SQL 2012 :: Create Login With Sysadmin And Add To Local Server Admin Group
Apr 30, 2015Need script for below.
1)Add the user ''ADabc' to local admin group in server.
2)Create login 'ADabc' and Grant sysadmin access for ADabc
ADVERTISEMENT
Should A Sysadmin Have Local Admin Rights On Server?
Apr 27, 2006Hi,
The company I work for outsources all its non-development IT. So all windows servers are administered by an outside company. Lately we have purchased SQL Server 2005, along with a dedicated Windows Server 2003 server. I am the sole administrator of this SQL Server, and so have sysadmin rights. However because the outside company is responsible for all windows servers, they are very reluctant to grant me local administrator rights on the server. This has been causing problems, partly because I have to go through them for many simple requests (such as moving database files, or changing SQL Server configuration files), and partly because certain functionality doesn't seem to work for non-administrators (such as the use of Database Mail and full access to Reporting Services).
I want to challenge the decision and gain local admin rights to the server. Would anyone have further reasons why a sysadmin should also have local admin rights? Is this common practice, or are sysadmins often denied admin access to the server?
Any thoughts would be appreciated.
Thanks, Matt
Service Accounts, Local Admin, And Sysadmin Question!
Oct 2, 2007Hi,
Re: SQL Server 2005
We have defined a local administrator to be the SQL Server and SQL Server Agent services user, and is also the job step owner for some SSIS packages I am running.
My question is, isn't by default a local administrator ALSO granted sysadmin in SQL Server? According to this link, it seems to imply this:
http://msdn2.microsoft.com/en-us/library/ms143504.aspx
However, I am having some permissions problems with the local adminstrator account (i.e. SQL Server agent account) when it runs the job. The error is that it doesn't have execute permissions on sp_dts_addlogentry.
How can this be, if it's granted sysadmin?
Thanks
SQL 2012 :: Removing Service Accounts From Local Admin Group - File Permission Changes Needed
Feb 11, 2014I setup SQL Server 2012 on Windows Server 2012 with the service accounts in the local Administrator group, but now that I'd like to remove the accounts from this group I'm finding they don't have the appropriate access to the network storage. notes on setting the per-service SID's for SQL (SQL Engine, Analysis Services, Reporting Services, and Agent Service) so they can read the Data, Log, and TempDB mount points?
View 2 Replies View RelatedLogin Problem By Not Being In Sysadmin Group
Jul 23, 2007Hi All
I experience a very strange login problem:
I create standard security login, let say test1/test1 with a default db test and assign it sysadmin group.
All is working well.
The moment remove sysadmin group from this login, i start getting errors:
Login failed for user 'test1'
... when I login from remote server. If I login from the same host - it continues with no problem.
When I go to sql server configuration manager, I see next:
sql native client configuration(32bit):
shared memeory enabled
tcp/ip enabled
named pipes enabled
VIA disabled
The same settings from sql server 2005 network configuration / protocols for mssqlserver
sql native client configuration / client protocols
sql 2005 surface area configuration / remote connections is configured:
local and remote connections (checked), using both tcp/ip and named pipes.
Does anybody have a clue?
Use Windows Group As Local Login For Linked Server?
Mar 12, 2008Hi all:
I have created a linked server that connects a SQL 2000 database to a SQL 2005 database. If I use individual SQL or Windows accounts as local logins on the SQL 2000 instance, I can successfully query the linked SQL 2005 database.
(For security we use the setting "For a login not defined in the list above, connections will: not be made")
If I try to use a Windows group as the local login, remote queries fail with the error
"Access to the remote server is denied because no login-mapping exists"
Is it not possible to use a Windows group for the local login of a linked server?
If I run 'exec sp_linkedservers' the setup appears valid
Linked Server Local Login Is Self Mapping Remote Login
SQL2005Serv DomainBRubble 0 SQL_Read_Access
SQL2005Serv DomainWindows_Group 0 SQL_Read_Access
SQL2005Serv DomainFFlintstone 0 SQL_Read_Access
Thanks in advance
Grant
Login For Domain Local Group And Global Group
Jan 5, 2008I have one domoain in the forest. The domain level is set to Windows 2000 native mode and forest level is set to mixed mode. My SQL server 2005 server joined to this domain. I added a brand new domain local group and add a normal user account to this domain local group. I login to the SQL server 2005 server and make a query "SELECT * FROM sys.login_token". I cannot see my domain local group in sys.login_token. However, if I add my account to a global group, I can see it there.
Then, I setup another forest. This time, I have domain level set to Windows 2003 mode and forest level is set to Windows 2003 native mode. I do the same testing. This time, I can see my domain local group in sys.login_token.
Why does SQL server 2005 has this limitation? Is it a bug?
Using Local Variable To Pass Login Name To CREATE LOGIN Script
Mar 19, 2008Dear all;
I'm trying to use a local variable @NEW_LOGIN_CODE to pass LOGIN NAME to CREATE LOGIN script as follows:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
declare
@NEW_LOGIN_CODE varchar(255),
@NEW_LOGIN_PASSWORD varchar(255);
begin
SET @NEW_LOGIN_CODE = 'any_login';
SET @NEW_LOGIN_PASSWORD = 'AnyPassword';
CREATE LOGIN @NEW_LOGIN_CODE WITH PASSWORD @NEW_LOGIN_PASSWORD;
end
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
the script will not work unliss I provided a hard coded login code and password as follows:
CREATE LOGIN ANY_LOGIN WITH PASSWORD 'AnyPassword'
what should I do to make the CREATE LOGIN script accept local variables as parameters?
Thanks
SQL Server Admin 2014 :: Does DBCC LOGINFO Require SysAdmin Rights
Sep 28, 2015DBCC LogInfo command require SysAdmin rights?
View 2 Replies View RelatedSQL 2012 :: AlwaysOn Avail Group - Prevent Login Direct To Server Instance Only Through Listener?
Sep 30, 2015Is it possible to ONLY allow a login to the availability group listener, but block logins to server instance/nodes?
So: MySQLServerA and MySQLServerB are in an avail group "MyAvailGroup".
I want users to login to MyAvailGroup's listener, but I do NOT want them to login to the actual hosts/nodes directly.
Is that possible?
Users Are Unable To Connect To SQL Server 2005 Unless They Are In The Sysadmin Group
Nov 21, 2006We are running SQL Server 2005 in a Windows 2003 domain and I have a situation where some of my users are unable to connect to the SQL Server unless they are a member of the sysadmin group. Any attempts by these users to login result in a login failed,
Error: 18456, Severity: 14, State: 11
Which indicates that it is a valid user who does not have access to this SQL Server.
I have been able to narrow the failures down to the following situation:
Create a user, TestUser1, as a member of 1 domain local group TestGroup1
Give TestGroup1 access to SQL (standard public access to master)
All good. Login succeeds.
Add TestUser1 to another domain local group TestGroup2
Attempt to login to SQL Server -> login failed.
Add the user explicitly -> login failed
Add one of the groups to sysadmin -> login succeeds
It seems that as long as the user is a member of more than one AD group, and none of those groups is a member of the sysadmin server role then the user is unable to login. Obviously having all of the users as sysadmin isn't a workable solution, has anyone seen this issue before?
I have been able to replicate a similar situation in our test domain, but in that case the issue is resolved by adding the users explicitly to SQL Server (still not an ideal solution).
Interestingly, if I run the same test in our test domain but use global groups, it works. But unfortunately the network admin tells me the groups must stay as local.
Any help would be greatly appreciated.
Regards,
Daniel Watkins
SQL Server Admin 2014 :: Does Security-admin Role Plus Deny Alter Any Login Cancel Each Other Out
Aug 27, 2015I want to set up a database role so that users can use sp_readerrorlog through SSMS. It does a check on membership in the securityadmin role.
I have tested it and can see you can grant execute on xp_readerrorlog but the SSMS GUI uses sp_readerrorlog.
I thought I could create a user/certificate and add the signature to sp_readerrorlog but it's not permitted (likely because it's not a normal database object).
So the other solution is to add the users to the securityadmin role but then explicitly deny alter any login (best done with a custom server role in 2012+ but otherwise just manually in 2008). I tested this out and it works, I'm not able to alter any logins or increase my own permissions, I also did a check of what's reported from fn_my_permissions(null, null) and it shows minimal permissions like I'd expect.
Cannot Get CREATE LOGIN From A Windows Group To Work
Jan 28, 2007I have created a database fronted by an ASP.Net application. It's all nice and simple, and I only need a very simple level of security (and even that is only as a protection against accidents rather than maliciousness). My intention is that users connect using Windows impersonation (<identity="true">), with the database creator having full access and the public group (I'm talking SQL groups here) having specific premissions granted on specific tables.
If I set <identity="false"> on my XP box the application connects to the database as [MACHINEASPNET]. This is easy to set up access for - I simply do a
CREATE LOGIN [MACHINEASPNET] FROM WINDOWS
and then within the actual database do a
CREATE USER [MACHINEASPNET]
But as I said, I want to use Windows impersonation. When I set <identity="true">, the application correctly attempts to connect as the actual Windows user account (e.g. [MACHINE estuser]). If that user is the user who installed the database, then all is well and it has full access. For anything else, I get a "cannot log on" error - this much I expect.
So I want to permit logins for all other users, and I want this to work regardless of whether the machine is a standalone machine whose "domain" is simply the machine's own name, whether it is in some form of traditional peer-to-peer workgroup, or whether the machine is connected to a real domain. I also want it to work on XP and Windows Server 2003 (and ideally Vista also, but that can wait). When I try the following:
CREATE LOGIN [MACHINEUsers] FROM WINDOWS
I get this error:
Msg 15401, Level 16, State 1, Server MACHINESQLEXPRESS, Line 1
Windows NT user or group 'MACHINEUsers' not found. Check the name again.
Nor does it work with [Everyone] (that one has no domain/folder listed against it in any permissions dialogs on my domainless development PC). So I'm stuck and confused. It's taken me ages just to get this far. Any suggestions anyone?
Thanks in advance.
Table Query Fails With Object Not Found Error After Assining Sysadmin Server Role To Login
May 14, 2015I have dw schema in the database, owned by user dw.The login name is dw. The login had db_owner right in the database. The default schema for the login on the database is dw.Now Once I assign 'sysadmin' serverrole to dw login, I started seeing stored proc not found error, if try to execute stored proc without mentioning dw.spname...Also I am seeing table not found error while quering tables under dw schema, after the change.
View 5 Replies View RelatedSa Vs Sysadmin Login
Jul 23, 2005is there a difference in the previleges of 'sa' login and other loginwith 'sysadmin' role (and 'db_owner' for all databases) ?can they do the exact same things ?
View 1 Replies View RelatedNeed A Sysadmin Login
Oct 20, 2006We€™re running mixed mode authentication on our SQL Servers. To make the server €œsafer€? builtinadmininstrators no longer have sysadmin role on the sql server. If there is only one login with sysadmin role, and we lose track of the password, is there any way to recover it? How could we reset the password or create a new sa account with a new password? This situation has not occurred, but I€™m worried about how to recover from it should it occur. This question relates to SQL 2000 and SQL 2005.
David Zokaites,
DBA & Software Engineer
SQL Security :: Users Are Able To Login To Server Without Any Login Names Or Being Part Of A Group
Jun 5, 2015I have a server that has 20 databases . I have tested with few users with different level of access and all of them were able to connect to the server and also see, select, update , delete from a particular database which is kind of weird because they do not have a user login associated or mapped to that database. I checked and no user is part of any group in AD that would give them permission to connect . I need a query that would find the permission path of a user. I already queried with xp_logininfo but I am not getting any thing.
View 9 Replies View RelatedNon SysAdmin Accounts Cannot Login
Jun 12, 2007I have a SQL2005 in a cluster environment, for some reason the only way that user accounts can login to either the database or SSMS is to grant them the SysAdmin role. This access is a little to high for my liking and am wondering if anyone else has come across this before.
Thank you
SQL Server 2012 :: Obtaining A Comma Delimited List For Each Group In The Output Of A Group By Query?
Jan 10, 2014I'd like to ask how you would get the OUTPUT below from the TABLE below:
TABLE:
id category
1 A
2 C
3 A
4 A
5 B
6 C
7 B
OUTPUT:
category count id's
A 3 1,3,4
B 2 5,7
C 2 2,6
The code would go something like:
Select category, count(*), .... as id's
from TABLE
group by category
I just need to find that .... part.
SQL Server Admin 2014 :: Cannot Decrypt Encrypted Columns From Database Backup On Local Machine
Jun 29, 2015I've a SQL server 2014 running on one of our server. We're in the process of implementing security steps for our databases. I've encrypted a column in one of the table in the database on the server. The issue is when I restore the backup on my local SQL server and run a query to decrypt the column data it gives me null values. On the other end when I decrypt the column data on the main server it works fine. I found a thread on this forum which states to do the following when restoring the encrypted database on different server.
USE [master];
GO
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'StrongPassword';
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
GO
select File_Name
, CONVERT(nvarchar,DECRYPTBYKEY(File_Name))
from [test].[dbo].[Orders_Customer]
I tried doing above still no luck.
Only Members Of Sysadmin Role Are Allowed To Update Or Delete Jobs Owned By A Different Login
Mar 7, 2007
Question to those who may have had this same error- it seems that I am not able to delete some of the reports that I have created. This just started happening recently and according to our system admin nothing has changed as far as permissions are concernced. We installed SP2 the other day and I was wondering if this could have anything to do with the error message below
by the way I am a member of the sysadmin group
thanks in advance
km
System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Only members of sysadmin role are allowed to update or delete jobs owned by a different login. Only members of sysadmin role are allowed to update or delete jobs owned by a different login. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe) at System.Data.SqlClient.SqlCommand.ExecuteNonQuery() at Microsoft.ReportingServices.Library.InstrumentedSqlCommand.ExecuteNonQuery() at Microsoft.ReportingServices.Library.DBInterface.DeleteObject(String objectName) at Microsoft.ReportingServices.Library.RSService._DeleteItem(String item) at Microsoft.ReportingServices.Library.RSService.ExecuteBatch(Guid batchId) at Microsoft.ReportingServices.WebServer.ReportingService2005.ExecuteBatch() --- End of inner exception stack trace ---
SQL Server Admin 2014 :: Separate One Availability Group To Several AVs?
Jul 3, 2015We have 4 servers : Server 1 , Server 2 and HA , DR servers.
I designed 2 Plans to get HA support for my databases .
Which of them are better , And is there any problem in my design ?
SQL Server Admin 2014 :: Notification On Availability Group Failover
Nov 10, 2014Is there any way to trigger an event (ie. call a procedure/job/etc.) when/if an AG fails over?
Not looking to use agent alerts.
SQL Server Admin 2014 :: Manual Failover Availability Group
Dec 24, 2014Recently after turning on trace I restarted the sql services on a box which is configured for automatic failover availability groups. The ag has not failed over to other node. The other node was in resolving state. When the restarted server is back, the AG went back to that server. I checked the sys.availability groups field for failover property failure condition level, it's set to 1 which means service restarts should initiate the failover.
View 3 Replies View RelatedSQL Server Admin 2014 :: AlwaysOn Availability Group Configuration
Jun 17, 2015What I asked for: Three Windows Server 2012 R2 machines with independent storage running a SQL Server 2014 AlwaysOn Availability Group. DB1 would be the primary, DB2 would be a synchronous replica, and DB3 would be a remote asynchronous replica.
What I was given: a two-node Windows Server 2012 R2 WSFC to run SQL Server 2014 Enterprise with shared storage and a third (remote) Windows Server 2012 R2 machine with independent storage, also with SQL Server 2014 Enterprise, to host an AlwaysOn Availability Groups asynchronous replica.
DB1 and DB2 (as Cluster1) share an E: drive. The remote DB3 has its own E: drive. Initially, DB3’s E: drive was claimed as a cluster resource and I couldn’t even see it. I’ve had several ugly days trying to make this work and have temporarily given up, installing DB3 as a standalone SQL Server that is no longer part of the WSFC and pointing everything towards that (it was originally a third node in the WSFC).
Is it possible to create an AlwaysOn Availability Group with nested clusters (i.e. create the AOAG with Cluster1 and DB3 and somehow ignore the individual nodes that comprise Cluster1)?
SQL Server Admin 2014 :: How To Delete A Login Linked With Endpoints
Sep 1, 2015I am planning to delete a login from SQL logins because he moved out from project .when i try to delete the login , it throws an error saying " The server principal owns an endpoint and cannot be dropped , error 15141 "
Same problem facing on different servers.
Note : Environment is SQL 2012,SQL 2008 including cluster servers .
SQL Server Admin 2014 :: Group Policy User Denied Access
Sep 15, 2014I have a user, who is trying log into the server, but everytime he gets this error saying something about the Group policy denies him access.
This user needs access and i'm trying to understand how to grant it to him.
I have been looking into how i can access the group policy editor, but the farthest i can get is the Local group policy editor. How do i make sure this specific user has access?
SQL Server Admin 2014 :: Where To Find Availability Group Fail Over Occurrences
Nov 14, 2014Where can I find dates and times to when an availability group was moved outside of the SQL error log?
View 1 Replies View RelatedSQL Server Admin 2014 :: Deny Access To AD Login For Certain Period Of Time
Apr 23, 2015SQL server job or SP to deny access to an AD login for certain period of time to SQL server instance...i.e. to deny access to login ADxyz from 12 PM to 10 PM and revoke access to same login at 10:01 PM...
View 3 Replies View RelatedWhy Does Windows Login Have Full Permissions On Local Installation Of SQL Server 2005?
Jun 22, 2007Hi,
I recently installed an evaluation copy of SQL Server 2005 Enterprise Edition on my local machine and during the installation I used Local System system account for the SQL Server service and set the server to use Mixed Mode authentication.
I am able to connect to this local server Database Engine with my Windows login through SQL Server Management Studio and am able to perform sysadmin tasks. My question is why?
My thinking was that even though my Windows login would provide me a connection to the server, I would still have to manually add this login to the sysadmin server roles but after checking the sysadmin role, my Windows login isn't in there. The Windows login is not found under Security - Logins in SSMS either.
Can someone tell me should details for the login be visible on the server and why it seems to have sysadmin permissions ?
Thanks
SQL Server Admin 2014 :: Exit From Not Synchronizing Primary Database In Availability Group
Jan 27, 2015I Create an availibility Group with a primary and a secondary. (For test)
Then run Planed Failover.
Switched to secondary. That's ok.
After that I update some tables on secondary (That now is primary)
I Run Again Planed Failover on server 2.
Switched. OK
But primary database Get (Not synchronizing) Status.
And in primary I don't have that updates.
How to sync these databases and exit from Not synchronizing.
SQL Server Admin 2014 :: Disconnected From Listener In Availability Group (When Primary Failed)
Jun 27, 2015I setup an availability Group. (Only 2 servers - Primary And secondary) -- 21 , 22
I also define an listener . IP .. 23
1- In First step I connected To Listener (23) And in a while I inserted A record to a table .
While 1=1
insert into Tbl_T1(f1,f2) Values (1,2)
2- in second, I Stop the primary .
- I expected this while whitout disconnect, continue.
3- The while code stopped whit this message :
Msg 64, Level 20, State 0, Line 0 A transport-level error has occurred when receiving results from the server. (provider: TCP Provider, error: 0 - The specified network name is no longer available.)
4- I execute again the script, And it worked in new primary.
My questions :
1- is the listener disconnected between switched primary and secondary ? OR have we data loss between switching?
2- I did some huge update on Primary that fill the Log fiel space. And in last Update I got this error :
Msg 9002, Level 17, State 2, Line 27
The transaction log for database 'Your_DB' is full due to 'LOG_BACKUP'.
Is this (Fill All space) a reason to switch primary? Or not ?
SQL Server Admin 2014 :: Availability Group Handshaking Fails After Network Outage
Aug 14, 2015I'm running a primary and secondary on sql server 2012 enterprise edition on windows server 2012, and it runs fine except when a network outage occurs.
Then the handshaking keeps failing, the databases on the replica show as not synchronizing and the only way to fix this is to reboot both primary and secondary.
We keep getting 3520's, etc. on the DR error log
How to eliminate all these prod reboots?
I increased query connection timeouts to 60, but saw no change.