Problems With Change Sql Permissions After Migrating Domain User/group Accounts Into Root Domain

Apr 5, 2007

I have a root domain and child domain.



After using ADMT to migrate the domain user or group into the root domain, when I use enterprise manager to try and change the permissions allocated to that domain user/group, i get the 'Error 15401 NT user or Group not found'.



This is a correct error as the user is now in the root domain, however sql (in sysxlogins) still thinks its in the child domain.



Is there a simpler way, other than collecting the users permissions, deleting the user from SQL then adding back in with the correct domainusername format, then adding the permissions back?



I tried renaming the 'name' in sysxlogins (not recommended) and while that worked, whenever I tried to add the migrated user to another database, the login name was missing and would not resolve.



I believe it is something to do with the SID not matching.



Any ideas on how to fix this ?

View 1 Replies


ADVERTISEMENT

Cannot Add Domain Accounts To SQLServer Permissions

Jun 8, 2007

I have 4 new SQL Server 2005 installations on Windows 2003 that I configured at our main office and shipped to a hosting center. All four servers are members of our domain. I set up test datbases with replication on one of the servers and facilitated this with a domain account.



Now that I've moved the servers to the hosting center (which has a DC) and I'm not having any luck adding domain accounts to the permissions section on any of the the SQL Server boxes.



When I try to add a domain account in the SQL Server's permissions window I get "Name Not Found". By every indication the server is connected to the domain. I can log on using my domain account; I can create shares specifying domain accounts but I can't seem to add domain accounts to the SQL server permissions. When I look in the permission's tab I still see the original domain account, I had added back in the main office, stranded by itself in the list of users. We're using mixed authentication by the way.



Why doesn't SQL Server recognize the domain? Where does it get it's list of users? Does the account I'm logging in with just not have the permission to add domain accounts? These diaglogs are slightly different from the normal 'add a user' dialog boxes.



I feel like this must be a simple oversight. Any help would be appreciated. I'd prefer to move away from local accounts to keep things simple.



View 2 Replies View Related

User On Trusted Domain Does Have Permission To Access Linked Server On AD Deployed In Another Domain

Sep 28, 2007

Hi,
We have the followoing:

-A "master domain" AD, a "sub domain" AD, a trust relationship between the two (sub trust master)
-A sql server 2005 on a win server 2003 in "sub domain" AD
-A linked server to "sub domain" AD
-A linked server login using a "sub domain" admin acccount
-A view to this linked server
-A grant on masterDomain/Domain Users to the database
-A grant on subDomain/Domain Users to the database
-We want all connections done through "Windows Authentication" not "Database Authentication".

Queries on the view work fine using "sub domain" user accounts.
Queries on the view fail using "master domain" user accounts (including master domain admin accounts)


"Msg 7399, Level 16, State 1, Line 1

The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation."

All connections are done through "Windows Authentication" not "Database Authentication".

Can we establish cross domain connectivity with "Windows Authentication" ?


Below are details of the implementation:

SELECT TOP (100) PERCENT *
FROM OPENQUERY(ADSI,
'SELECT displayname, givenName, sn, cn (etc...)
FROM ''LDAP://OU=PEOPLE,DC=subDomain,DC=com''
WHERE objectCategory = ''Person'' AND objectClass = ''user'' ')

EXEC sp_addlinkedsrvlogin @rmtsrvname ='ADSI', @useself='false',
@rmtuser='subDomainAdminAccnt', @rmtpassword='sunDomainAdminAccntPassword';

In SQL Server Mngt Studio in Server Objects/Linked Servers/Providers/ ADSI properties security tab I have:

"connections will: <be made using this security context> Remote login:'subDomainAdminAccnt' With password: 'subDomainAdminAccntPassword'

Error:
Msg 7399, Level 16, State 1, Line 1

The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation.

Msg 7320, Level 16, State 2, Line 1

Cannot execute the query "SELECT displayname, givenName, sn, cn

FROM 'LDAP://OU=PEOPLE,DC=subDomain,DC=com'

WHERE

objectCategory = 'Person'

AND objectClass = 'user'

" against OLE DB provider "ADsDSOObject" for linked server "ADSI".

View 7 Replies View Related

Permissions For Domain User Account

Jun 8, 2007

Hi,
I want to use a domain user account not belonging to local admin or domain admin groups in SQL 2000/2005 Enterprise edition. This is what I've done so far..
On the machine that is the Domain Controller:
- installed SQL 2005 as a domain admin

- created a domain user account using Active Directory Users and Computers. This user is only


"Member of" domain users; not any Administrators group.


- added this user to SQL Server Management Studio->Logins and in Server Roles assigned


sysadmin role.
Question 1: Do I need to give any additional permissions to this user to work with SQL?
Question 2: How can I test this user for basic SQL operations like database creation? Can I use Osql?
Question 3: Can I use this user account to login to my domain controller using remote desktop? I tried adding this user to remote users, but in vain.



Thanks!

View 3 Replies View Related

Do Managed Local Accounts Remove Need For Multiple Domain Accounts

Aug 12, 2015

I cannot get a consistent answer as to how many domain accounts would be suggested in a SQL Server 2014 installation. Previously the recommendation was a separate account for each service to provide isolation and minimum permissions for each account. It seems from what I've read that a single domain account would have something added to make it unique from SQL Server's perspective. Several still advocate multiple accounts. I don't know if they are doing so because that's the way it's always been done or if there is still some compelling reason to do so. I don't want to create unnecessary accounts simply because something is "ideal."

View 8 Replies View Related

Package Won't Run For Domain User With Full Control Permissions

Dec 1, 2007

I'm running my job from the command line using DTExec as follows:-

DTExec /FILE "C:MyPathMyPackage.dtsx" /CONFIGFILE "C:MyPathMyDtsConfig.xml" /MAXCONCURRENT " -1 "

When I log in as Administrator the package runs perfectly.
When I log in as Domain User (the one I really want to have running the package) I get:-

Started: 10:49:08 PM
Error: 2007-11-30 22:49:08.30
Code: 0xC0011007
Source: {807048F4-DE2A-465E-B9A7-82E163791556}
Description: Unable to load the package as XML because of package does not have a valid XML format. A specific XML parser error will be posted.
End Error

I have checked, and the Domain User has


"Full Control" permissions to the directory the package is in and

"Full Control" permissions for the DTSX file and

"Full Control" permissions to the directory the dtsConfig is in and
"Full Control" permissions for the dtsConfig fileAny suggestions as to what is wrong?

View 7 Replies View Related

Domain Change (User Logins Broken)

Jan 22, 2008

Is there a way to change a logins based on domain users, we just changed domains so all the domainlogin logins are not working anymore. Do I have to reapply every security on every database object? There has to be a fix for this, its a common thing.

Any help is greatly appreciated, everything i googled applied to SQL Server 2000 and system tables that dont exist in 2005

View 3 Replies View Related

Domain User Belonging To Multiple Windows Group

Jul 19, 2007

If I have a domain user DOMAINuser1 who belongs to multiple window groups say DOMAINLookupConfigUsers and DOMAINAuditConfigUsers. In sqlserver, I would create two logins - DOMAINLookupConfigUsers and DOMAINAuditConfigUsers and matching users in the database. Then I grant LookupConfig role to the LookupConfigUsers user and AuditConfig role to the AuditConfigUsers user in the database. When DOMAINuser1 logs in, will it have both roles? I try to set this up but it does not seem to work. The domain user only picks up one of the role. Am I on the right track? If not, what is the proper way to grant multiple roles to a user when it belongs to multiple groups and each group has different privileges in the database.

View 4 Replies View Related

How To Give Permissions To A Regular Domain User To Manage SQL Server Database Service?

Jan 22, 2008

After SQL Server 2005 Database Engine is installed by domain administrator, how to give permissions to a regular domain user so that user can control SQL Server Database service?

View 3 Replies View Related

Migrating SQL 2000 From A 2000 Domain To 2003 Domain

Mar 2, 2006

Currently running a SQL 2000 server in 2000 domain and want to migrate it to a new 2003 domain of the same name.

How do I go about it and is there any problems with this plan?

View 1 Replies View Related

SQL 2012 :: Give User / Domain Group Only View Access On Agent Role?

May 20, 2014

I have been struggling with this one for awhile now.I have a domain group which only must view the steps and history of all agent jobs.I have added the group to the sqlagentreadergroup.I have created a new role and denied this role,add job,update job,delete job etc execute permissions.But the user still can change ,delete or create a new job.

All the groups and users in th new role,does not have sysadmin rights.

we have sql 2012 enterprise version

What else can i try.I need this for audit purposes.

View 7 Replies View Related

Authentication Failure - Can't Find Domain Accounts

May 30, 2007

We're getting an error where we can't add a login with the full dns name of a user - domain.xyzuser, for example. Get an error 15401, "Windows NT user or group domain.xyzuser' not found". The domain has a different Netbios name and DNS domain names, so we can add the user when we use the form "netbiosnameuser". So far so good.



Unfortunately, we have another application - Office Share Point Server whose shared services provider won't run, giving errors in the event log every 60 seconds that "Windows NT user or group 'domain.xyzuser' not found".



It looks as if SQL insists upon listing users in the form netbiosdomainnameuser, and applications that look for domain.xyzuser simply fail to authenticate.



Suggestions?

jnfranc at yahoo period com

View 3 Replies View Related

Sql Server 2005 Servcie Domain Accounts

Jul 12, 2006

Hi There



Currently we run a certain instance , agent under local system on a server.

I want to create specific domain accounts for the sql server service and agent, now i know that one should create these accounts with the least priviledge for security reasons.

cannot find the topic in BOL, can some please give me the BOL topic or a link to exactly what the least priviledge is for the domain accounts for sql server services.

Thanx

View 4 Replies View Related

SQL 2012 :: Domain Account Errors Out When Use As Service Accounts

Jul 23, 2014

Installed sql server 2012 enterprise. Runs with the built in account fine.

I tried entering a domain account to run as the service account from sql configuration it fails with the error "the specified network password is not correct".

I tried from services.msc and entered successfully but when I try to restart it fails that the log in credentials are wrong.

the domain account and password I entered are just fine. What's it I should do or missing?

View 3 Replies View Related

Dynamic Script To Add Domain Login Accounts 2000/2005

Jan 18, 2008



I'm attempting to write a script that I can execute accross 30 servers that will create a domain login and subsequently grant access to said account on all databases per server. The only problem that I'm running into is trying to dymanically create the login. Example source is below.


declare @sql varchar(1000)

declare @loginname varchar(50)

select @loginname = 'DOMAINaccountname'

set @sql = 'if not exists (select * from master.dbo.syslogins where name = N' + char(39) + 'DOMAINaccountname' + char(39) + ')' + char(10) + char(13)

set @sql = @sql + 'begin ' + char(10) + char(13)

set @sql = @sql + char(9) + 'exec master.dbo.sp_grantlogin ' + quotename(@loginname)

print @sql

exec (@sql)


Here is the generated output and the error. Any suggestions would be appreciated.



if not exists (select * from master.dbo.syslogins where name = N'DOMAINaccountname')

begin

exec master.dbo.sp_grantlogin [DOMAINaccountname]

Msg 102, Level 15, State 1, Line 3

Incorrect syntax near 'DOMAINaccountname'.

View 4 Replies View Related

Setup And Upgrade :: Server Installations Use The Same Domain Service Accounts?

May 21, 2015

My company doesn't allow using Local Service / Network Service accounts for SQL Server. So I created domain service accounts. Can multiple SQL Server installations use the same domain service accounts ?

View 4 Replies View Related

Migrating Users To New Domain

Jan 21, 2003

We are currently in the process of migrating users from a NT 4.0 domain to a win2k Domain. On some of our SQL Servers the Windows Authenticated users own objects within the database. These Windows Authenticated users also own SQL Server Job and DTS Packages. Once these Windows Authenticated users are moved over to the Windows 2000 Domain they have to qualify there database objects, they can not see their SQL Server Jobs they created and they cannot modify the DTS Packages they previously created. Is their a tool or script out there that can fix this problem of moving the Windows Authenticated users smoothly over to the new domain.

View 3 Replies View Related

SQL Security :: Domain Migration Altered SA Or Domain Admin Access To DBs

Jun 19, 2015

we recently migrated from our in-house domain to the Enterprise domain. Everything went smooth except for the fact that I can no longer accept my dBs using my SA or my domain admin account. There is only 1 account I can get into the management studio with but it has no admin privileges, so I can't make any  password changes or add accounts. I don't have a test environment so kind of hesitant to experiment with our production system.

View 6 Replies View Related

Reporting Services :: Server Not Fully Functional After Migrating To New Domain

Jun 19, 2015

I had to migrate my report server (2008R2) to a new domain. I built new server and restored the old ReportServer and ReportServerTempDB into new server and also restored the certificate from old server. The Report Server is running but I don't have full access to all server futures anymore, looks like it's AD authentication messed up. My new account is Admin on new server but I can't see all options, like New Data Source, or wehn going on report level to manage to see all option such as Parameters, Subscriptions, Data Source.

View 2 Replies View Related

Login For Domain Local Group And Global Group

Jan 5, 2008

I have one domoain in the forest. The domain level is set to Windows 2000 native mode and forest level is set to mixed mode. My SQL server 2005 server joined to this domain. I added a brand new domain local group and add a normal user account to this domain local group. I login to the SQL server 2005 server and make a query "SELECT * FROM sys.login_token". I cannot see my domain local group in sys.login_token. However, if I add my account to a global group, I can see it there.

Then, I setup another forest. This time, I have domain level set to Windows 2003 mode and forest level is set to Windows 2003 native mode. I do the same testing. This time, I can see my domain local group in sys.login_token.

Why does SQL server 2005 has this limitation? Is it a bug?

View 1 Replies View Related

Change Domain Within SQL

Mar 30, 2000

1. How could I change the Domain within SQL Server.
2. When the NT Server changed to a new domain, Does the SQL server change also? Could someone help me. Thank you.

View 2 Replies View Related

SQL Upgrade And Domain Change

Mar 3, 2005

I have a client who we are upgrading from ms sql 7 to 2000. At the same time we are doing this, we are moving off an old domain, and old servers.

When I try to use DTS to move the whole database, it fails becaue the users don't exist on the new domain ( ie.. olddomainjay is not a user. That user is now newdomainjay).

What can I do to migrate the databases and not the permissions?

View 11 Replies View Related

Domain Name Change For MS SQL 2005

Sep 21, 2007

Any help will be appreciated.
To clarify few things I have no previous MS SQL experience, did some Oracle and MySQL work.
I will have to move one Win 2000 server with MS SQL 2005 running one database to our AD 2003 environment. I was wondering if anybody already went through that kind of scenario, and what was the procedure.
Thanks

View 4 Replies View Related

Change Sql 2005 Domain?

May 25, 2007

Hi There



I am trying to find resources of comsiderations / steps to take when changing a sql server instatnce's domain, the name will be the same but it is being moved to a new domain.



One thing i have realised is that replciation must be completely removed and reconfigured , since the sunscriber / distributor are all going to the new domain.



replcation still obviously referencing the old domain.



But what are all the other things that may be affected. A link to an article with details of how to move a sql server 2005 instance to a new domain would be great i just cant find one.



Thanx

View 4 Replies View Related

Sql 2000 Domain Name Change

Aug 14, 2007

Our network guys created a new domain as part of their migration from NT4 to active directory. They are asking us to modify our sql servers (2000) to use the new domain accounts. For example domain1/user is now domain2/user. Once this is complete the old domain will be disabled. My question is how difficult is this to accomplish in SQL? SQL has startup accounts, logins, DTS packages, Scheduled jobs, maintenance plans, etc. It seems to me that this is a major effort? Any help on the do's and don'ts would be greatly appreciated. Any articles would be helpful too. I could sure benefit from anyone who has been down this path before.

View 1 Replies View Related

Server And Domain Name Change

May 5, 2008



Within our Exchange Environment we use Blackberry. Our Blackberry Server is using SQL Server 2005 Express. We're migrating from Exch 5.5 to Exch 2003 (new server for 2003). Now the new Exch Server is in our new Active Directory Domain to which is not named the same as our NT Domain for obvious reasons.

Anyway, after I decomission the 5.5 Exch Server, I want to rename the Blackberry Server and move it to the new domain.
Will SQL Server 2005 Express squak at me for doing this??

Thanks All

View 1 Replies View Related

SQL 2k5 ENT , Domain Global Group

May 30, 2007

We're building out a new SQL cluster and I'm working with our AD team to develop a secure environment using Windows Authentication only. I have created three "Global AD Groups" SQL Admins, SQL Read Only, SQL Service Accounts". The AD guys receive a request to add users to the groups and the DBA's grand SQL rolls to the accounts which map through the groups. So, in SQL security the 3 groups exist with the Admin group being assigned to the SA SQL roll. The DBA's have their AD domain accounts added as members to the SQL Admins group and that group is added to SQL as with the "SA roll".

The real question :-)

We use service accounts s-application to connect our application boxes to their respective SQL databases. If the service Global Group exists in SQL Logins, and the AD account is a member of the Group how would the DBA's grant "database rolls" to the AD accounts in the group? Wouldn't they just issue GRANT statements? I've detailed our setup better bellow.

SQL Admins Container
- SQL Admins
- AD Account

SQL SERVER
- SQL Admins Container (Granted SQL server SA Roll)

Database
- AD account (Granted DBO rights)

View 1 Replies View Related

SQL AGENT Issue Due To Domain Change

Mar 9, 2006

hi guys, i just recently had our servers attached to a new domain. previously they were not on any domain. the server A is a domain controler itself.


the problem is that now i cant start my sql server agent. it gives this error.

SQLServerAgent could not be started (reason: Unable to connect to server '(local)'; SQLServerAgent cannot start).


previously I was using administrator account to start my services but now i am using the domain account.


can someone please advise me on this.


thanks!

View 1 Replies View Related

How Can I Rename A Login (change The Domain)?

Sep 5, 2007

Hi All,
I would like to rename a login SAMPLE-ITean to NEWDOMAINean, but i get this message:
"The name change cannot be performed because the SID of the new name does not match the old SID of the principal."

the command is : alter login [SAMPLE-ITean] with name=[NEWDOMAINean]
server is sql2005 std (initial base)

what can i do ( there are lot of db on this instance and there are lot of instance where I have to change the domain of the user...) ... and there are lot of user whom I have to change it...:-(

thnx
Csaba

View 1 Replies View Related

Problem With Domain Group And Diagrams

Apr 4, 2007

I have a problem and I dont have an idea to solve it. I work with SQL Server and my students on Faculty of Information Technology.

I have create SQL Server login for domain group of users (about 60 od them). That mean I have SQL Server login like this DomainUsers
To whole group of users I had grant server role (dbcreator). I dont wish to import 60 login one by one and gice that permision.
Ok, student can create database without any problems
But, when they try to create database diagram (expanding database diagram node). They get a message that database need to have a valid owner (Hmm..ok its not a big deal to do it)
Quick check to some of database (Right click-->properties-->General-->Owner (ther is a DomainUserName (not name of group)..and that is ok
(Right click-->properties-->Files-->TextBox Owner. I try to enter same DomainUserName from step 5. But I get this message

TITLE: Microsoft SQL Server Management Studio
------------------------------

Set owner failed for Database '1110_EvidencijaKnjiga'. (Microsoft.SqlServer.Smo)

For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=9.00.3042.00&EvtSrc=Microsoft.SqlServer.Management.Smo.ExceptionTemplates.FailedOperationExceptionText&EvtID=Set+owner+Database&LinkId=20476

------------------------------
ADDITIONAL INFORMATION:

An exception occurred in SMO. (Microsoft.SqlServer.Smo)

For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=9.00.3042.00&LinkId=20476

------------------------------

The login 'DomeinUserName' does not exist on this server.

------------------------------
BUTTONS:

OK
------------------------------


This is wired. Ok I know that that user is not login but group is. Step 5 show that user, but step 6 have empty owner options and dose not allowe me to enter same user.

How to fix this?

Thank you

View 3 Replies View Related

Domain Group Account Won't Work

Sep 17, 2007

Greetings,

I am trying to configure Reporting Services to allow a domain group access to reports. I am able to configure the domain and group (mydomaingrpname) in both Report Manager and BIDS. I'm sure I entered the correct name because I purposely misspelled it and received an error. I think this tells me it is finding the group correctly.

However, when my test user goes to Report Manager, there are no folders displayed. I checked and he is in the domain group I am using. If I explicitly add him (mydomainandy) to the folders, he can see them and execute the reports.

After searching the forums and other websites, I have checked IIS is using Windows Integrated Security and not anonymous access.

Any ideas?

Rob

View 7 Replies View Related

How Can I Add Domain Group To Reporting Service?

Feb 28, 2008

Hi,

I have some problem about adding domain group to reporting service.

At first, I create my report folder on report manager. Then I edit item security to this folder. I click "New Role Assignment".

Then I enter "domainmydomaingroup" to "Group or user name" textbox, and check "Browser" role. Click Ok.

But there is error occurs,

The user or group name "domainmydomaingroup" is not recognized. (rsUnknownUserName)

But if I enter directly to domain user such as "domainuser1", that is Ok.

How can I do to solve this problem?

Thank you very much.

View 1 Replies View Related

Unable To Add Domain Group Account

Oct 24, 2007

Hi am
i am facing problem adding a domain group to the reporting services.
while setting the security of a report, i am getting the rsUnknownUserName error while adding a domain group.
the group is valid and it does exists. i tried creating a windows group on the machine running reporting services and tried adding the domain group and it accepted. but the reporting services is not accepting.
can somebody tell me whats the problem with this.
i am able to add other domain group belonging to the same domain and the SSRS accepts but not this particular domain group which is like any other domain group.


View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved