Hey guys. I'll have an active/active cluster and seperate accounts for SQL Services and Cluster service. The question is what rights should the cluster account have in SQL if I've removed the 'builtin admins' from SQL? Thank you
I am getting the error: Cannot open database "aspnetdb" requested by the login. The login failed. When I browse to my ASP.NET 3.5 LINQ web application on the IIS 6.0 server on Server 2003. I imagine this is because while I granted SQL Server 2005 login and permissions to my database that the application stores its data in, I did NOT grant any rights to the service account the IIS Application Pool uses for its identity to the aspnetdb database on SQL Server which is where all my roles information is stored at. My question is what are the MINIMUM permissions needed for this database so it can perform its roles related functions? I'm using Windows Authentications with the SQL Role provider for authorization.
Thank you.
EDIT: I think I only need to open the aspnetdb database and add my login to the aspnet_Roles_FullAccess role. Is that correct?
I'm creating one of my first asp.net pages, and it accesses an MS SQL database.It runs fine locally, but if you go to it remotely through a web browser, you get an exception saying that the database login failed for user ASPNET.My brother told me to do the following in SQL Server Managment studio. It seems I don't have that program installed, so I did it from the SQL command prompt.CREATE LOGIN [bigblueASPNET] FROM WINDOWSuse AdventureWorkscreate user [bigblueASPNET](Where "bigblue" is the computer name and "AdventureWorks" is the database my asp.net web page reads from).This only partially fixed the problem - now when you open the page remotely and try to access the DB I get an error message saying that permission to use the SELECT command is denied.I searched on these forums, and found this:http://forums.asp.net/69166/ShowPost.aspxFor future reference, let's call what my brother told me "Method 1" and what the previous poster did as "Method 2."I haven't tried method 2 because I don't know exactly what I am giving ASPNET permission to do. Does method 2 enable ASPNET to do anything to any database? It seems method 1 is more secure, as from the commands I could already tell it only has permission to access AdventureWorks.So, I'd prefer to use method 1. Can anyone tell me what further commands I can use to give ASPNET permission to do specific actions?If I can't figure out method 1 and have to do method 2, how can I undo what I did in method 1?Thanks!
Hey guys. I've an application which uses an account named Uaccount1. I've given it db_datareader and db_datawriter permissions to the tables. I've given it execute permissions to all sp's I've given it reference permissions to the symmetric key. And I gave it reference permissions on the certificate. At this point, it can't see the certificate. If I give control permission to the account for the certificate, it works perfect. Is it necessary to do that or am I missing something. Our security is based on symmetric key and certificates...
Hey guys,I'm pretty new to SQL configuration, and I need to give EXECUTEpersmissions for one of the SQL user roles. I am running SQL 2005Management Studio Express - free version. I found the list of mystored procedures, but I can not locate any permissions screen. Cansomeone help point me in the right direction? Thanks!
I created a new login and then created a new user [COM] in DB with default schema pointing to [COM]
I created then schema [COM] WITH AUTHORIZATION [COM]
I want this [COM] user to have all permissions it needs on [COM] schema only. How do I do that? When I try to create table [Com].Table it gives me permission denied.
After SQL Server 2005 Database Engine is installed by domain administrator, how to give permissions to a regular domain user so that user can control SQL Server Database service?
I just set up a SQL 2005 Server about a month ago that we will be moving all of our scattered DBs onto. I basically set it up with the default settings and didn't touch anything special, until I tried to install Microsoft System Center Essentials 2007 in our environment. I had problems getting it to use our SQL server, and a forum post told me to change all of the service accounts for SQL to use the LocalSystem login. So here are my service accounts:
SQL Server Integration Services - NT AUTHORITYNetworkService SQL Server FullText Search (MSSQLSERVER) - LocalSystem SQL Server (MSSQLSERVER) - LocalSystem SQL Server Analysis Services (MSSQLSERVER) - LocalSystem SQL Server Reporting Services (MSSQLSERVER) - LocalSystem SQL Server Browser - LocalSystem SQL Server Agent (MSSQLSERVER) - LocalSystem
So Sandisk makes this software called CMC. It's for controlling their enterprise USB drives. And their software won't install. It errors out saying that it couldn't drop the database on our SQL server (but it doesn't exist). If I make an empty DB by the same name, it sees it, and then errors out anyway. I am using the SA login for testing (I was using a purposed SQL account before) so I don't think it's a rights issue. Sandisk says it should work, and they suggested I use SQL server express. But we run VMs, and running SQL server in another VM is going to use more of our memory pool. Plus we want centralized backups and all that.
Do my service account logins have anything to do with it? Can someone tell me what these should be set to by default so I can change them back?
Here's a trace I did when I tried to install the software:
-- network protocol: TCP/IP set quoted_identifier on set arithabort off set numeric_roundabort off set ansi_warnings on set ansi_padding on set ansi_nulls on set concat_null_yields_null on set cursor_close_on_commit off set implicit_transactions off set language us_english set dateformat mdy set datefirst 7 set transaction isolation level read committed
set implicit_transactions on go drop database [CruzerDb] go IF @@TRANCOUNT > 0 ROLLBACK TRAN go
And here's more info if needed:
Product Version - 9.00.3042.00 Edition - Standard Edition Server Collation - SQL_Latin1_General_CP1_CI_AS Is Clustered - No Is FullText Installed - Yes Is Integrated Security Only - No Is AWE Enabled - No # Processors (used by instance) - 2
Hi, I want to use a domain user account not belonging to local admin or domain admin groups in SQL 2000/2005 Enterprise edition. This is what I've done so far.. On the machine that is the Domain Controller: - installed SQL 2005 as a domain admin
- created a domain user account using Active Directory Users and Computers. This user is only
"Member of" domain users; not any Administrators group.
- added this user to SQL Server Management Studio->Logins and in Server Roles assigned
sysadmin role. Question 1: Do I need to give any additional permissions to this user to work with SQL? Question 2: How can I test this user for basic SQL operations like database creation? Can I use Osql? Question 3: Can I use this user account to login to my domain controller using remote desktop? I tried adding this user to remote users, but in vain.
Im having trouble getting xp_cmdshell to work after we changed the service account for our sql server. It was working perfectly before - so i know that execute permissions have been granted, and that we have a credential set up properly.
I have read that I need to ensure the service account has permissions to 'act as opertaing system' and 'replace a process level token'. I have granted these rights in the local security policy as well.
However, I still get :
A call to 'CreateProcessAsUser' failed with error code: '1314'.
Do I need to restart the service? Or the whole server? Or have I missed something else?
If we were to assign permissions to a backup agent such as Backup Exec to backup the databases on the SQL server, what role would give the least amount but sufficient permissions to perform the backup? I know domain admin would make the agent a local admin and therefore allow it to back up the database but is there a role available to allow backup only?
Please note that I'm referring to a domain account used by Backup Exec to directly backup the databases rather than sql server agent.
We are trying to configure registry settings to allow sql server service to run on a service account in SQL Server 2005. The registry has changed quite a bit from SQL 2000, and we are missing a setting in the software keys that causes sql server service not to start. If we apply permissions to all of HKEY_LOCAL_MACHINE/SOFTWARE, then the service starts, however company security policies do not allow this. Are there any specific keys we should look at, other than the obvious Microsoft/Microsoft SQL Server and Microsoft/MSSQL keys, in which we have already granted permissions to the service account?
We have a N+1 SQL 2005 x65 SP2 + 3159 cluster which was running fine until the service account which runs Windows cluster and the SQL services was removed as a login from SQL. This was a new setup so the only SQL accounts are (SA) as SA, Windows Domain GROUP's which one group is configured as SA and the cluster account is added to this group. I cannot start SQL service on the cluster now. I've tried logging into one node as the service account which is member of a AD group which has SA rights to SQL as well as my personal account. If anyone knows a way ot fix this without reinstalling I'd appreciate your help.
The account i setup to access the db in Sql 2005 Proper on the Production serve is Represented by the name in the above example as “aspuser�. I created this user in security, logins. And I gave permissions to this on the Db level “create procedure delete, select, update insert.�
I get a error when i run the page in the browser that says “login failed for aspuser.�
I know virtual directory is configured properly. I can run aspx page in the directory with out a db connection, without and error.
If you were to do a fresh install it would set permissions on the disk so everything just works.
Now when changing the service account (e.g. to a domain user) use the configuration manager, does it do the same magic (possibly sans if the database data/log files are on another disk)? Or do you need to trawl through the dozens of folders and assign rights manually?
During install of SQL Server 2005, we can of course use a domain account or the built-in system account for running the services. I lean toward domain for obvious reaons but would like to know a +/- to each option and why I'd choose one over the other and what consequences or limitations one may encounter if I choose one over the other.
Hello! I have the following problem. I developed CLR Stored Procedure "StartNotification" and deploy it on db. This sp calls external web service. Furthermore, this sp is called according with SQL Server Agent Job's schedule. On my PC SQL Server works under Local System account and this web service is called correctly (Executed as user: NT AUTHORITYSYSTEM). But on ther other server the following exception is raised during job running: Date 17.04.2007 16:42:10 Log Job History (FailureNotificationJob)
Step ID 1 Server MSK-CDBPO-01 Job Name FailureNotificationJob Step Name MainStep Duration 00:00:00 Sql Severity 16 Sql Message ID 6522 Operator Emailed Operator Net sent Operator Paged Retries Attempted 0
Message Executed as user: CORPmssqlserver. A .NET Framework error occurred during execution of user defined routine or aggregate 'StartNotification': System.Security.SecurityException: Request for the permission of type 'System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. System.Security.SecurityException: at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) at System.Security.CodeAccessPermission.Demand() at System.Net. The step failed.
What is the reason of this behaviour? Unfortunately I do not have direct access to this server. I have the following guesses: 1) CORPmssqlserver may have not enough permissions to call web service 2) Something wrong with SQL Server account's permissions 2) Something wrong with SQL Server Agent account's permissions I will take the will for the deed. Thanks.
I have been running a script in SQL Server 2000 as sa also as a Active Directory user who has administrator rights (I tested both approaches SQL Server then Windows Authentication) in Query Analyser which grants execute rights to the stored procedures within the database instance and Query Analyser does not give any errors when I run the script. I have made sure that each transaction has a go after it. I then return to Enterprise Manager, check the rights (I apply them to roles so that when we create another SQL Server user we just grant him/her rights to the role) and discover that the role has not been granted the rights. I seems to be occurring only with 2 of the procedures. Is there a known bug that might be causing this?
I have several DTS jobs that runs well as a job with my nt login account for the SQL agent service startup account, but if I use the System account they fail with this error. " Error opening datafile: Access is denied. Error source: Microsoft Data Transformation Services Flat File Rowset Provider"
The data has change access to the System account under the NT security.
Basically a dts package has been setup that pulls in data from another companies server, this data requires to be on-demand i.e individual users can pull in updates of the data when they require it.
I am using xp_cmdshell and dtsrun to pull in the data. This obviouly works fine for me as i am a member of sysadmin.
Books online quotes " SQL Server Agent proxy accounts allow SQL Server users who do not belong to the sysadmin fixed server role to execute xp_cmdshell"
So i went to the SQL Server Agent Properties 'Job System' tab and unchecked 'Non-sysadmin job step proxy account' and entered a proxy account.
The proxy account has been setup as a Windows user with local administrator privilages and even a member of the sysadmin server role - just in case.
Now when i log onto the db with my test account - a non-sysadmin - and attempt to run the stored proc to import the data i recieved the message 'EXECUTE permission denied on object 'xp_cmdshell', database 'master', owner 'dbo' '
hmm... so basically i have either misunderstood BoL or there is something not quite right in my setup.
I have search the net for a few days now and yet i can find no solution.
Hi there,BOL notes that in order for replication agents to run properly, theSQLServerAgent must run as a domain account which has privledges to loginto the other machines involved in replication (under "SecurityConsiderations" and elsewhere). This makes sense; however, I waswondering if there were any repercussions to using duplicate localaccounts to establish replication where a domain was not available.Anotherwords, create a local windows account "johndoe" on both machines(with the same password), grant that account access to SQL Server onboth machines, and then have SQL Server Agent run as "johndoe" on bothmachines. I do not feel this is an ideal solution but I havecircumstances under which I may not have a domain available; mypreliminary tests seem to work.Also, are there any similar considerations regarding the MSSQLSERVERservice, or can I always leave that as local system?Dave
I have a situation that I have discovered in our QA database that I need to resolve. When I looked at the Activity Monitor for our server, I discovered that a process is running under a domain user account for one of our .Net applications. The problem is that that domain user account has not been created as a SQL login account on the server. I am trying to figure out how someone can log in to the database server with a domain user account that has not been added to SQL Server as a login account.
Does anyone have any insight on this? I don't like the idea of someone being able to create domain account that can access the database without me granting them specific access.
During the installation of Adding node to a SQL Server failover cluster(On passive node) getting error like.. The MOF compiler could not connect with the WMI server. This is either because of a semantic error such as an incompatibility with the existing WMI repository or an actual error such as the failure of the WMI server to start.We  run the below commands but didn’t get any resolution & got the same above error .  1<sup>st</sup> Method…
1. Open console command (Run->CMD with administrator privileges).Â
2. net stop winmgmtÂ
3. Rename folder %windir%System32WbemRepository to other one, for backup purposes (for example _Repository).Â
4. net start winmgmt
2<sup>nd</sup>Â Method..
1. Disable and stop the WMI service.
a) Command : - sc config winmgmt start= disabled
b. Command : - Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â net stop winmgmt
I am in the process of moving databases from a SQL 2005 Standard version to a 2-node 2014 cluster.All of my 2005 databases back up successfully.They all restore without issue except for one database that has a full text catalog. I get this message
Msg 7610, Level 16, State 1, Line 2 Access is denied to "fileStoragedataMSSQLSERVERFullTextCatalog", or the path is invalid. Msg 3156, Level 16, State 50, Line 2 File 'sysft_FTCatalog' cannot be restored to 'fileStoragedataMSSQLSERVERFullTextCatalog'. Use WITH MOVE to identify a valid location for the file. Msg 3119, Level 16, State 1, Line 2 Problems were identified while planning for the RESTORE statement. Previous messages provide details. Msg 3013, Level 16, State 1, Line 2 RESTORE DATABASE is terminating abnormally.
[code]....
I went as far as giving the folder full access to everyone temporarily and received the same error.
Can I build a cluster by adding the cluster service, then the SQL instances, then add the other nodes and their passive SQL instances?I would lean to building the cluster first, the add the SQL instances.
I have following script which i am planning to run to drop all non-clustered primary keys on a database and then created as clustered. I am using someone else's script so don't know how to modify this. Some of primary key columns are used in references in other tables.
is there anyway i can drop the existing primary keys and using their original script then create again as clustered including restoring all foreign and reference keys and unique or no unique.
DECLARE @table NVARCHAR(512), @tablename NVARCHAR(512), @sql NVARCHAR(MAX), @sql2 NVARCHAR(MAX), @sql3 NVARCHAR(MAX), @column NVARCHAR(MAX); DECLARE @indexname NVARCHAR(512); SELECT name As 'Table'
We are planning to change all IPs of PRODUCTION Failover Cluster Setup. In my cluster setup ... we have 2 Physical Nodes with windows-2008, Roles are MSDTC and SQL-2008R2.
IP change for:
1. Both Nodes(Physical) 2. MSDTC 3. SQL Server 4. windows ClusterÂ
So Almost... All IPs are going to change.
Im DBA here, I need to take care of SQL cluster and MSDTC. But I haven't performed this activity before.So I'm worrying about Impacts and consequences of this change. steps how should I perform this activity.