Domain User Belonging To Multiple Windows Group
Jul 19, 2007
If I have a domain user DOMAINuser1 who belongs to multiple window groups say DOMAINLookupConfigUsers and DOMAINAuditConfigUsers. In sqlserver, I would create two logins - DOMAINLookupConfigUsers and DOMAINAuditConfigUsers and matching users in the database. Then I grant LookupConfig role to the LookupConfigUsers user and AuditConfig role to the AuditConfigUsers user in the database. When DOMAINuser1 logs in, will it have both roles? I try to set this up but it does not seem to work. The domain user only picks up one of the role. Am I on the right track? If not, what is the proper way to grant multiple roles to a user when it belongs to multiple groups and each group has different privileges in the database.
View 4 Replies
ADVERTISEMENT
Apr 5, 2007
I have a root domain and child domain.
After using ADMT to migrate the domain user or group into the root domain, when I use enterprise manager to try and change the permissions allocated to that domain user/group, i get the 'Error 15401 NT user or Group not found'.
This is a correct error as the user is now in the root domain, however sql (in sysxlogins) still thinks its in the child domain.
Is there a simpler way, other than collecting the users permissions, deleting the user from SQL then adding back in with the correct domainusername format, then adding the permissions back?
I tried renaming the 'name' in sysxlogins (not recommended) and while that worked, whenever I tried to add the migrated user to another database, the login name was missing and would not resolve.
I believe it is something to do with the SID not matching.
Any ideas on how to fix this ?
View 1 Replies
View Related
May 20, 2014
I have been struggling with this one for awhile now.I have a domain group which only must view the steps and history of all agent jobs.I have added the group to the sqlagentreadergroup.I have created a new role and denied this role,add job,update job,delete job etc execute permissions.But the user still can change ,delete or create a new job.
All the groups and users in th new role,does not have sysadmin rights.
we have sql 2012 enterprise version
What else can i try.I need this for audit purposes.
View 7 Replies
View Related
Sep 16, 2007
Hi!
I have a SQL 2000 database that has several tables with the same name but with different users/logins.
Example:
Database "Customers"
Table Customer with user / login CompanyA
Table Customer with user / login CompanyB
Table Contact with user / login CompanyA
Table Contact with user / login CompanyB
I need to split these into two different database's
Database "CustomersA"
Table Customer with user / login CompanyA
Table Contact with user / login CompanyA
Database "CustomersB"
Table Customer with user / login CompanyB
Table Contact with user / login CompanyB
Any good idea how to do this?
Ingar
View 5 Replies
View Related
Jun 18, 2007
Hi
In our sql server we have around 40 windows group.
Say a Windows user = "X"
This X user does not have a direct windows login, he is present in one or more windows groups registered in the sql server.
I need to know throught which group he is logging in.
If I know this , this will help in my auditing process.
Thanks in advance.
Regards
Soorya
View 1 Replies
View Related
Jun 7, 2015
I am setting up security for access of database tables for members in a specific Windows User Group.I want to check in a SQL script if this Windows User group is added and if so, add database users and grant SELECT on specific tables.
I have tried this:
SELECT * FROM master.sys.syslogins WHERE name like '%FoeUsers' AND isntgroup = '1'
but that selects a SQL user or group and not a Windows Group.Is there a way to check if a Windows NT (active Directory) user group exists?
View 5 Replies
View Related
Feb 26, 2006
I have installed visual studio 2005 with sql express. My tutorial book asked me to do the following to be able to use sql.
sqlcmd -S mycomputernameSQLExpress -E
which worked and then I get
1>
where I am to put in
1> sp_grantlogin [mycomputernamemyusername]
2> go
after this i get the error.
Msg 15401, Level 11, State 1, Server mycomputernameSQLEXPRESS, Procedure sp_grantlogin, Line 49
Windows NT user or group 'mycomputernamemyusername' not found. Check the name again.
I used Local System for the user name as that is what I think I am seeing as the right user account.
Help?
View 4 Replies
View Related
Jul 10, 2006
== I asked this question directly to Remus and wanted to share the response to all of those people using this forum ==
We recently moved our database server from SQL Server 2000 to SQL Server 2005. All applications on our intranet development server stay the same [VS.NET 2003], but recently resources in our Dev DB server ran out of space. While doing a thorough investigation, I noticed ERRORLOG file was occupying about 35 Gig of HDD space. I immediately checked SQL Server error log and noticed an entry which says €“
===========================================================================================
Date 7/7/2006 4:45:37 PM
Log SQL Server (Current - 7/7/2006 4:45:00 PM)
Source spid77s
Message
The activated proc [dbo].[SqlQueryNotificationStoredProcedure-5eaf8465-d0cb-4be7-93b6-44bb979dd41c] running on queue BW_Content.dbo.SqlQueryNotificationService-5eaf8465-d0cb-4be7-93b6-44bb979dd41c output the following: 'Could not obtain information about Windows NT group/user 'BWCINCHoffK', error code 0x534.'
===========================================================================================
What is this SqlQueryNotificationService in my database? Is it a SQL Server 2005 thing? Why the same kind of stored procedure does not exist in other databases, but BW_Content? This error is getting repeated most probably every second and is filling up our server.
I believe our corporate IT people removed our domain accounts from BWCINC domain to BWCORP domain and probably some application which is using BWCINCHoffK credential is getting errored out. I tried to locate this application and was not successful.
Is there anyway that I can stop this ERRORLOG from growing? How can I delete these log entries so that I can make space on our Hard Drive? Is there an easy way in SQL Server 2005 to locate which application is creating this error?
Response from Remus:
The 'SqlQueryNotificationService-...' is the service created by SqlDependency when you call SqlDependency.Start (). The problem you describe appears because the 'dbo' user of the database is mapped to the login that originally created this database. The SqlDependency created queue has an EXECUTE AS OWNER clause, owner is 'dbo' and therefore this is equivalent to an EXECUTE AS USER = 'dbo'. The error you see is reported by the domain controller when asked to give information about the original account 'dbo' mapps to (that is, BWCINCHoffK'): Error code: (Win32) 0x534 (1332) - No mapping between account names and security IDs was done.
To solve the issue, change 'dbo' to match a correct login, using either sp_changedbowner or ALTER AUTHORIZATION ON DATABASE::[dbname] TO [somavalidlogin]
To find the databases that have this problem, run this query:
select name, suser_sname(owner_sid) from sys.databases
The databses that have the problem will show NULL on the second column.
A similar problem is described here: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=65711&SiteID=1
To remove the entries, use sp_cycle_errorlog to force a new errorlog file, then delete the huge log file.
---------------------------------------
I executed ALTER AUTHORIZATION ON DATABASE::[BW_Content] TO [sa];
I got this error in SQL Error Log once and the growth of ERRORLOG was stopped.
===============================================================
Date 7/10/2006 1:16:55 PM
Log SQL Server (Current - 7/10/2006 1:17:00 PM)
Source spid20s
Message
The query notification dialog on conversation handle '{6BDE95F7-0EFB-DA11-9064-000C2921B41B}.' closed due to the following error: '<?xml version="1.0"?><Error xmlns="http://schemas.microsoft.com/SQL/ServiceBroker/Error"><Code>-8490</Code><Description>Cannot find the remote service 'SqlQueryNotificationService-c15bb868-ed56-47d2-bf91-ce18b320989a' because it does not exist.</Description></Error>'.
===============================================================
Should I be concerned about this error?
Thanks
-Binoy
View 20 Replies
View Related
Sep 28, 2007
Hi,
We have the followoing:
-A "master domain" AD, a "sub domain" AD, a trust relationship between the two (sub trust master)
-A sql server 2005 on a win server 2003 in "sub domain" AD
-A linked server to "sub domain" AD
-A linked server login using a "sub domain" admin acccount
-A view to this linked server
-A grant on masterDomain/Domain Users to the database
-A grant on subDomain/Domain Users to the database
-We want all connections done through "Windows Authentication" not "Database Authentication".
Queries on the view work fine using "sub domain" user accounts.
Queries on the view fail using "master domain" user accounts (including master domain admin accounts)
"Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation."
All connections are done through "Windows Authentication" not "Database Authentication".
Can we establish cross domain connectivity with "Windows Authentication" ?
Below are details of the implementation:
SELECT TOP (100) PERCENT *
FROM OPENQUERY(ADSI,
'SELECT displayname, givenName, sn, cn (etc...)
FROM ''LDAP://OU=PEOPLE,DC=subDomain,DC=com''
WHERE objectCategory = ''Person'' AND objectClass = ''user'' ')
EXEC sp_addlinkedsrvlogin @rmtsrvname ='ADSI', @useself='false',
@rmtuser='subDomainAdminAccnt', @rmtpassword='sunDomainAdminAccntPassword';
In SQL Server Mngt Studio in Server Objects/Linked Servers/Providers/ ADSI properties security tab I have:
"connections will: <be made using this security context> Remote login:'subDomainAdminAccnt' With password: 'subDomainAdminAccntPassword'
Error:
Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation.
Msg 7320, Level 16, State 2, Line 1
Cannot execute the query "SELECT displayname, givenName, sn, cn
FROM 'LDAP://OU=PEOPLE,DC=subDomain,DC=com'
WHERE
objectCategory = 'Person'
AND objectClass = 'user'
" against OLE DB provider "ADsDSOObject" for linked server "ADSI".
View 7 Replies
View Related
Jan 5, 2008
I have one domoain in the forest. The domain level is set to Windows 2000 native mode and forest level is set to mixed mode. My SQL server 2005 server joined to this domain. I added a brand new domain local group and add a normal user account to this domain local group. I login to the SQL server 2005 server and make a query "SELECT * FROM sys.login_token". I cannot see my domain local group in sys.login_token. However, if I add my account to a global group, I can see it there.
Then, I setup another forest. This time, I have domain level set to Windows 2003 mode and forest level is set to Windows 2003 native mode. I do the same testing. This time, I can see my domain local group in sys.login_token.
Why does SQL server 2005 has this limitation? Is it a bug?
View 1 Replies
View Related
Sep 26, 2006
I'm trying to run a test from my test environment which is a non-domain Windows 2000 server to access my domain 2003 with SQL2005. I have install 2005 tools to try to access the SQL server.
- I have try following the KB265808 - no success.
- Reading alot of blogs and it seems all are pointing to the same problem. "Remote access" but the settign is enabled.Error Message:
TITLE: Connect to Server
------------------------------
Cannot connect to ardsqldatawh.
------------------------------
ADDITIONAL INFORMATION:
An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (Microsoft SQL Server, Error: 53)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&EvtSrc=MSSQLServer&EvtID=53&LinkId=20476
Question: Could Windows 2003 security be blocking access? I'm using sa account to access.
Also, sa account does not seems to work for remote access. It is ok when accessing locally.
Any help would be appreciated.
949jc
View 1 Replies
View Related
Sep 25, 2003
I have a user in SQL Server with a NT login of Mike
I changed his NT account to Mikel in User Manager
Now when I try to add Mikel, Im getting error 15401.
Do I need to delete NT login in SQL Server 'Mike' account first ?..before adding 'Mikel' ?
Can I go into the Master database and just change Mike login to Mikel ?
Thank you
View 3 Replies
View Related
Jul 16, 2007
Hi,
I have a client running in a Domain A and a SQL server running in Domain B using Windows security. We don't want to put SQL Server in the mixed authentication mode.
I created a local group on de SQL server. Gave the group correct rights.
Added users from Domain A to that group. Although he prompted me for username password from Domain A it did work.
There is currently no trust between those domains. What kind of a trust should it be ? I believe that a one way trust where B trusts A should be enough.
Any suggestions.
CE
View 1 Replies
View Related
Jan 29, 2007
Hi:
I am trying to figure out if there is a way to connect via SQL Server Management Studio to a server sitting on a separate domain. So here is the situation. there is Server B which sits in a domain called DomainB. If I am in DomainA, I could typically remote into that server utilizing an IP address in DomainB, and even transfer files to that server. But how do I connect via SQL Server Management Studio(basically login as a different domain user) to Server B in DomainB from DomainA. Basically when I choose Windows Authentication from the dropdown list in SQL Server Management Studio, it grays out the username field, which is where I could type something like this domainBusernameondomainB, similar to how you would connect to a share on that server. Please let me know if there is a possibly solution to this. Also, our customer doesnot allow SQL Server Auth/Logins, so that is not an option. Thanks.
View 24 Replies
View Related
May 30, 2007
We're building out a new SQL cluster and I'm working with our AD team to develop a secure environment using Windows Authentication only. I have created three "Global AD Groups" SQL Admins, SQL Read Only, SQL Service Accounts". The AD guys receive a request to add users to the groups and the DBA's grand SQL rolls to the accounts which map through the groups. So, in SQL security the 3 groups exist with the Admin group being assigned to the SA SQL roll. The DBA's have their AD domain accounts added as members to the SQL Admins group and that group is added to SQL as with the "SA roll".
The real question :-)
We use service accounts s-application to connect our application boxes to their respective SQL databases. If the service Global Group exists in SQL Logins, and the AD account is a member of the Group how would the DBA's grant "database rolls" to the AD accounts in the group? Wouldn't they just issue GRANT statements? I've detailed our setup better bellow.
SQL Admins Container
- SQL Admins
- AD Account
SQL SERVER
- SQL Admins Container (Granted SQL server SA Roll)
Database
- AD account (Granted DBO rights)
View 1 Replies
View Related
Dec 17, 2007
Hello ppl
We have a Windows server that has 64-bit SQL installed on it. It is placed in 'abc' domain right now.
Now I have to get that changed to 'xyz' domain. I know that Windows people can take care of this, but my question is do we have to worry about the SQL Server that's already installed on that server? Will it have any affect on that?
Thanks
Satya
View 2 Replies
View Related
Apr 28, 2008
We have a SQL 2005 box that requires windows authentication but I have to connect a laptop that is not part of the domain. Is there any way to do this? Per company policy, the SQL server cannot be changed to use SQL Auth AND Windows Auth. Also per policy, the user's laptop cannot be joined to the domain since it's not a company laptop.
I've tried using the following command:
net use \SQLServerNameipc$ /user:DomainNameDomainAccount Password
and then using enterprise manager to register the sql server but it still says that the computer is not trusted.
Is there something else to this that I am missing or is this just not possible?
Thanks in advance for the help.
View 2 Replies
View Related
Nov 8, 2006
Hi
We are planning implementation of a currently Sybase db. The users (about 3600) will be i 5 domains and we want single sign-on through trusted connections. We want to use the database roles to define different user access on databases and tables. There will be around 2000 roles. We also want to add the users directly to the database roles without having to grant each user database access.
So I thought that I could add the user groups from all domains and then add each domain user account to specified database roles. Am I right here or what? The Windows authentication will lookup or check the users kerberos ticket during logon process and allow logon.
The documentation here is weak and I assume it's a windows authentication question but wondered if any of you guys had been down the same road.
For creating the groups I have the following options:
Create a domain group and put all the usergroups from the other domains in this group
Add user groups from all other domains directly into the SQL Server.
Any recommendations here?
View 3 Replies
View Related
Dec 17, 2007
Hi
We have a Windows server that has 64-bit SQL installed on it. It is placed in 'abc' domain right now.
Now I have to get that changed to 'xyz' domain. I know that Windows team can take care of this, but my question is do we have to worry about the SQL Server that's already installed on that server? Will it have any affect on that?
Thanks
Satya
View 1 Replies
View Related
Apr 4, 2007
I have a problem and I dont have an idea to solve it. I work with SQL Server and my students on Faculty of Information Technology.
I have create SQL Server login for domain group of users (about 60 od them). That mean I have SQL Server login like this DomainUsers
To whole group of users I had grant server role (dbcreator). I dont wish to import 60 login one by one and gice that permision.
Ok, student can create database without any problems
But, when they try to create database diagram (expanding database diagram node). They get a message that database need to have a valid owner (Hmm..ok its not a big deal to do it)
Quick check to some of database (Right click-->properties-->General-->Owner (ther is a DomainUserName (not name of group)..and that is ok
(Right click-->properties-->Files-->TextBox Owner. I try to enter same DomainUserName from step 5. But I get this message
TITLE: Microsoft SQL Server Management Studio
------------------------------
Set owner failed for Database '1110_EvidencijaKnjiga'. (Microsoft.SqlServer.Smo)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=9.00.3042.00&EvtSrc=Microsoft.SqlServer.Management.Smo.ExceptionTemplates.FailedOperationExceptionText&EvtID=Set+owner+Database&LinkId=20476
------------------------------
ADDITIONAL INFORMATION:
An exception occurred in SMO. (Microsoft.SqlServer.Smo)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=9.00.3042.00&LinkId=20476
------------------------------
The login 'DomeinUserName' does not exist on this server.
------------------------------
BUTTONS:
OK
------------------------------
This is wired. Ok I know that that user is not login but group is. Step 5 show that user, but step 6 have empty owner options and dose not allowe me to enter same user.
How to fix this?
Thank you
View 3 Replies
View Related
Sep 17, 2007
Greetings,
I am trying to configure Reporting Services to allow a domain group access to reports. I am able to configure the domain and group (mydomaingrpname) in both Report Manager and BIDS. I'm sure I entered the correct name because I purposely misspelled it and received an error. I think this tells me it is finding the group correctly.
However, when my test user goes to Report Manager, there are no folders displayed. I checked and he is in the domain group I am using. If I explicitly add him (mydomainandy) to the folders, he can see them and execute the reports.
After searching the forums and other websites, I have checked IIS is using Windows Integrated Security and not anonymous access.
Any ideas?
Rob
View 7 Replies
View Related
Feb 28, 2008
Hi,
I have some problem about adding domain group to reporting service.
At first, I create my report folder on report manager. Then I edit item security to this folder. I click "New Role Assignment".
Then I enter "domainmydomaingroup" to "Group or user name" textbox, and check "Browser" role. Click Ok.
But there is error occurs,
The user or group name "domainmydomaingroup" is not recognized. (rsUnknownUserName)
But if I enter directly to domain user such as "domainuser1", that is Ok.
How can I do to solve this problem?
Thank you very much.
View 1 Replies
View Related
Oct 24, 2007
Hi am
i am facing problem adding a domain group to the reporting services.
while setting the security of a report, i am getting the rsUnknownUserName error while adding a domain group.
the group is valid and it does exists. i tried creating a windows group on the machine running reporting services and tried adding the domain group and it accepted. but the reporting services is not accepting.
can somebody tell me whats the problem with this.
i am able to add other domain group belonging to the same domain and the SSRS accepts but not this particular domain group which is like any other domain group.
View 3 Replies
View Related
May 22, 2008
Hi everyone, We currently have a server running SQL server 2000 and 2005 instances on our domain. The servers are used for a couple of different applications. Our network manager is implementing a domain change in the next few months, but isn't familiar with SQL servers. I was wondering if anyone knew about any possible issues with changing the domain the database server machine is connected to. The computer name won't change, and neither will the server instances. Many thanks in advance for any ideas / help on this
View 6 Replies
View Related
Jul 23, 2005
Hi,I have a peculiar problem (or maybe not). I have SQL clients installedon XP boxes. These XP boxes are a member of let us say "XYZ" domain.SQL Server is installed on one of the boxes having Windows 2000 Serverin the same network. The installation has been done on local domainaccount. Since SQl Server has been installed with Windowsauthentication, what happens if the XYZ domain fails. Will it bepossible for all clients to access the database present on SQL Serverin the Win 2K box. I think I have made myself clear upto some extent.Please throw light on how to accomplish the connectivity between SQLclients and server in case of domain failure.Regards,Vinodi
View 2 Replies
View Related
Jul 20, 2005
Hi,I'm planning to develop a small intranet to provide our organizationwith documents online. I've decided to do this using jsp/servletsusing a tomcat server. For an operating system, I have chosen red hatlinux. However, I'd like to keep a small database on a sql server asa datasource. However, this sql server is already part of ourorganization's windows domain. I suspect I'll need to configure sambaso that other terminals on the windows domain will be able to reachthe intranet. What's the best manner in which to connect my linuxservlets to this sql server database? I suspect this may bedifficult, considering the sql server exists within a windows domain,but as a beginner, what do I know. Perhaps someone could point me inthe right direction.
View 4 Replies
View Related
Feb 24, 2007
If my SQL Server authentication is windows integrated authentication, whenever my application makes a connection to SQL server does it contact the windows active directory domain controller to authenticate the windows user account? How does windows integrated authentication work in the background?
View 9 Replies
View Related
Oct 23, 2007
I am trying to connect as follows:
Server: Windows 2003, SQL 2005, on a domain
Client: Windows 2008 Beta, not on any domain
I created an account with the same user name as the domain user on the client machine. And then I logged in as that user and went to Manage Network Password. I entered the correct domain credentials. Verified that this worked for file shares. However, SQL does not appear to be recognizing this and it tells me:
Login failed for user ''. The user is not associated with a trusted SQL Server connection.
I have verified that this domain account is working properly with SQL when the client is also on the domain.
How can I get this Windows authentication scenario to work where the client is not on the domain and the SQL server is on the domain?
View 5 Replies
View Related
Feb 13, 2007
Hi There
I have service broker working 100% with an initiator - forwarder - target, all in the same domain using windows authentication on the endpoints, for all instances' the sql server service run under the same domain account, which in turn is granted connect on the various endpoints. This all works 100%
However i have a scenario where the initiator will be in a different trusted domain.
I need to know if i am correct in thinking that the initiator sql server servcie account can run under DomainAsqlservice, the target instance sql server servcie can run under DomainBsqlservice, then on the forwarder i simply grant connect on the forwarder endpoint to both DomainAsqlservice and DomainBsqlservice.
Is this correct, will this work?
Thanx
View 6 Replies
View Related
Nov 16, 2006
Greetings,
One of my users gets the following error when he tries to connect to my SQL Server 2000 database using windows authentication via Query Analyzer:
[Micorsoft][ODBC SQL Server Driver][SQL Server] Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection.
Me and the server are located in Colorado and are on the NADomain. User is in London on the EURDomain. The EURDomain has a one way trust to the NADomain to use NADomain resources. I have granted access to the database to the user via Enterpise Manager as EURDomainuserid. All the literature I've read says this should be sufficient to connect but isn't. User can connect with SQL Server authentication. Users on the NADomain in Toronto can connect just fine with Windows Authentication. EURDomain user can access other file server resources in the same building as the SQL Server in Colorado.
SQL Server version is:
Microsoft SQL Server 2000 - 8.00.818 (Intel X86) Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
EURDomain Client ODBC version is 2000.85.1022.00 and MDAC is 2.8.
Any help is greatly appreciated.
View 5 Replies
View Related
May 17, 2007
I am currently runinng Sql Server 2000 on a Windows 2003 domain controller. I cannot access my local sql server using windows authentication. All i receive is a cannot generate SSPI context error. I understand this is probably related to a security policy issue on the domain controller. Also Sqlserveragent service will not remain running and shutdowns immediately after it is started. This also produces an SSPI context error in the error log. If anyone can help with my configuartion of windows server 2003 such that sql server will recognize a valid sysadmin role for my domain admin account it would be greatly appreciated.
View 1 Replies
View Related
May 21, 2007
The title says it all. Given that I have created a login for a domain group, and a database user for that login. What I want to do is retrieving the domain username for the active user. USER_NAME retrieves the database username, suser_name returns (of course) NULL as this is not a sql user.
The goal is to use domain group logins, while still allowing for logging what user performed which action.
View 1 Replies
View Related
Dec 27, 2006
This question is regarding a brand new out-of-the-box SQL Server 2005 Workgroup Edition install. The old SQL Server 2000 server is working properly with regard to the issue we're having:
We are using Windows Authentication, and have created SQL logins for about
40 different groups on our domain. We've given those logins the appropriate
permissions on the databases they're supposed to be able to access.
The SQL Server is not a domain controller, but is a member of the domain, and domain logins do work for Windows-login purposes on this box.
The problem is that when users try to connect to the SQL server, they are denied access. An error 18456 is thrown, and logged in the Application event log
stating "Login failed for user OURDOMAIN heuser" (example values). The
domain user is properly a member of group added as a login to SQL Server, and we've
confirmed that there are not conflicting permissions that would deny those
users access via another route. These same groups are working fine on the SQL Server 2000 box.
This is only a problem for domain-based groups. If we create a local group
on the SQL server machine, through Computer Management -> Local Users and
Groups, then make the same domain users a member of THAT group, and finally then
follow the same process to add that local group to SQL Server Logins and set
the database privileges, it works!!
Our group memberships change frequently, and are used for a lot more than
just SQL server permissions. So, using local groups and maintaining
membership in both places is not really feasible. Any ideas why a local
machine group containing domain user accounts would work fine, but a domain
group containing the same accounts would not?
Thanks in advance.
View 20 Replies
View Related