Problems With Change Sql Permissions After Migrating Domain User/group Accounts Into Root Domain
Apr 5, 2007
I have a root domain and child domain.
After using ADMT to migrate the domain user or group into the root domain, when I use enterprise manager to try and change the permissions allocated to that domain user/group, i get the 'Error 15401 NT user or Group not found'.
This is a correct error as the user is now in the root domain, however sql (in sysxlogins) still thinks its in the child domain.
Is there a simpler way, other than collecting the users permissions, deleting the user from SQL then adding back in with the correct domainusername format, then adding the permissions back?
I tried renaming the 'name' in sysxlogins (not recommended) and while that worked, whenever I tried to add the migrated user to another database, the login name was missing and would not resolve.
I believe it is something to do with the SID not matching.
Any ideas on how to fix this ?
View 1 Replies
ADVERTISEMENT
Jun 8, 2007
I have 4 new SQL Server 2005 installations on Windows 2003 that I configured at our main office and shipped to a hosting center. All four servers are members of our domain. I set up test datbases with replication on one of the servers and facilitated this with a domain account.
Now that I've moved the servers to the hosting center (which has a DC) and I'm not having any luck adding domain accounts to the permissions section on any of the the SQL Server boxes.
When I try to add a domain account in the SQL Server's permissions window I get "Name Not Found". By every indication the server is connected to the domain. I can log on using my domain account; I can create shares specifying domain accounts but I can't seem to add domain accounts to the SQL server permissions. When I look in the permission's tab I still see the original domain account, I had added back in the main office, stranded by itself in the list of users. We're using mixed authentication by the way.
Why doesn't SQL Server recognize the domain? Where does it get it's list of users? Does the account I'm logging in with just not have the permission to add domain accounts? These diaglogs are slightly different from the normal 'add a user' dialog boxes.
I feel like this must be a simple oversight. Any help would be appreciated. I'd prefer to move away from local accounts to keep things simple.
View 2 Replies
View Related
Sep 28, 2007
Hi,
We have the followoing:
-A "master domain" AD, a "sub domain" AD, a trust relationship between the two (sub trust master)
-A sql server 2005 on a win server 2003 in "sub domain" AD
-A linked server to "sub domain" AD
-A linked server login using a "sub domain" admin acccount
-A view to this linked server
-A grant on masterDomain/Domain Users to the database
-A grant on subDomain/Domain Users to the database
-We want all connections done through "Windows Authentication" not "Database Authentication".
Queries on the view work fine using "sub domain" user accounts.
Queries on the view fail using "master domain" user accounts (including master domain admin accounts)
"Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation."
All connections are done through "Windows Authentication" not "Database Authentication".
Can we establish cross domain connectivity with "Windows Authentication" ?
Below are details of the implementation:
SELECT TOP (100) PERCENT *
FROM OPENQUERY(ADSI,
'SELECT displayname, givenName, sn, cn (etc...)
FROM ''LDAP://OU=PEOPLE,DC=subDomain,DC=com''
WHERE objectCategory = ''Person'' AND objectClass = ''user'' ')
EXEC sp_addlinkedsrvlogin @rmtsrvname ='ADSI', @useself='false',
@rmtuser='subDomainAdminAccnt', @rmtpassword='sunDomainAdminAccntPassword';
In SQL Server Mngt Studio in Server Objects/Linked Servers/Providers/ ADSI properties security tab I have:
"connections will: <be made using this security context> Remote login:'subDomainAdminAccnt' With password: 'subDomainAdminAccntPassword'
Error:
Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation.
Msg 7320, Level 16, State 2, Line 1
Cannot execute the query "SELECT displayname, givenName, sn, cn
FROM 'LDAP://OU=PEOPLE,DC=subDomain,DC=com'
WHERE
objectCategory = 'Person'
AND objectClass = 'user'
" against OLE DB provider "ADsDSOObject" for linked server "ADSI".
View 7 Replies
View Related
Jun 8, 2007
Hi,
I want to use a domain user account not belonging to local admin or domain admin groups in SQL 2000/2005 Enterprise edition. This is what I've done so far..
On the machine that is the Domain Controller:
- installed SQL 2005 as a domain admin
- created a domain user account using Active Directory Users and Computers. This user is only
"Member of" domain users; not any Administrators group.
- added this user to SQL Server Management Studio->Logins and in Server Roles assigned
sysadmin role.
Question 1: Do I need to give any additional permissions to this user to work with SQL?
Question 2: How can I test this user for basic SQL operations like database creation? Can I use Osql?
Question 3: Can I use this user account to login to my domain controller using remote desktop? I tried adding this user to remote users, but in vain.
Thanks!
View 3 Replies
View Related
Aug 12, 2015
I cannot get a consistent answer as to how many domain accounts would be suggested in a SQL Server 2014 installation. Previously the recommendation was a separate account for each service to provide isolation and minimum permissions for each account. It seems from what I've read that a single domain account would have something added to make it unique from SQL Server's perspective. Several still advocate multiple accounts. I don't know if they are doing so because that's the way it's always been done or if there is still some compelling reason to do so. I don't want to create unnecessary accounts simply because something is "ideal."
View 8 Replies
View Related
Dec 1, 2007
I'm running my job from the command line using DTExec as follows:-
DTExec /FILE "C:MyPathMyPackage.dtsx" /CONFIGFILE "C:MyPathMyDtsConfig.xml" /MAXCONCURRENT " -1 "
When I log in as Administrator the package runs perfectly.
When I log in as Domain User (the one I really want to have running the package) I get:-
Started: 10:49:08 PM
Error: 2007-11-30 22:49:08.30
Code: 0xC0011007
Source: {807048F4-DE2A-465E-B9A7-82E163791556}
Description: Unable to load the package as XML because of package does not have a valid XML format. A specific XML parser error will be posted.
End Error
I have checked, and the Domain User has
"Full Control" permissions to the directory the package is in and
"Full Control" permissions for the DTSX file and
"Full Control" permissions to the directory the dtsConfig is in and
"Full Control" permissions for the dtsConfig fileAny suggestions as to what is wrong?
View 7 Replies
View Related
Jan 22, 2008
Is there a way to change a logins based on domain users, we just changed domains so all the domainlogin logins are not working anymore. Do I have to reapply every security on every database object? There has to be a fix for this, its a common thing.
Any help is greatly appreciated, everything i googled applied to SQL Server 2000 and system tables that dont exist in 2005
View 3 Replies
View Related
Jul 19, 2007
If I have a domain user DOMAINuser1 who belongs to multiple window groups say DOMAINLookupConfigUsers and DOMAINAuditConfigUsers. In sqlserver, I would create two logins - DOMAINLookupConfigUsers and DOMAINAuditConfigUsers and matching users in the database. Then I grant LookupConfig role to the LookupConfigUsers user and AuditConfig role to the AuditConfigUsers user in the database. When DOMAINuser1 logs in, will it have both roles? I try to set this up but it does not seem to work. The domain user only picks up one of the role. Am I on the right track? If not, what is the proper way to grant multiple roles to a user when it belongs to multiple groups and each group has different privileges in the database.
View 4 Replies
View Related
Jan 22, 2008
After SQL Server 2005 Database Engine is installed by domain administrator, how to give permissions to a regular domain user so that user can control SQL Server Database service?
View 3 Replies
View Related
Mar 2, 2006
Currently running a SQL 2000 server in 2000 domain and want to migrate it to a new 2003 domain of the same name.
How do I go about it and is there any problems with this plan?
View 1 Replies
View Related
May 20, 2014
I have been struggling with this one for awhile now.I have a domain group which only must view the steps and history of all agent jobs.I have added the group to the sqlagentreadergroup.I have created a new role and denied this role,add job,update job,delete job etc execute permissions.But the user still can change ,delete or create a new job.
All the groups and users in th new role,does not have sysadmin rights.
we have sql 2012 enterprise version
What else can i try.I need this for audit purposes.
View 7 Replies
View Related
May 30, 2007
We're getting an error where we can't add a login with the full dns name of a user - domain.xyzuser, for example. Get an error 15401, "Windows NT user or group domain.xyzuser' not found". The domain has a different Netbios name and DNS domain names, so we can add the user when we use the form "netbiosnameuser". So far so good.
Unfortunately, we have another application - Office Share Point Server whose shared services provider won't run, giving errors in the event log every 60 seconds that "Windows NT user or group 'domain.xyzuser' not found".
It looks as if SQL insists upon listing users in the form netbiosdomainnameuser, and applications that look for domain.xyzuser simply fail to authenticate.
Suggestions?
jnfranc at yahoo period com
View 3 Replies
View Related
Jul 12, 2006
Hi There
Currently we run a certain instance , agent under local system on a server.
I want to create specific domain accounts for the sql server service and agent, now i know that one should create these accounts with the least priviledge for security reasons.
cannot find the topic in BOL, can some please give me the BOL topic or a link to exactly what the least priviledge is for the domain accounts for sql server services.
Thanx
View 4 Replies
View Related
Jul 23, 2014
Installed sql server 2012 enterprise. Runs with the built in account fine.
I tried entering a domain account to run as the service account from sql configuration it fails with the error "the specified network password is not correct".
I tried from services.msc and entered successfully but when I try to restart it fails that the log in credentials are wrong.
the domain account and password I entered are just fine. What's it I should do or missing?
View 3 Replies
View Related
Jan 18, 2008
I'm attempting to write a script that I can execute accross 30 servers that will create a domain login and subsequently grant access to said account on all databases per server. The only problem that I'm running into is trying to dymanically create the login. Example source is below.
declare @sql varchar(1000)
declare @loginname varchar(50)
select @loginname = 'DOMAINaccountname'
set @sql = 'if not exists (select * from master.dbo.syslogins where name = N' + char(39) + 'DOMAINaccountname' + char(39) + ')' + char(10) + char(13)
set @sql = @sql + 'begin ' + char(10) + char(13)
set @sql = @sql + char(9) + 'exec master.dbo.sp_grantlogin ' + quotename(@loginname)
print @sql
exec (@sql)
Here is the generated output and the error. Any suggestions would be appreciated.
if not exists (select * from master.dbo.syslogins where name = N'DOMAINaccountname')
begin
exec master.dbo.sp_grantlogin [DOMAINaccountname]
Msg 102, Level 15, State 1, Line 3
Incorrect syntax near 'DOMAINaccountname'.
View 4 Replies
View Related
May 21, 2015
My company doesn't allow using Local Service / Network Service accounts for SQL Server. So I created domain service accounts. Can multiple SQL Server installations use the same domain service accounts ?
View 4 Replies
View Related
Jan 21, 2003
We are currently in the process of migrating users from a NT 4.0 domain to a win2k Domain. On some of our SQL Servers the Windows Authenticated users own objects within the database. These Windows Authenticated users also own SQL Server Job and DTS Packages. Once these Windows Authenticated users are moved over to the Windows 2000 Domain they have to qualify there database objects, they can not see their SQL Server Jobs they created and they cannot modify the DTS Packages they previously created. Is their a tool or script out there that can fix this problem of moving the Windows Authenticated users smoothly over to the new domain.
View 3 Replies
View Related
Jun 19, 2015
we recently migrated from our in-house domain to the Enterprise domain. Everything went smooth except for the fact that I can no longer accept my dBs using my SA or my domain admin account. There is only 1 account I can get into the management studio with but it has no admin privileges, so I can't make any password changes or add accounts. I don't have a test environment so kind of hesitant to experiment with our production system.
View 6 Replies
View Related
Jun 19, 2015
I had to migrate my report server (2008R2) to a new domain. I built new server and restored the old ReportServer and ReportServerTempDB into new server and also restored the certificate from old server. The Report Server is running but I don't have full access to all server futures anymore, looks like it's AD authentication messed up. My new account is Admin on new server but I can't see all options, like New Data Source, or wehn going on report level to manage to see all option such as Parameters, Subscriptions, Data Source.
View 2 Replies
View Related
Jan 5, 2008
I have one domoain in the forest. The domain level is set to Windows 2000 native mode and forest level is set to mixed mode. My SQL server 2005 server joined to this domain. I added a brand new domain local group and add a normal user account to this domain local group. I login to the SQL server 2005 server and make a query "SELECT * FROM sys.login_token". I cannot see my domain local group in sys.login_token. However, if I add my account to a global group, I can see it there.
Then, I setup another forest. This time, I have domain level set to Windows 2003 mode and forest level is set to Windows 2003 native mode. I do the same testing. This time, I can see my domain local group in sys.login_token.
Why does SQL server 2005 has this limitation? Is it a bug?
View 1 Replies
View Related
Mar 30, 2000
1. How could I change the Domain within SQL Server.
2. When the NT Server changed to a new domain, Does the SQL server change also? Could someone help me. Thank you.
View 2 Replies
View Related
Mar 3, 2005
I have a client who we are upgrading from ms sql 7 to 2000. At the same time we are doing this, we are moving off an old domain, and old servers.
When I try to use DTS to move the whole database, it fails becaue the users don't exist on the new domain ( ie.. olddomainjay is not a user. That user is now newdomainjay).
What can I do to migrate the databases and not the permissions?
View 11 Replies
View Related
Sep 21, 2007
Any help will be appreciated.
To clarify few things I have no previous MS SQL experience, did some Oracle and MySQL work.
I will have to move one Win 2000 server with MS SQL 2005 running one database to our AD 2003 environment. I was wondering if anybody already went through that kind of scenario, and what was the procedure.
Thanks
View 4 Replies
View Related
May 25, 2007
Hi There
I am trying to find resources of comsiderations / steps to take when changing a sql server instatnce's domain, the name will be the same but it is being moved to a new domain.
One thing i have realised is that replciation must be completely removed and reconfigured , since the sunscriber / distributor are all going to the new domain.
replcation still obviously referencing the old domain.
But what are all the other things that may be affected. A link to an article with details of how to move a sql server 2005 instance to a new domain would be great i just cant find one.
Thanx
View 4 Replies
View Related
Aug 14, 2007
Our network guys created a new domain as part of their migration from NT4 to active directory. They are asking us to modify our sql servers (2000) to use the new domain accounts. For example domain1/user is now domain2/user. Once this is complete the old domain will be disabled. My question is how difficult is this to accomplish in SQL? SQL has startup accounts, logins, DTS packages, Scheduled jobs, maintenance plans, etc. It seems to me that this is a major effort? Any help on the do's and don'ts would be greatly appreciated. Any articles would be helpful too. I could sure benefit from anyone who has been down this path before.
View 1 Replies
View Related
May 5, 2008
Within our Exchange Environment we use Blackberry. Our Blackberry Server is using SQL Server 2005 Express. We're migrating from Exch 5.5 to Exch 2003 (new server for 2003). Now the new Exch Server is in our new Active Directory Domain to which is not named the same as our NT Domain for obvious reasons.
Anyway, after I decomission the 5.5 Exch Server, I want to rename the Blackberry Server and move it to the new domain.
Will SQL Server 2005 Express squak at me for doing this??
Thanks All
View 1 Replies
View Related
May 30, 2007
We're building out a new SQL cluster and I'm working with our AD team to develop a secure environment using Windows Authentication only. I have created three "Global AD Groups" SQL Admins, SQL Read Only, SQL Service Accounts". The AD guys receive a request to add users to the groups and the DBA's grand SQL rolls to the accounts which map through the groups. So, in SQL security the 3 groups exist with the Admin group being assigned to the SA SQL roll. The DBA's have their AD domain accounts added as members to the SQL Admins group and that group is added to SQL as with the "SA roll".
The real question :-)
We use service accounts s-application to connect our application boxes to their respective SQL databases. If the service Global Group exists in SQL Logins, and the AD account is a member of the Group how would the DBA's grant "database rolls" to the AD accounts in the group? Wouldn't they just issue GRANT statements? I've detailed our setup better bellow.
SQL Admins Container
- SQL Admins
- AD Account
SQL SERVER
- SQL Admins Container (Granted SQL server SA Roll)
Database
- AD account (Granted DBO rights)
View 1 Replies
View Related
Mar 9, 2006
hi guys, i just recently had our servers attached to a new domain. previously they were not on any domain. the server A is a domain controler itself.
the problem is that now i cant start my sql server agent. it gives this error.
SQLServerAgent could not be started (reason: Unable to connect to server '(local)'; SQLServerAgent cannot start).
previously I was using administrator account to start my services but now i am using the domain account.
can someone please advise me on this.
thanks!
View 1 Replies
View Related
Sep 5, 2007
Hi All,
I would like to rename a login SAMPLE-ITean to NEWDOMAINean, but i get this message:
"The name change cannot be performed because the SID of the new name does not match the old SID of the principal."
the command is : alter login [SAMPLE-ITean] with name=[NEWDOMAINean]
server is sql2005 std (initial base)
what can i do ( there are lot of db on this instance and there are lot of instance where I have to change the domain of the user...) ... and there are lot of user whom I have to change it...:-(
thnx
Csaba
View 1 Replies
View Related
Apr 4, 2007
I have a problem and I dont have an idea to solve it. I work with SQL Server and my students on Faculty of Information Technology.
I have create SQL Server login for domain group of users (about 60 od them). That mean I have SQL Server login like this DomainUsers
To whole group of users I had grant server role (dbcreator). I dont wish to import 60 login one by one and gice that permision.
Ok, student can create database without any problems
But, when they try to create database diagram (expanding database diagram node). They get a message that database need to have a valid owner (Hmm..ok its not a big deal to do it)
Quick check to some of database (Right click-->properties-->General-->Owner (ther is a DomainUserName (not name of group)..and that is ok
(Right click-->properties-->Files-->TextBox Owner. I try to enter same DomainUserName from step 5. But I get this message
TITLE: Microsoft SQL Server Management Studio
------------------------------
Set owner failed for Database '1110_EvidencijaKnjiga'. (Microsoft.SqlServer.Smo)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=9.00.3042.00&EvtSrc=Microsoft.SqlServer.Management.Smo.ExceptionTemplates.FailedOperationExceptionText&EvtID=Set+owner+Database&LinkId=20476
------------------------------
ADDITIONAL INFORMATION:
An exception occurred in SMO. (Microsoft.SqlServer.Smo)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=9.00.3042.00&LinkId=20476
------------------------------
The login 'DomeinUserName' does not exist on this server.
------------------------------
BUTTONS:
OK
------------------------------
This is wired. Ok I know that that user is not login but group is. Step 5 show that user, but step 6 have empty owner options and dose not allowe me to enter same user.
How to fix this?
Thank you
View 3 Replies
View Related
Sep 17, 2007
Greetings,
I am trying to configure Reporting Services to allow a domain group access to reports. I am able to configure the domain and group (mydomaingrpname) in both Report Manager and BIDS. I'm sure I entered the correct name because I purposely misspelled it and received an error. I think this tells me it is finding the group correctly.
However, when my test user goes to Report Manager, there are no folders displayed. I checked and he is in the domain group I am using. If I explicitly add him (mydomainandy) to the folders, he can see them and execute the reports.
After searching the forums and other websites, I have checked IIS is using Windows Integrated Security and not anonymous access.
Any ideas?
Rob
View 7 Replies
View Related
Feb 28, 2008
Hi,
I have some problem about adding domain group to reporting service.
At first, I create my report folder on report manager. Then I edit item security to this folder. I click "New Role Assignment".
Then I enter "domainmydomaingroup" to "Group or user name" textbox, and check "Browser" role. Click Ok.
But there is error occurs,
The user or group name "domainmydomaingroup" is not recognized. (rsUnknownUserName)
But if I enter directly to domain user such as "domainuser1", that is Ok.
How can I do to solve this problem?
Thank you very much.
View 1 Replies
View Related
Oct 24, 2007
Hi am
i am facing problem adding a domain group to the reporting services.
while setting the security of a report, i am getting the rsUnknownUserName error while adding a domain group.
the group is valid and it does exists. i tried creating a windows group on the machine running reporting services and tried adding the domain group and it accepted. but the reporting services is not accepting.
can somebody tell me whats the problem with this.
i am able to add other domain group belonging to the same domain and the SSRS accepts but not this particular domain group which is like any other domain group.
View 3 Replies
View Related