We're building out a new SQL cluster and I'm working with our AD team to develop a secure environment using Windows Authentication only. I have created three "Global AD Groups" SQL Admins, SQL Read Only, SQL Service Accounts". The AD guys receive a request to add users to the groups and the DBA's grand SQL rolls to the accounts which map through the groups. So, in SQL security the 3 groups exist with the Admin group being assigned to the SA SQL roll. The DBA's have their AD domain accounts added as members to the SQL Admins group and that group is added to SQL as with the "SA roll".
The real question :-)
We use service accounts s-application to connect our application boxes to their respective SQL databases. If the service Global Group exists in SQL Logins, and the AD account is a member of the Group how would the DBA's grant "database rolls" to the AD accounts in the group? Wouldn't they just issue GRANT statements? I've detailed our setup better bellow.
SQL Admins Container
- SQL Admins
- AD Account
SQL SERVER
- SQL Admins Container (Granted SQL server SA Roll)
I have one domoain in the forest. The domain level is set to Windows 2000 native mode and forest level is set to mixed mode. My SQL server 2005 server joined to this domain. I added a brand new domain local group and add a normal user account to this domain local group. I login to the SQL server 2005 server and make a query "SELECT * FROM sys.login_token". I cannot see my domain local group in sys.login_token. However, if I add my account to a global group, I can see it there.
Then, I setup another forest. This time, I have domain level set to Windows 2003 mode and forest level is set to Windows 2003 native mode. I do the same testing. This time, I can see my domain local group in sys.login_token.
Why does SQL server 2005 has this limitation? Is it a bug?
After using ADMT to migrate the domain user or group into the root domain, when I use enterprise manager to try and change the permissions allocated to that domain user/group, i get the 'Error 15401 NT user or Group not found'.
This is a correct error as the user is now in the root domain, however sql (in sysxlogins) still thinks its in the child domain.
Is there a simpler way, other than collecting the users permissions, deleting the user from SQL then adding back in with the correct domainusername format, then adding the permissions back?
I tried renaming the 'name' in sysxlogins (not recommended) and while that worked, whenever I tried to add the migrated user to another database, the login name was missing and would not resolve.
I believe it is something to do with the SID not matching.
I have a problem and I dont have an idea to solve it. I work with SQL Server and my students on Faculty of Information Technology.
I have create SQL Server login for domain group of users (about 60 od them). That mean I have SQL Server login like this DomainUsers To whole group of users I had grant server role (dbcreator). I dont wish to import 60 login one by one and gice that permision. Ok, student can create database without any problems But, when they try to create database diagram (expanding database diagram node). They get a message that database need to have a valid owner (Hmm..ok its not a big deal to do it) Quick check to some of database (Right click-->properties-->General-->Owner (ther is a DomainUserName (not name of group)..and that is ok (Right click-->properties-->Files-->TextBox Owner. I try to enter same DomainUserName from step 5. But I get this message
TITLE: Microsoft SQL Server Management Studio ------------------------------
Set owner failed for Database '1110_EvidencijaKnjiga'. (Microsoft.SqlServer.Smo)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=9.00.3042.00&EvtSrc=Microsoft.SqlServer.Management.Smo.ExceptionTemplates.FailedOperationExceptionText&EvtID=Set+owner+Database&LinkId=20476
An exception occurred in SMO. (Microsoft.SqlServer.Smo)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=9.00.3042.00&LinkId=20476
------------------------------
The login 'DomeinUserName' does not exist on this server.
------------------------------ BUTTONS:
OK ------------------------------
This is wired. Ok I know that that user is not login but group is. Step 5 show that user, but step 6 have empty owner options and dose not allowe me to enter same user.
I am trying to configure Reporting Services to allow a domain group access to reports. I am able to configure the domain and group (mydomaingrpname) in both Report Manager and BIDS. I'm sure I entered the correct name because I purposely misspelled it and received an error. I think this tells me it is finding the group correctly.
However, when my test user goes to Report Manager, there are no folders displayed. I checked and he is in the domain group I am using. If I explicitly add him (mydomainandy) to the folders, he can see them and execute the reports.
After searching the forums and other websites, I have checked IIS is using Windows Integrated Security and not anonymous access.
Hi am i am facing problem adding a domain group to the reporting services. while setting the security of a report, i am getting the rsUnknownUserName error while adding a domain group. the group is valid and it does exists. i tried creating a windows group on the machine running reporting services and tried adding the domain group and it accepted. but the reporting services is not accepting. can somebody tell me whats the problem with this. i am able to add other domain group belonging to the same domain and the SSRS accepts but not this particular domain group which is like any other domain group.
The title says it all. Given that I have created a login for a domain group, and a database user for that login. What I want to do is retrieving the domain username for the active user. USER_NAME retrieves the database username, suser_name returns (of course) NULL as this is not a sql user.
The goal is to use domain group logins, while still allowing for logging what user performed which action.
This question is regarding a brand new out-of-the-box SQL Server 2005 Workgroup Edition install. The old SQL Server 2000 server is working properly with regard to the issue we're having:
We are using Windows Authentication, and have created SQL logins for about
40 different groups on our domain. We've given those logins the appropriate
permissions on the databases they're supposed to be able to access. The SQL Server is not a domain controller, but is a member of the domain, and domain logins do work for Windows-login purposes on this box.
The problem is that when users try to connect to the SQL server, they are denied access. An error 18456 is thrown, and logged in the Application event log
stating "Login failed for user OURDOMAIN heuser" (example values). The
domain user is properly a member of group added as a login to SQL Server, and we've confirmed that there are not conflicting permissions that would deny those
users access via another route. These same groups are working fine on the SQL Server 2000 box.
This is only a problem for domain-based groups. If we create a local group
on the SQL server machine, through Computer Management -> Local Users and
Groups, then make the same domain users a member of THAT group, and finally then follow the same process to add that local group to SQL Server Logins and set
the database privileges, it works!!
Our group memberships change frequently, and are used for a lot more than
just SQL server permissions. So, using local groups and maintaining
membership in both places is not really feasible. Any ideas why a local
machine group containing domain user accounts would work fine, but a domain
If I have a domain user DOMAINuser1 who belongs to multiple window groups say DOMAINLookupConfigUsers and DOMAINAuditConfigUsers. In sqlserver, I would create two logins - DOMAINLookupConfigUsers and DOMAINAuditConfigUsers and matching users in the database. Then I grant LookupConfig role to the LookupConfigUsers user and AuditConfig role to the AuditConfigUsers user in the database. When DOMAINuser1 logs in, will it have both roles? I try to set this up but it does not seem to work. The domain user only picks up one of the role. Am I on the right track? If not, what is the proper way to grant multiple roles to a user when it belongs to multiple groups and each group has different privileges in the database.
I have tried rebooting the system, I have ran the script to look for duplicate sids and am still having the issue when trying to add a domain group to SQL. I get the Error 15401: Windows NT user or group'miTrust Legal' not found. Check the name again. Running SQL 2000 Std, with SP3a, and the collation is set to SQL_Latin1_General_CP850_BIN, which makes this instance case sensitive, and the group name is spelt right and am following the case sensitivity of the name as well.
I have been struggling with this one for awhile now.I have a domain group which only must view the steps and history of all agent jobs.I have added the group to the sqlagentreadergroup.I have created a new role and denied this role,add job,update job,delete job etc execute permissions.But the user still can change ,delete or create a new job.
All the groups and users in th new role,does not have sysadmin rights.
we have sql 2012 enterprise version
What else can i try.I need this for audit purposes.
I'm totally stuck on this issue and would really appreciate any advice. Here's what's going on...
I'm trying to install SP2 on a SQL 2005 Std x64 cluster and all the components upgrade except the DB Engine, which fails with this error saying the domain group (not the service account) could not be validated for the full-text search service.
I've rebooted both nodes. I've verified that the domain group exists. I even removed the full text search component and I still get the same error.
I've reviewed this: http://support.microsoft.com/kb/915846 But the ftsgroup registry value mentioned does not exists. I assume it only shows up after sp2 is installed.
Interestingly, I couldn't uninstall full-text search unless I passed the FTSCLUSTERGROUP parameter to the setup.exe command line remove command.
The OS is Windows Server 2003 Ent x64 SP2. Not a domain controller. I'm upgrading from the RTM version of SQL Server.
I've posted the relevant parts of the summary and log files below.
Thanks in advance for any ideas!
- Chris
-------------------------------------
Summary.txt ==========
Product : Database Services (MSSQLSERVER) Product Version (Previous): 1399 Product Version (Final) : Status : Failure Log File : C:Program FilesMicrosoft SQL Server90Setup BootstrapLOGHotfixSQL9_Hotfix_KB921896_sqlrun_sql.msp.log Error Number : 28130 Error Description : MSP Error: 28130 A domain group is missing for one or more services. To install SQL Server 2005 as a failover cluster, domain groups must be specified for all the clustered services being installed .To proceed, enter the missing domain group information. The domain group cannot be validated for the service Full-Text Search.
Failed to validate group name for FTSCLUSTERGROUP. Error 87 Error Code: 0x80070057 (87) Windows Error Text: The parameter is incorrect. Source File Name: sqlcadomaingroupdialog.cpp Compiler Timestamp: Sat Oct 7 09:43:40 2006 Function Name: validateSetDomainGroups Source Line Number: 484
MSI (s) (A8!98) [12:17:17:610]: Transforming table Error. MSI (s) (A8!98) [12:17:17:610]: Note: 1: 2262 2: Error 3: -2147287038 MSI (s) (A8!98) [12:17:17:610]: Transforming table Error. MSI (s) (A8!98) [12:17:17:626]: Transforming table Error. MSI (s) (A8!98) [12:17:17:626]: Note: 1: 2262 2: Error 3: -2147287038 MSI (s) (A8!98) [12:17:17:626]: Transforming table Error. MSI (s) (A8!98) [12:17:17:626]: Note: 1: 2262 2: Error 3: -2147287038 MSI (s) (A8!98) [12:17:17:626]: Transforming table Error. MSI (s) (A8!98) [12:17:17:626]: Note: 1: 2262 2: Error 3: -2147287038 Error Code: 87 MSI (s) (A8!98) [12:17:17:626]: Transforming table Error. MSI (s) (A8!98) [12:17:17:626]: Note: 1: 2262 2: Error 3: -2147287038 MSI (s) (A8!98) [12:17:17:642]: Transforming table Error. MSI (s) (A8!98) [12:17:17:642]: Transforming table Error. MSI (s) (A8!98) [12:17:17:642]: Note: 1: 2262 2: Error 3: -2147287038 MSI (s) (A8!98) [12:17:17:642]: Transforming table Error. MSI (s) (A8!98) [12:17:17:642]: Note: 1: 2262 2: Error 3: -2147287038 MSI (s) (A8!98) [12:17:17:642]: Transforming table Error. MSI (s) (A8!98) [12:17:17:642]: Note: 1: 2262 2: Error 3: -2147287038 MSI (s) (A8!98) [12:17:17:642]: Product: Microsoft SQL Server 2005 (64-bit) -- Error 28130. A domain group is missing for one or more services. To install SQL Server 2005 as a failover cluster, domain groups must be specified for all the clustered services being installed .To proceed, enter the missing domain group information. The domain group cannot be validated for the service Full-Text Search.
Error 28130. A domain group is missing for one or more services. To install SQL Server 2005 as a failover cluster, domain groups must be specified for all the clustered services being installed .To proceed, enter the missing domain group information. The domain group cannot be validated for the service Full-Text Search. <EndFunc Name='LaunchFunction' Return='87' GetLastError='0'> MSI (s) (A88) [12:17:17:642]: Transforming table InstallExecuteSequence. MSI (s) (A88) [12:17:17:642]: Note: 1: 2262 2: InstallExecuteSequence 3: -2147287038 MSI (s) (A88) [12:17:17:658]: Transforming table InstallExecuteSequence. MSI (s) (A88) [12:17:17:658]: Transforming table InstallExecuteSequence. MSI (s) (A88) [12:17:17:658]: Note: 1: 2262 2: InstallExecuteSequence 3: -2147287038 MSI (s) (A88) [12:17:17:658]: Transforming table InstallExecuteSequence. MSI (s) (A88) [12:17:17:658]: Note: 1: 2262 2: InstallExecuteSequence 3: -2147287038 MSI (s) (A88) [12:17:17:658]: Transforming table InstallExecuteSequence. MSI (s) (A88) [12:17:17:658]: Note: 1: 2262 2: InstallExecuteSequence 3: -2147287038 Action ended 12:17:17: Validate_ServiceAccounts.3EA9D9BF_D9D2_4023_B2A7_9E2137B2FB1B. Return value 3. Action ended 12:17:17: INSTALL. Return value 3. Property(S): ProductCode = {26F1A218-3158-4107-B3A6-37FD61CEE969} Property(S): ProductLanguage = 1033 Property(S): Manufacturer = Microsoft Corporation Property(S): ProductVersion = 9.2.3042.00
We are trying to set up SQLAgent Proxy account. If the SQLServer service id is a domain admin, do we still have to add it to the local administrators group?
-A "master domain" AD, a "sub domain" AD, a trust relationship between the two (sub trust master) -A sql server 2005 on a win server 2003 in "sub domain" AD -A linked server to "sub domain" AD -A linked server login using a "sub domain" admin acccount -A view to this linked server -A grant on masterDomain/Domain Users to the database -A grant on subDomain/Domain Users to the database -We want all connections done through "Windows Authentication" not "Database Authentication".
Queries on the view work fine using "sub domain" user accounts. Queries on the view fail using "master domain" user accounts (including master domain admin accounts)
"Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation."
All connections are done through "Windows Authentication" not "Database Authentication".
Can we establish cross domain connectivity with "Windows Authentication" ?
Below are details of the implementation:
SELECT TOP (100) PERCENT * FROM OPENQUERY(ADSI, 'SELECT displayname, givenName, sn, cn (etc...) FROM ''LDAP://OU=PEOPLE,DC=subDomain,DC=com'' WHERE objectCategory = ''Person'' AND objectClass = ''user'' ')
In SQL Server Mngt Studio in Server Objects/Linked Servers/Providers/ ADSI properties security tab I have:
"connections will: <be made using this security context> Remote login:'subDomainAdminAccnt' With password: 'subDomainAdminAccntPassword'
Error: Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation.
Msg 7320, Level 16, State 2, Line 1
Cannot execute the query "SELECT displayname, givenName, sn, cn
FROM 'LDAP://OU=PEOPLE,DC=subDomain,DC=com'
WHERE
objectCategory = 'Person'
AND objectClass = 'user'
" against OLE DB provider "ADsDSOObject" for linked server "ADSI".
we recently migrated from our in-house domain to the Enterprise domain. Everything went smooth except for the fact that I can no longer accept my dBs using my SA or my domain admin account. There is only 1 account I can get into the management studio with but it has no admin privileges, so I can't make any password changes or add accounts. I don't have a test environment so kind of hesitant to experiment with our production system.
I'm trying to run a test from my test environment which is a non-domain Windows 2000 server to access my domain 2003 with SQL2005. I have install 2005 tools to try to access the SQL server.
- I have try following the KB265808 - no success. - Reading alot of blogs and it seems all are pointing to the same problem. "Remote access" but the settign is enabled.Error Message:
TITLE: Connect to Server ------------------------------
An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (Microsoft SQL Server, Error: 53)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&EvtSrc=MSSQLServer&EvtID=53&LinkId=20476
Question: Could Windows 2003 security be blocking access? I'm using sa account to access.
Also, sa account does not seems to work for remote access. It is ok when accessing locally.
I have an SSRS 2012 table report with groups; each group is broken ie. one group for one page, and there are multiple groups in multiple pages.
'GroupName' column has multiple values - X,Y,Z,......
I need to group 'GroupName' with X,Y,Z,..... ie value X in page 1,value Y in page 2, value Z in page 3...
Now, I need to display another column (ABC) in this table report (outside the group column 'GroupName'); this outside column itself is another column header (not a group header) in the table (report) and it derives its name partly from the 'GroupName' values:
Example:
Value X for GroupName in page 1 will mean, in page 1, column Name of ABC column must be ABC-X Value Y for GroupName in page 2 will mean, in page 2, column Name of ABC column must be ABC-Y Value Z for GroupName in page 3 will mean, in page 3, column Name of ABC column must be ABC-Z
ie the column name of ABC (Clm ABC) must be dynamic as per the GroupName values (X,Y,Z....)
Page1:
GroupName Clm ABC-X
X
Page2:
GroupName Clm ABC-Y
Y
Page3:
GroupName Clm ABC-Z
Z
I have been able to use First(ReportItems!GroupName.Value) in the Page Header to get GroupNames displayed in each page; I get X in page 1, Y in page 2, Z in page 3.....
However, when I use ReportItems (that refers to a group name) in the Report Body outside the group,
I get the following error:
Report item expressions can only refer to other report items within the same grouping scope or a containing grouping scope
I need to get the X, Y, Z ... in each page for the column ABC.
I have been able to use this - First(Fields!GroupName.Value); however, I get ABC-X, ABC-X, ABC-X in each of the pages for the ABC column, instead of ABC-X in page 1, ABC-Y in page 2, ABC-Z in page 3, ...
Hi all,it happen to me a strange problem:i have a mdb file (in Access 2K) with SQL Server 2K linked tables whoruns on a workstation which is on a different domain that the SQLServer. It works.If i create a mdb file from a workstation which is a the domain of theSQL Server and then i run it a my non-domain workstation i have errormessage:Login failed for user '(null)'. Reason: Not associated with a trustedSQL Server connectionBut if i reattached my tables it works.If someone have an idea....PS: same ODBC on both machines
I've posted a feedback with Microsoft to see if we can get them to fix the issue described below, but so far no one from Microsoft has commented to let us know what they're doing about this problem! I'm posting this here to see if maybe we can get more people to rate this feedback or chime in on what a pain it is! Please feel free to add your own comments or how you had to work around this issue and whether or not you think this is something Microsoft should be addressing NOW.
Provide Individual Page Numbering per Group and Total Pages per Group
Currently in a Reporting Services report, you can't readily reset the page number for each group in a table, nor can you display the total number of pages per group. For example, if I'm printing invoices and each invoice is a separate group, I'd like to be able to print "Page 1 of 5" , "Page 2 of 5" etc. for the first invoice, then "Page 1 of 3" when the next invoice begins, and so on. This was easy in Crystal Reports. I realize that Crystal Reports has a two-pass process that enables that kind of pagination. However, this is REALLY important functionality that's just missing from Reporting Services and I'm hoping you'll provide it REALLY SOON! Yeah, I know there are work-arounds if you can know exactly how many rows of information there are on each page. But gosh! That's not practical, especially if you have second level groups inside the main group or text blocks in rows that can 'grow' to more than one line. I've read a couple of work-arounds, but none of them works correctly and consistently when more than one user is running the same report or when you print the report while you're looking at it on the screen. I still may need access to the overall report page number and the overall total number of pages, so don't get rid of that. It's just that if you're doing this already for the entire report, I don't see why you can't do it per group! Lots of people have been asking for this for years, and I don't understand why it hasn't been implemented.
I've read a few articles on this topic, but no one has come up with a decent work around. My theory is that Microsoft should be addressing this immediately. This is major functionality that's just plain missing from SSRS and should have been there from the start. If anyone from Microsoft can let us know what's going on with this issue or if anyone would like for me to clarify this further, feel free to let me know.
I have an SSRS report with groups that when exported to excel contains drill-in's (plus marks on left side). The issue I have is that for all the groups in the drill-in, those cells become merged. I want to keep the group drill-in but have the cells UNMERGED. I have heard this can be done with the RDL XML but I don't know what to modify to accomplish this.
I'm trying to set up replication from one SQL server to another.
The publishing server is not a member of a domain and is located in a hosting center (but we have full control over the server). I can set up a Snapshot publication just fine.
The subscribing server is located in another remote location and is a member of a domain. Here I can also set up the subscription without errors.
The errors, I think, comes when the snapshot is about to be created, the error is, on the publisher server:
[298] SQLServer Error: 18456, Login failed for user 'NT AUTHORITYANONYMOUS LOGON'. [SQLSTATE 28000]
And the snapshot is not created.
Is it even possible to set up replication like this. I need to transfer the data from one sql server to another so we have a working "backup" so to speek if the other server does not respond.
I'm having a fight with Reporting Services at the minute when trying to compute an average at the row group level for a value summed in a column group.I have the following column groups:
Year Month Date
And the following row groups:
Region Product SubType (hidden, data at the date level is summed to Product)
At the moment I'm computing the average for SubType for each Date at the Product level (giving a decimal value), so for each day I end up with a nice average, that works. However I am unable to average that average over the whole Year for a Product. The issue being that I'm trying to combine Row Groups (Product) and Column Groups (Date/Year)
select top 15 count(*) as cnt, state from table group by state order by cnt desc
[code[...
Can the above three queries be combined into one and still be fast, if so how?What i am trying to go is an item count, by group, similar to ones Inbox in Outlook.
I have a need to show a row inside a table group to simulate a header row for the data rows inside the group. The table will not have a real header or footer. Thanks for the help.
HiI am new to SQL and am having a problem. I need to fix my query to do the following...2) get a total of the number of rows returned. DECLARE @StartDate varchar(12)DECLARE @EndDate varchar(12)DECLARE @Region varchar(20) SET @StartDate = '01/01/2002'SET @EndDate = '12/31/2008'SET @Region = 'Central' SELECTA.createdon,A.casetypecodename,A.subjectidname,A.title,A.accountid,A.customerid,A.customeridname,B.new_Region,B.new_RegionName FROM dbo.FilteredIncident AINNER JOIN dbo.FilteredAccount B ON A.customerid = B.accountid WHERE (A.createdon >=@StartDate AND A.createdon <= @EndDate)AND (B.new_RegionName = @Region)AND (A.casetypecode = 2)
I'm new to MSSQL 2005 and want to get a summary of a log table. I want to count all the rows for each date based on a DATETIME field called 'post_date' that holds the date and time of each record's creation.
this is the best I can come up with:
Code:
SELECT DISTINCT(LEFT(post_date,11)) AS post_date, COUNT(DISTINCT(LEFT(post_date,11))) AS total_posts FROM log_directory_contacts GROUP BY post_date
The results show each date but the count column ('total_posts') returns '1' for every row even when I know their are more than 1 record on that date.
I have a matrix with two row groups and one column group with about 6 items in it. I have about 2100 rows at the lowewst row group level. This report was built solely for excel export. The first row group has about 20 items and controls the visibility of the other group. When I toggle the visibility of the second row group, how can I make the the header of the first row group copy down for each row of the other row group? The first row group is the Section and the second is Mnemonic.