobile 5. I'm (obviously) using system.data.sqlclient. MS documentation says it's supported on both platforms with no syntax changes. Any suggestions?
View 11 Replies
View Related
Jan 23, 2007
I am trying to pull data from an Oracle 9i database to my SQL Server 2005 sp1 database on Windows 2003 64bit Itanium server. Each time I try to use the import wizard, select the Microsoft OLE DB driver for Oracle, I get an error message telling me that the Oracle client tools are not installed. This happened after I had already installed the 9i tools, tested the connection using TNSPING and confirmed the tnsnames file was correct. So, I uninstalled the 9i tools and then installed the 10g client tools. Tested everything after the install and then tried the import again selecting the MS OLE DB driver for Oracle. I again got the error message that the Oracle tools were not installed.
has anyone ran into this problem and if so, were you able to fix it?
View 2 Replies
View Related
Feb 17, 2007
Hello!I'm migrating an IIS/SQL-Server application from Windows NT4.0 and SQL-Server 2000 to Windows 2003 Server and SQL-Server 2005.My problem is that it is not possible to connect local (IIS and SQL-Server 2005 are runnng on the same node) using ODBC. Running theapplikation on a remote IIS (XPPro) all works fine. I can't see anydifferences in the ODBC-configuration.Any idea?Thanks
View 5 Replies
View Related
Oct 20, 2006
Hi
I have installed SQL Server 2005 onto a server and then on my client machine I have installed SQL Server 2005 and the Server Management Studio.
When installing it on the server I chose all the defaults so have not setup an sql username or password to connect as I thought I could use Windows.
I go to the Server Management and registered servers, create a new one and enter the ip address of the server and choose Windows Authentication. The following error keeps appearing though and I am not sure what settings/where to check:
Login failed for user ''. The user is not associated with a trusted SQL Server connection. (.Net SqlClient Data Provider)
I have checked and think port 1443 is open on the server, tcpip is enabled but when I choose Windows authentication I cannot enter a username or password as it is greyed out. It has completed the username but no password and these are not the correct ones to connect to the server - I wish to wish the same one I use for RDC.
Or should I try SQL Authentication and if so how would I set this up? Cannot see on the server in SQL Configuration where I could set this?
Hope someone who knows a lot more than me on this can help!
Thanks for your time - this has been driving me mad for days now and everything I print off the internet is not help so any feed back or more useful links to loo up would be great.
View 4 Replies
View Related
Jun 28, 2007
Is there a way to connect to database using Windows authentication as a different user than what you've logged in with to your desktop?
For example:
I log on to my desktop as mydomainme. I'm developing queries using Management Studio against a database (on another server) where mydomainme doesn't have access, but the admins have granted access to mydomainJobs1. I have the password for mydomainJobs1, and I'm hoping I can connect to the database using that account without having to log-off my local desktop as mydomainme and then re-login using mydomainJobs1.
The analogy in the file/share-permissions world would be using "net use" from a command prompt:
net use \SomeServer /User:mydomainJobs1 jobs1password
Anything similar for SSMS?
View 1 Replies
View Related
Feb 5, 2008
Hi,
I have a database of Sql server 2000 in one of my windows XP machine. when iam trying to connect that database from other machine i am getting sql server does n't exist message. I can able to connect the sqlserver through the Enterprise manager but i can not connect the sqlserver through code.
I already used the same code to connect the sql server in windows 2000 machine and i connected to the database without any problem. but iam facing the problem with windows XP machine.
can any body help me to solve this problem.
thanks in advance.Mahesh
View 4 Replies
View Related
Sep 28, 2015
I have a scenario where I want to make a linked server query and report using windows service account credential. I can able to do link query if I RDP into the Server where linked server established using the service account and run query successfully but local client SSMS with my credential fails connecting linked server or querying. Looks to be a sql double hoping problem if so configuration each client domain account to enable delegation will be challenging as mentioned in the following articles instead service account only might work if possible.
View 3 Replies
View Related
Jan 3, 2008
Hi-I have a program that I am developing on a laptop, then deploying it on a server.I have the prgram running passing a username and PW in the connection object, but like the idea of using windows authentication MUCH better.I just joined the domain, so I am domain/me for example.If I log into the server, and look at securities, logins and added domain/me to the logins.I then try and set up a sql connection via both visual studio, and sql server magt studio, and get the dreaded "Cannot generate SSPI context" error. Anyone else have this problem? SHOULD V.S. be using domain/me to connect? TIA dan
View 6 Replies
View Related
Apr 3, 2008
Hi All,
After I installed sql server 2005 64bit standard edition on Windows Server Enterprise 2008 64bit, I cannot connect to the sql instance using the sql management studio on the same machine!
I verified that:
service is running,
in surface area configuration: remote connections to local and remote are enabled, for TCP/IP and named pipes.
ran the command netstat -avn| findstr 49279 to make sure that the server is listening.
firewall is off, but this does not matter since I'm connecting locally to local instance
I'm using domain controller account to login to sql server / also tried the sa account.
what else can be wrong?
thanks.
View 4 Replies
View Related
Jul 23, 2005
What does the "[dbo]." mean in the following sql script stmts?use [IBuyAdventure]GOif exists (select * from dbo.sysobjects whereid = object_id(N'[dbo].[Accounts]')and OBJECTPROPERTY(id,N'IsUserTable') = 1)drop table [dbo].[Accounts]GOand if you please, what does the "N" in N'IsUserTable' mean?thanks,-Steve
View 2 Replies
View Related
Aug 2, 2000
Can anyone tell me the purpose to using service accounts in SQL Server rather than just having the services start as a system account.
Thanks
John Shurer
john.shurer@gte.net
View 2 Replies
View Related
Mar 1, 2001
Hi,
How can i code a SQL statement that will return the top 20 accounts from a huge client table?
Thanks
View 1 Replies
View Related
Jan 26, 2012
I am setting up Replication and have a question about what's considered best practice for the accounts that will be running the replication agents. Microsoft says, "Run each replication agent under a different Windows account, and use Windows Authentication for all replication agent connections." What they don't say is whether these accounts are local accounts or domain accounts.
Which should I use/create, domain accounts or local accounts?
View 1 Replies
View Related
Jun 18, 2008
The following error keeps being reported in the Domain Controller Logs:
"There are multiple accounts with name MSSQLSvc/....."
View 1 Replies
View Related
Jan 26, 2007
Im pretty new to DBA world
We have a SQL2005 Standard setup with mirror and witness
I create a Database in the Principle, create a SQLLogon account and give it permission to the database. All works.
I then fail the databse over to SQL2 and the database is there, it has the SQLAccount I create at the database level, but a logon does not work. I notice there is not login account at the database level and If I attempt to create one, I am told there is one already. I try to assign permission to that account for the database and it again replys that there is already on.
Is this refered to as an orphaned logon?
I was a post on Moving logins from on server to another, is that what I must do?
THank you
View 7 Replies
View Related
Sep 15, 2000
When creating a login account, it is associated with a default database.
Is it then necessary to grantdbaccess to the default database?
View 1 Replies
View Related
Jun 7, 2005
I just had a question,
Is it possible to have a different account for the accoutn that starts the MSSQLServer service and the account tied to the Mail profile on the server?
We had created an account to start the SQLServer but we are in a network where we have a 1 way trust with another domain, we trust them but they dont trust us, and our exchange is on their domain.
WE currently use Windows authentication so our account used to start SQL Server would not be trusted by exchange.
Our thoughts on a solution were to have them create a service account that we would have access to the mailbox and would also start the SQL Server but thats it.
I was just wondering if anyone else had any other suggestions.
Thanks.
View 1 Replies
View Related
Jan 17, 2005
Hi,
how do you create a username and password for a database in SQL.
Thanks
View 3 Replies
View Related
Aug 18, 2006
Hi Everyone. I have 150 SQL servers (2000 MSDE). They all run using various domain accounts as their service logins. Is there an automated way to find out those service logins? Maybe a query I could run on each server? I really do not want to go to each of those 150 servers and look at their properties manualy! :S Any help would be greatly appreciated! Thank you.
View 6 Replies
View Related
Aug 9, 2013
I have 3 tables
CREATE TABLE [dbo].[ACCT_MASTER](
[POLICY_YEAR] [char](4) NULL,
[GL_ACCOUNT] [nvarchar](8) NULL,
[GL_ACCT_DESCRIPTION] [nvarchar](100) NULL,
[GL_ACCT_LINE_NUM] [int] NULL,
[GL_NUM_LINE_NUM] [int] NULL,
[GENERAL] [int] NULL,
[Code] ....
ACCT_MASTER HISTORY Dates
Gl_ACCOUNT yearGL_NUMBER Perid
12345-00 201312345-00-20131304
67890-00 201067890-00-20101305
54321-08 201354321-00-20131304
.
.
Total of 3640 accounts
I can't figure out how to display all 3640 accounts. If there is no match in HISTORY table for this period display 0 for the calculations but display Gl_ACCOUNT + year.
12345-00-2013
67890-00-2010 0
54321-00-2013
All 3640 rows here
My code shows only 3469 records.
select M.GL_ACCOUNT +'-'+ isnull(policy_year, '0000')NewGL, isNull (SUM(PRIOR_VDIFFPRIOR), 0)as [PriorEndOfMont],
ISNULL(sum(CURR_VDIFFPRIOR),0) as [CurrentEndOfmonth] ,
isnull (SUM (PRIOR_VDIFFPRIOR),0) - isnull (sum(CURR_VDIFFPRIOR),0) as Difference
from GL_ACCT_MASTER m
left outer join SUMMARY s on M.GL_ACCOUNT +'-'+ isnull(policy_year, '0000') = s.GL_NUMBER
group by GL_NUMBER,M.GL_ACCOUNT +'-'+ isnull(policy_year, '0000')order by GL_NUMBER,M.GL_ACCOUNT +'-'+ isnull(policy_year, '0000')
View 3 Replies
View Related
Feb 17, 2004
Is it possible to write a T-SQL scripts to change the accounts that run the SQLExec service and the SQL Agent service? If so how?
View 7 Replies
View Related
Jun 12, 2007
I have a SQL2005 in a cluster environment, for some reason the only way that user accounts can login to either the database or SSMS is to grant them the SysAdmin role. This access is a little to high for my liking and am wondering if anyone else has come across this before.
Thank you
View 15 Replies
View Related
Jan 22, 2008
I don't understand why this subquery doesn't work. If I replace the subquery with a View it works. I am trying to determine the number of "active accounts" in a group of transactions during December. What am I missing?
SELECT salesrun_id, Count(account_id) FROM
(SELECT salesrun_id, account_id FROM Trades t
WHERE t.date > '2007-12-01'
GROUP BY t.salesrun_id, t.account_id)
Msg 102, Level 15, State 1, Line 4
Incorrect syntax near ')'.
View 2 Replies
View Related
Dec 12, 2006
I've just been looking at a new 2005 install and found 3 logins:SERV1SQLServer2005SQLAgentUser$SERV1$MSSQLSERVERSERV1SQLServer2005MSSQLUser$SERV1$MSSQLSERVERSERV1SQLServer2005MSFTEUser$SERV1$MSSQLSERVERAre these logins created during the install of SQLServer2005 by defaultand what are they used for ? Can they be deleted safely ? If they arerequired, can the names be set during install to something else ?TIALaurence Breeze
View 4 Replies
View Related