SQL Security :: Domain Migration Altered SA Or Domain Admin Access To DBs
Jun 19, 2015
We recently migrated from our in-house domain to the Enterprise domain. Everything went smoothly except for the fact that I can no longer access my DBs using my SA or my domain admin account. There is only 1 account I can get into the management studio with but it has no admin privileges, so I can't make any password changes or add accounts. I don't have a test environment so I'm kind of hesitant to experiment with our production system.
Jun 12, 2015
Is SQL Server sensitive to Domain group name? Like "Domain Admin"?
I have a user that belongs to the "myDomain\Domain Admin" group. The group is in SQL as sysadmin but the user cannot log in using domain credentials. When I move that user to a different domain group, which is again in SQL as sysadmin, my user is able to log in.
Environment: SQL 2008 Standard Edition.
Sep 28, 2007
Hi,
We have the following:
-A "master domain" AD, a "sub domain" AD, a trust relationship between the two (sub trust master)
-A sql server 2005 on a win server 2003 in "sub domain" AD
-A linked server to "sub domain" AD
-A linked server login using a "sub domain" admin account
-A view to this linked server
-A grant on masterDomain/Domain Users to the database
-A grant on subDomain/Domain Users to the database
-We want all connections done through "Windows Authentication" not "Database Authentication".
Queries on the view work fine using "sub domain" user accounts.
Queries on the view fail using "master domain" user accounts (including master domain admin accounts)
"Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation."
All connections are done through "Windows Authentication" not "Database Authentication".
Can we establish cross domain connectivity with "Windows Authentication" ?
Below are details of the implementation:
SELECT TOP (100) PERCENT *
FROM OPENQUERY(ADSI,
'SELECT displayname, givenName, sn, cn (etc...)
FROM ''LDAP://OU=PEOPLE,DC=subDomain,DC=com''
WHERE objectCategory = ''Person'' AND objectClass = ''user'' ')
EXEC sp_addlinkedsrvlogin @rmtsrvname ='ADSI', @useself='false',
@rmtuser='subDomainAdminAccnt', @rmtpassword='subDomainAdminAccntPassword';
In SQL Server Mngt Studio in Server Objects/Linked Servers/Providers/ ADSI properties security tab I have:
"connections will: <be made using this security context> Remote login:'subDomainAdminAccnt' With password: 'subDomainAdminAccntPassword'"
Error:
Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation.
Msg 7320, Level 16, State 2, Line 1
Cannot execute the query "SELECT displayname, givenName, sn, cn
FROM 'LDAP://OU=PEOPLE,DC=subDomain,DC=com'
WHERE
objectCategory = 'Person'
AND objectClass = 'user'
" against OLE DB provider "ADsDSOObject" for linked server "ADSI".
Sep 6, 2007
We are using Win2k3 R2 with SQL 2000 in a domain environment.
Is it possible to create a domain group to grant admin level and user level access to SQL2000/2005 without giving users server admin or domain admin access?
It has always been my impression that to have admin access to SQL you had to at least have admin level access on the server.
Any clarification would be greatly appreciated.
Thanks!
Sep 26, 2006
I'm trying to run a test from my test environment, which is a non-domain Windows 2000 server, to access my domain 2003 with SQL2005. I have installed the 2005 tools to try to access the SQL server.
- I have tried following KB265808 - no success.
- Reading a lot of blogs, and it seems all are pointing to the same problem, "Remote access", but the setting is enabled.
Error Message:
TITLE: Connect to Server
------------------------------
Cannot connect to ardsqldatawh.
------------------------------
ADDITIONAL INFORMATION:
An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (Microsoft SQL Server, Error: 53)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&EvtSrc=MSSQLServer&EvtID=53&LinkId=20476
Question: Could Windows 2003 security be blocking access? I'm using the sa account to access.
Also, the sa account does not seem to work for remote access. It is ok when accessing locally.
Any help would be appreciated.
949jc
Jul 25, 2012
We have a network setup with two domain controllers, DC1 and DC2, working independently from each other, along with a DBserver1 that runs a BCM database and is a member of DC1. For certain reasons we would like to demote the DBserver1 and join it to the domain of DC2. What are the steps required in order to properly move a BCM Database running on SQL2005 to a new domain, where the security data lies in the active directory of DC1?
Feb 15, 2007
I am trying to migrate user accounts from a 2000 Server to a 2003 server. I am changing domain names, and the new domain is a child domain off a parent domain. I have created a trust on both domain servers and the parent domain, and I have created administrative users on each domain. I am using the ADMT migration tool and can get all the way through it, then get an access denied when it tries to create the accounts. The knowledge bases on this say I need a Domain Admin user on each domain for the other domain. Being in a child domain, it does not let me create this. I have created users and added the administrative group for each user; this should give the rights to create the users on the new domain, but I am still getting the access denied.
Does anyone know what I am missing on this? Any help would be greatly appreciated.
thanks,
Shawn
Oct 12, 2007
Here's the situation we're facing. Our organization is going to consolidate into a single domain. The plan of action is to disband the old domain, and create an all new domain. Most of our servers will also be renamed in the process.
We've got something of a two-server setup, with one machine handling SQL Server, and the other hosting various intranet sites, including Reporting Services 2000.
SQL Server itself shouldn't be a huge problem to migrate - the machine only has about half a dozen Windows logins set up. In my experience, though, Reporting Services is a much more fragile animal. Just getting it up and running on Win2003 SP1 and coexisting with ASP.NET 2.0 was enough of a stunt already. What will I have to watch out for to make sure this doesn't completely hose our installation? Would it be too optimistic for me to hope that I'll just have to reconcile any domain service accounts, change the connection string for the report server catalog database, and be done with it?
Feb 21, 2007
Hi friends,
We have a problem with our RS2005 after migration into another domain.
The problem is that we have got duplicate access rights for the same AD usergroup.
When trying to remove or add a new AD group we get the error msg - "... role assignment is not valid. The role assignment is either empty or it specifies a user or group name that is already used in an existing role assignment for the current item. (rsInvalidPolicyDefinition)"
Books Online gives no answers and neither do the search engines .....
Anyone having a hint or solution .......
Apr 5, 2007
I have a root domain and child domain.
After using ADMT to migrate the domain user or group into the root domain, when I use Enterprise Manager to try and change the permissions allocated to that domain user/group, I get the 'Error 15401 NT user or Group not found'.
This is a correct error as the user is now in the root domain, however SQL (in sysxlogins) still thinks it's in the child domain.
Is there a simpler way, other than collecting the user's permissions, deleting the user from SQL then adding back in with the correct domain\username format, then adding the permissions back?
I tried renaming the 'name' in sysxlogins (not recommended) and while that worked, whenever I tried to add the migrated user to another database, the login name was missing and would not resolve.
I believe it is something to do with the SID not matching.
Any ideas on how to fix this ?
Dec 13, 1999
A couple of newbie questions:
1) Do Domain Admins have SA rights by default in SQL7? If so, is there a way to keep domain admins out of particular databases?
2) Is it possible to create a database or table that even SA can't get into?
Thanks
JD
Nov 6, 2007
Hi,
We are using SBS2000 with SQL 2000 and Terminal Server.
On the Terminal Server, we have an application that connects to SBS (SQL).
The problem is that a user without Domain Admin permission cannot modify the database.
How is it possible to grant full access to SQL2000 without giving users domain admin access?
Thanks,
Samuel
Sep 10, 2007
Hello,
is it possible to deactivate the groups admins and domain-admins in SQL Server without getting in trouble with the SQL Server? For example, when the system boots the program should start normally without any problems.
We want to deactivate the accounts because we have some critical information in SQL Server and don't want to give all admins the possibility to have a look at these data.
We just want to have sa within the role sysadmin.
Regards
Franz
Jun 9, 2000
I have a server that belongs to domain 'a'. The server is neither a PDC nor a BDC. This server has SQL Server 7 installed. I wanted security set up so the Domain Administrator could select/update rows in the database and administer the database as well as the local administrator of the SQL Server. From a workstation the domain administrator can create tables but cannot insert rows. From the server in question the domain administrator can create tables and insert rows. Why does it make a difference what box the domain administrator logs on to?
Nov 10, 1998
We've encountered a problem on one of our SQL servers running integrated security where MS Security Manager errors out with "An error occured executing sp_addlogin using Domain_name\username - " is not a valid name since it begins with an invalid character." We think it is because the domain has the underscore character in its name. Can anyone confirm or point to other possible configuration issues?
Mar 6, 2008
Based on our database infrastructure, we need to secure our SQL databases. The security issue concerns on allowing a limited number of Domain Admin users to access the SQL databases.
We tried certain ways, based on the documents in the Microsoft web site, but we couldn't reach to the point of preventing the Domain Admin users accessing the SQL databases.
Thanks in advance.
Oct 23, 2007
I am trying to connect as follows:
Server: Windows 2003, SQL 2005, on a domain
Client: Windows 2008 Beta, not on any domain
I created an account with the same user name as the domain user on the client machine. And then I logged in as that user and went to Manage Network Password. I entered the correct domain credentials. Verified that this worked for file shares. However, SQL does not appear to be recognizing this and it tells me:
Login failed for user ''. The user is not associated with a trusted SQL Server connection.
I have verified that this domain account is working properly with SQL when the client is also on the domain.
How can I get this Windows authentication scenario to work where the client is not on the domain and the SQL server is on the domain?
Aug 16, 2005
Does anybody know if it is possible to establish a connection to an sql express instance only with integrated security when this express instance is running on XP which is NOT part of a domain?
Aug 6, 2015
Would it be possible to disjoin the SQL Server Clustered environment to a new domain without having to reinstall the cluster?
disjoin
e.g. 2-node active/active cluster with 4 named instances. SQLserver1.dn.za; SQLserver2.dn.za; SQLserver3.dn.za; SQLserver4.dn.za
servernode1.dn.za; servernode2
re-join them as SQLserver1.dn.ra; SQLserver2.dn.ra; SQLserver3.dn.ra;SQLserver4.dn.ra
servernode1.dn.ra; servernode2.dn.ra
What would be the impact on the servers? Will they be able to resolve the new DNS?
Feb 11, 2015
I am running into a weird issue with a new SQL Reporting Services 2014 server I built. I installed SQL Reporting 2014 on Windows Server 2012 R2 and configured Kerberos, but the site is extremely slow. After some reconfiguration and log captures I have determined the issue has to do with the Kerberos setup, however I am running a similar configuration with SQL Reporting Services 2008 on Windows Server 2008 R2 and do not run into the same errors.
The error I see while using Wireshark is KRB Error: KRB5KDC_ERR_BADOPTION NT Status: STATUS_NO_MATCH. When I drill down into the error I can see the Kerberos string is testprjmnmtreports14.company.com, which is the URL we are using to access the site. I made sure to add that name as an SPN for the service account that is running SQL Reporting Services, however I still receive the error.
Then I tried configuring the site to run without a hostheader, so I accessed the site with the server name, ECTSTSQLRS5, and the site works perfectly fine, no errors are reported either. So it seems I have isolated the issue down to Kerberos but I am not sure how to resolve it. Here is some more information about my environment:
DNS/URL used: testprjmnmtreports14.company.com
Server Name (FQDN): ECTSTSQLRS5.company.int
AD Domain Name: company.int
Server Version: Windows Server 2012 R2
AD Functional Level: 2008 R2
As you can see I am trying to use a .com address but my AD domain is .int which I think is the issue, but I do not have the same problem on my other server that is running Windows Server 2008 R2. What do I need to do to allow my new site on 2012 R2 to work with this DNS Alias?
Apr 17, 2008
I have a DBA who is convinced that they need domain admin rights to install SQL 2005 into an existing cluster. The domain groups and service accounts for SQL have been created already. Is having domain admin rights required during the install of SQL 2005 in a cluster?
Feb 18, 2004
Is there a way to access a SQL Server running on a different domain? I can access the same SQL Server from my machine, which is on a different domain using the ODBC connection, but when I try to access it using an application written in VB6.0 then I get the SQL Server does not exist error. I'm using the SQL Authentication method.
Oct 5, 2007
Hello,
I am seeing a couple of domain/username accounts trying to access SQL 2k5 SP2 and getting the error above. The concern I have is these accounts shouldn't be trying to access SQL at all and do not exist in SQL, hence the error. The question I have is how can I track down what is trying to use this account and connect to SQL? Thanks in advance.
John
SQL Server Log:
Message
Login failed for user 'DOMAIN ampbell'. [CLIENT: <named pipe>]
Message
Error: 18456, Severity: 14, State: 27.
Jun 11, 2007
Hi,
We recently upgraded to SQL Server 2005 and we've added SSRS to the same server. This server is an internal SQL server. I can access the reports from http://localhost and http://servername/ but how do I access reports I've created from outside of the domain? Does SSRS need to be installed on a server with IIS and SQL Server 2005 that we can get to from outside? Please help! Thanks.
- stsong
Jul 6, 2001
I want to give a client access to a SQL Server 7 database sitting on a different NT domain without setting up a trust relationship between the two domains. Has anyone tried doing this?
Apr 1, 2008
Hi,
I'm trying to access an SQL server 2005 database over the network. I'm at a client location plugged into their network, but when I log into my laptop I'm not logging into their domain. I have to access their network by typing in the name and password they gave me.
I cannot seem to access the database from my computer. I try to create an ODBC data source in the administrative tools, but the drop down list of detected SQL servers does not show the server I am trying to connect to. The weird thing is, it does show many other SQL servers on their network... just not the one that I'm trying to connect to. And I know that the one I want to connect to is working correctly because if I remote desktop into one of their machines (which is logged onto their domain), I can see it fine in the drop down.
Does anybody know how I can get a connection to this database from my computer, even though I'm not on the domain?
Thanks!
Jun 20, 2008
How to find out whether a domain user has access to sql server or not?
Many domain groups have access to my sql server. I need to check whether a user has access to server or not.
Probably I need to check which windows group the user belongs. This looks more like an o/s question than DB. How do you guys manage this scenario?
------------------------
I think, therefore I am - Rene Descartes
Feb 12, 2008
Hey All,
This is my first time using the forums here nor am I a SQL programmer. I'm trying to help a coworker figure out how to access files from a network share (using a UNC path) from a different domain. Right now we have three domains - Production, Development, and the Local. There is a one-way trust setup with the development and local domains, so using cross domain accounts is easy. Unfortunately, we cannot setup one right now with our production domain to any of the other two domains. Is there a way to pass production credentials from our local or development domain servers to a production server share? Am I even approaching this in the right way? Maybe there is a different method, any help would be GREATLY appreciated!
-Andrew
Network Administrator
Oct 12, 2007
Hi,
I have a quick question regarding domains and workgroups.
Currently I am working on an issue in the office of a small business. Right now there are 3 client computers that connect to a Dell server running Windows std. server 2003. The server has SQL running on it that takes care of the invoicing system. Two out of the three workstations are able to use the database fine, but there is one that is unable to connect to the database. The only difference that I could find is that the two workstations that DO work are currently set to use a workgroup, whereas the one workstation that does NOT work is set to use a domain...... I tried switching that computer to workgroup, but then I was unable to log in as the normal user that I had always logged in as before.....
What can I do to solve this dilemma?
Any help would be greatly appreciated!
I apologize if this is the wrong forum for this, and if it is, if someone would point me to the correct one I would appreciate it.
Thanks
-steve
Mar 2, 2006
Hi everybody,
I do not know if this is the correct area to post this topic. So, how do I access a different SQL server with Query Analyzer? Usually, when SQL Server is installed, it accesses the locally installed database server; now I would like to access another SQL server within a domain using Query Analyzer. How do I configure this so that I can use Query Analyzer to access another SQL server within a domain? Thanks in advance.
den2005
Nov 19, 2015
We have purchased an ERP system from a vendor which uses system DSN for all the reports. The system automatically creates DSN with Sa with SQL Server. The problem is the DSN is not working with AD users.
Active Directory server: Windows Server 2008 32 Bit.
SQL Server: Windows Server 2012 64 Bit. This server is already member of my Domain. e.g. CompDomain.com
What do I need to do on the client PCs or the server to make ODBC available to AD users?
Dec 1, 2007
If the net is domain control.
Can we use reporting server as usual?
Or need some special setting about it for protect it working well?
Thanks
Jul 20, 2005
Hi all,
A strange problem happened to me: I have an mdb file (in Access 2K) with SQL Server 2K linked tables which runs on a workstation which is on a different domain than the SQL Server. It works.
If I create an mdb file from a workstation which is in the domain of the SQL Server and then I run it on my non-domain workstation, I get the error message:
Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection
But if I reattach my tables it works.
If someone has an idea....
PS: same ODBC on both machines