Dynamic Script To Add Domain Login Accounts 2000/2005
Jan 18, 2008
I'm attempting to write a script that I can execute across 30 servers that will create a domain login and subsequently grant access to said account on all databases per server. The only problem that I'm running into is trying to dynamically create the login. Example source is below.
declare @sql varchar(1000)
declare @loginname varchar(50)
select @loginname = 'DOMAINaccountname'
set @sql = 'if not exists (select * from master.dbo.syslogins where name = N' + char(39) + 'DOMAINaccountname' + char(39) + ')' + char(10) + char(13)
set @sql = @sql + 'begin ' + char(10) + char(13)
set @sql = @sql + char(9) + 'exec master.dbo.sp_grantlogin ' + quotename(@loginname)
print @sql
exec (@sql)
Here is the generated output and the error. Any suggestions would be appreciated.
if not exists (select * from master.dbo.syslogins where name = N'DOMAINaccountname')
begin
exec master.dbo.sp_grantlogin [DOMAINaccountname]
Msg 102, Level 15, State 1, Line 3
Incorrect syntax near 'DOMAINaccountname'.
Aug 12, 2015
I cannot get a consistent answer as to how many domain accounts would be suggested in a SQL Server 2014 installation. Previously the recommendation was a separate account for each service to provide isolation and minimum permissions for each account. It seems from what I've read that a single domain account would have something added to make it unique from SQL Server's perspective. Several still advocate multiple accounts. I don't know if they are doing so because that's the way it's always been done or if there is still some compelling reason to do so. I don't want to create unnecessary accounts simply because something is "ideal."
Jul 12, 2006
Hi There
Currently we run a certain instance, agent under local system on a server.
I want to create specific domain accounts for the SQL Server service and agent. Now I know that one should create these accounts with the least privilege for security reasons.
I cannot find the topic in BOL. Can someone please give me the BOL topic or a link to exactly what the least privilege is for the domain accounts for SQL Server services?
Thanx
Apr 5, 2007
I have a root domain and child domain.
After using ADMT to migrate the domain user or group into the root domain, when I use Enterprise Manager to try and change the permissions allocated to that domain user/group, I get the 'Error 15401 NT user or Group not found'.
This is a correct error as the user is now in the root domain, however SQL (in sysxlogins) still thinks it's in the child domain.
Is there a simpler way, other than collecting the user's permissions, deleting the user from SQL then adding back in with the correct domain\username format, then adding the permissions back?
I tried renaming the 'name' in sysxlogins (not recommended) and while that worked, whenever I tried to add the migrated user to another database, the login name was missing and would not resolve.
I believe it is something to do with the SID not matching.
Any ideas on how to fix this ?
Dec 19, 2006
Hello,
I'm having a problem using Windows Accounts to login to a SQL 2005 Server.
Here is my setup. The SQL server and web server are separate machines. I'm also not developing directly on the web server.
SQL Server
- Windows 2003 Server
- SQL 2005
- Set to use SQL and Windows Authentication
Web Server
- Windows 2003 Server
- IIS 6.0
  - Anonymous Authentication is disabled
  - Integrated Windows Authentication is enabled
Application web.config:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <appSettings>
    <add key="ETR_Environment" value="Dev"/>
  </appSettings>
  <connectionStrings>
    <add connectionString="Data Source=sql-dev-server, 1179;Initial Catalog=ENV_ETR;Integrated Security=SSPI;" name="ETR_Dev"/>
    <add connectionString="" name="ETR_Prod"/>
  </connectionStrings>
  <system.web>
    <compilation debug="true" strict="false" explicit="true"/>
    <pages>
      <namespaces>
        <clear/>
        <add namespace="System"/>
        <add namespace="System.Collections"/>
        <add namespace="System.Collections.Specialized"/>
        <add namespace="System.Configuration"/>
        <add namespace="System.Text"/>
        <add namespace="System.Text.RegularExpressions"/>
        <add namespace="System.Web"/>
        <add namespace="System.Web.Caching"/>
        <add namespace="System.Web.SessionState"/>
        <add namespace="System.Web.Security"/>
        <add namespace="System.Web.Profile"/>
        <add namespace="System.Web.UI"/>
        <add namespace="System.Web.UI.WebControls"/>
        <add namespace="System.Web.UI.WebControls.WebParts"/>
        <add namespace="System.Web.UI.HtmlControls"/>
      </namespaces>
    </pages>
    <authentication mode="Windows"></authentication>
    <customErrors mode="Off"></customErrors>
    <authorization>
      <allow users="XXXWilliam.Klein"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
The reason why I want to use the Windows login to connect to the database is the application needs to keep track of who did what when entering and updating data but still keep them using their Windows login accounts. So using a generic account will not work.
What keeps happening is I keep getting this error when trying to connect to the database: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. I've tried this on two web servers; on another I get something slightly different: Login failed for user 'XXX\Web-Server$'.
Anybody able to give me any suggestions on how to fix this?
Jul 26, 2006
We are in the midst of a SQL project that also includes tightening the locking down of our SQL Servers. We generally remove certain accounts from security such as Built-in\Administrators. On SQL 2000, this is pretty straightforward. However SQL 2005 adds a few new accounts that we must take into account.
Once we load SQL 2005, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SYSTEM, <servername>\SQLServer2005MSFTEUSER$<servername>$<instancename> now appear, although they are not in any obvious server roles and do not have access to any databases. I also noticed these accounts are denied permissions to connect to the database engine although the login is enabled.
In addition, there are a number of local Windows groups that were added. There are additional groups added for the purpose of taking advantage of certain SQL features (full text, integration service, etc).
The question is what is the harm in removing these accounts from SQL? From Windows? Although we are not using these services now, I installed them when I set up the server. Will removing these services also remove these accounts?
Thanks
Akinja Richards
Jun 8, 2007
I have 4 new SQL Server 2005 installations on Windows 2003 that I configured at our main office and shipped to a hosting center. All four servers are members of our domain. I set up test databases with replication on one of the servers and facilitated this with a domain account.
Now that I've moved the servers to the hosting center (which has a DC), I'm not having any luck adding domain accounts to the permissions section on any of the SQL Server boxes.
When I try to add a domain account in the SQL Server's permissions window I get "Name Not Found". By every indication the server is connected to the domain. I can log on using my domain account; I can create shares specifying domain accounts but I can't seem to add domain accounts to the SQL Server permissions. When I look in the permissions tab I still see the original domain account, which I had added back in the main office, stranded by itself in the list of users. We're using mixed authentication by the way.
Why doesn't SQL Server recognize the domain? Where does it get its list of users? Does the account I'm logging in with just not have the permission to add domain accounts? These dialogs are slightly different from the normal 'add a user' dialog boxes.
I feel like this must be a simple oversight. Any help would be appreciated. I'd prefer to move away from local accounts to keep things simple.
May 30, 2007
We're getting an error where we can't add a login with the full DNS name of a user - domain.xyz\user, for example. We get an error 15401, "Windows NT user or group 'domain.xyz\user' not found". The domain has different NetBIOS and DNS domain names, so we can add the user when we use the form "netbiosname\user". So far so good.
Unfortunately, we have another application - Office Share Point Server - whose shared services provider won't run, giving errors in the event log every 60 seconds that "Windows NT user or group 'domain.xyz\user' not found".
It looks as if SQL insists upon listing users in the form netbiosdomainname\user, and applications that look for domain.xyz\user simply fail to authenticate.
Suggestions?
jnfranc at yahoo period com
Jul 23, 2014
Installed SQL Server 2012 Enterprise. Runs with the built-in account fine.
I tried entering a domain account to run as the service account from SQL configuration; it fails with the error "the specified network password is not correct".
I tried from services.msc and entered it successfully, but when I try to restart it fails, saying that the login credentials are wrong.
The domain account and password I entered are just fine. What should I do, or what am I missing?
Apr 16, 2008
Hello all,
I have 2 networked PCs, both running Vista Ultimate.
1st is Laptop and is running its own SQL Server at laptop\laptopSQL
2nd is Desktop and is running its own SQL Server at desktop\desktopSQL
Now both machines have separate Windows login accounts.
When I go to SQL Server Management Studio I go to browse and each machine can see the other machine's SQL Server, but when I go to log in I get SQL Login failed for users "The user is not associated with a trusted SQL server connection".
So I then go to Logins, New Login and try to add my other PC's user account.
The problem I see is that when I go to search and then location it only shows its own PC's location and not the location of my other networked PC. So if I am on Desktop and in my theory want to add laptop\user to the desktop SQL Server logins I get:
"create failed for login laptop\user
An exception occurred while executing Transact SQL statement laptop\user is not a valid windows NT name. give the complete name"
Not sure where to go from here.
Any help would be great
May 21, 2015
My company doesn't allow using Local Service / Network Service accounts for SQL Server. So I created domain service accounts. Can multiple SQL Server installations use the same domain service accounts?
Mar 2, 2006
Currently running a SQL 2000 server in a 2000 domain and want to migrate it to a new 2003 domain of the same name.
How do I go about it and are there any problems with this plan?
Sep 15, 2000
When creating a login account, it is associated with a default database.
Is it then necessary to grantdbaccess to the default database?
Jun 12, 2007
I have a SQL2005 in a cluster environment. For some reason the only way that user accounts can log in to either the database or SSMS is to grant them the SysAdmin role. This access is a little too high for my liking and I am wondering if anyone else has come across this before.
Thank you
Dec 21, 2000
Is it possible to rename a SQL Login or User account?
Aug 12, 2015
We are seeing login failures for windows accounts. Below is the error message.
Description: In our env most logins are Windows accounts. Initially we thought it was a UAC issue and we tried to launch SSMS using "Run as Administrator". However, we are seeing login failures.
Environment:
Microsoft SQL Server 2014 - 12.0.2402.0 (X64)
RTM Enterprise Edition (HyperVisor)
Error Message in Error Log :
2015-08-10 22:36:45.290 Logon Error: 18456, Severity: 14, State: 11.
2015-08-10 22:36:45.290 Logon Login failed for user 'domainloginname'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 10.xxx.xxx.xxx]
2015-08-10 22:41:23.470 Logon Error: 18456, Severity: 14, State: 11.
2015-08-10 22:41:23.470 Logon Login failed for user 'domainloginname'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 10.xxx.xxx.xxx]
Troubleshooting done:
- Recreated the Windows login in SQL Server. Doesn't work.
- Ran sp_validatelogins. It doesn't return any rows.
- I belong to the sysadmin role and when I run the following, I get the below error message.
xp_logininfo 'domainloginname'
/*
Msg 15404, Level 16, State 19, Procedure xp_logininfo, Line 64
Could not obtain information about Windows NT group/user 'domainloginname', error code 0x5.
*/
We tried dropping this account and re-creating the Windows account with the same permissions but still the result is the same. It throws the same error message. Login failure message !!!
Feb 29, 2008
Hi Folks
SQL2k on NT4 Domain
I have a UserDB on SvrA - access to UserDB is via a DomainGroup and is assigned db_owner role.
UserDB executes a local SP which in turn executes a remote SP on SvrB via a Linked Server.
The Linked Server login security is via mapping to a remote account which has db_owner on the remote DB.
I would like to:
a) stop ALL users on SvrA from being able to use this linked server
b) tightly restrict permissions of the remote account to the remote db
Is it possible to MAP the above local server login to a remote server login, as the local login is via a domain group? I cannot significantly alter UserDB's current login security.
I'm also worried that another system/db is utilizing this Link (legally) but I'm not allowed on the production box to monitor it (Hhrummphh - but unfortunately I have the job of providing scripts to tighten security :rolleyes:) - hence the preference for mapping local to remote users.
I'm sorry I'm not well versed in SQL Security & this is only a central part of my bigger security job (involving horrible RPC's, dynamic SQL, heterogeneous joins, double hops, delegation etc).
Any help appreciated
GW
Dec 20, 2000
I have just started using SQL Server 7 and am having problems with accounts: permissions, users, roles, groups, owners etc. What are the differences?
May 24, 2015
I am just wondering if I can control the access to a range of variables from users' logins.
To be more specific, if a parameter alpha has five values (1,2,3,4,5) and then I have 3 users A, B, C, what I need is:
1. A can access Values (1, 3)
2. B can access Values (2, 4)
3. C can access Values (3, 5)
Is there any way I can do this, either from the stored procedure I am getting the data from or on the SSIS development side?
Sep 6, 2007
Good day,
Does anyone know how to move / copy database users from SQL Server 2000 to SQL Server 2005? I have been successful with everything except this in my migration. I can copy the database users themselves but not the users under the security section.
Please help
Mar 29, 2007
Hi all,
I'm having a problem restoring a backup from 2000 to 2005. The actual restore process went ok. However, the database user of the restored database is missing a Login Name. I've made sure that the Login Name is created in 2005. Also tried deleting the user, but couldn't; the user is db owner. Is there any way that I can assign a Login Name for this database user or maybe drop this user and assign another one?
Regards,
Gerd
Jul 20, 2005
I'm doing some testing with security and ran into the following problem. I want to log into the SQL server (from Query Analyzer) using my domain account. To allow this, I went into the Logins section in Enterprise Manager and added my user account as a Windows User.
If I set Analyzer to use Windows authentication I am able to log in with no problems. But if it is set to SQL Server authentication and I type in my username (in the format domain\username or username@domain) and password I get a login error.
Is there a way to log in to SQL using a domain account without using Windows authentication?
Thanks,
Jason
Jul 23, 2015
Do we still need the below service accounts in SQL 2008+ version even if we have proper SQL service accounts added in the logins?
[NT AUTHORITY\SYSTEM]
[NT Service\MSSQLSERVER]
[NT SERVICE\ReportServer]
[NT SERVICE\SQLSERVERAGENT]
[NT SERVICE\SQLWriter]
[NT SERVICE\Winmgmt]
Jun 16, 2008
I'm developing an ASP.NET website. Recently we were required to move the database from localhost to another server. I'm able to connect to the other server database from SQL 2005 Management Studio with Windows authentication. However when I try to do it in ASP.NET it says error: login failed for domain/server$. I have declared the connection string in the web.config file.
Jun 9, 2000
I have a server that belongs to domain 'a'. The server is neither a PDC nor a BDC.
This server has SQL Server 7 installed. I wanted security set up so the
Domain Administrator could select/update rows in the database and administer
the database as well as the local administrator of the SQL Server. From a
workstation the domain administrator can create tables but cannot insert rows.
From the server in question the domain administrator can create tables and
insert rows. Why does it make a difference what box the domain administrator logs on to?
Sep 5, 2007
Hi All,
I would like to rename a login SAMPLE-ITean to NEWDOMAINean, but I get this message:
"The name change cannot be performed because the SID of the new name does not match the old SID of the principal."
the command is : alter login [SAMPLE-ITean] with name=[NEWDOMAINean]
server is sql2005 std (initial base)
What can I do? (There are a lot of dbs on this instance and there are a lot of instances where I have to change the domain of the user...) ... and there are a lot of users for whom I have to change it... :-(
thnx
Csaba
Sep 26, 2007
For some reason, the report server is trying to log in as <domainname>\<machine name> - it's supposed to be <domain>\<user name> or ASPNET or Network Service Authority - I have no clue why it is picking up the machine name. Any ideas and how to fix?
Mar 13, 2008
This is a two part question. We are currently using the ODBC method SQLConnect to connect to an existing DSN:
m_retcode = SQLConnect(
m_hDbc,
(SQLTCHAR*)datasource,
(SWORD)_tcslen(datasource),
(SQLTCHAR*)username,
(SWORD)_tcslen(username),
(SQLTCHAR*)password,
(SWORD)_tcslen(password) );
using a SQL user created for that purpose (and yes the password is encrypted elsewhere). I have had a request to be able to use a Windows domain account in the same setting; however, it does not appear that I can simply enter either "domain\username" or "username" (SQL Server and the login machine are in the same domain).
Is it possible to accomplish this with this function or should I use a different routine to obtain a connection? How would I accomplish this if I instead wanted to use integrated login?
The "client" is running Windows XP, 2000, 2003, or Vista (Business). The database server is running SQL 2000 or 2005 on Windows 2003 Server (or possibly Windows 2000 Server).
Hope this description is not too murky.
Cheers,
Lyman Hurd
Apr 4, 2003
Folks,
I have read the posts concerning login failures for the ASPNET user. I have a slightly different problem, as you can see from the title of this post.
My environment is a private domain that has two machines:
1) Windows 2000 server on which SQL Server is running. Let's call it FOO_SERVER.
2) Windows XP Professional on which I am running my IIS and .NET development environment. Let's call it FOO_WORK.
3) Let's call the domain, FOO_DOMAIN.
The user, ASPNET, is not a domain user, but a local user, so I do not know how to establish it as a valid login for SQL Server. But this is beside the point, anyway, as the error I am getting has nothing to do with the ASPNET user. It appears that a different username is being used to access SQL Server.
My connection string is:
"server=FOO_SERVER;database=pubs;Trusted_Connection=yes"
The error I receive is:
"Login failed for user FOO_DOMAIN\FOO_WORK$"
I am using the default settings in machine.config. Specifically <processModel> userName="machine" password="AutoGenerate" </processModel>
Thanks in advance for any suggestions.
-Joel
May 21, 2007
The title says it all. Given that I have created a login for a domain group, and a database user for that login. What I want to do is retrieving the domain username for the active user. USER_NAME retrieves the database username, suser_name returns (of course) NULL as this is not a sql user.
The goal is to use domain group logins, while still allowing for logging what user performed which action.
Jul 23, 2005
I'm trying to create a login in the default domain. I know I can pull this information from xp_loginconfig, but don't see how I can use it in the context of sp_grantlogin.
For example, pull the domain the user is currently logged in on and insert it into the sp_grantlogin script. Has anyone ever done this in the past?
Nov 2, 2015
I have setup a SQL 2014 server with mixed authentication. Below is sequence.
1. Created a server. Added the server to a domain & logged out.
2. RDP to the server using a local account. Installed SQL 2014. Kept the services to run using default NT Authority accounts during initial setup. SQL was installed in mixed mode (SQL & Windows authentication). A specific 'sa' pwd was set.
3. After initial setup, I changed all SQL services' logon accounts to be the respective domain accounts. Made sure all services restarted and were up & running.
Now, for the same 'sa' SQL login account -
--> if I RDP to the server using the local system admin & connect to SQL studio with 'sa' (SQL authentication) - it works.
but --> if I RDP to the server using my domain account (which is already an admin on SQL & Windows), but connect SQL studio with the same 'sa' (SQL authentication) - it fails & gives - unable to login 'sa'... ; standard error code: 18456.
Question: How can the same 'sa' login act differently based on the user context with which I RDP to the server?
May 20, 2008
In an attempt to improve security for our web server/db server setup, we have a SQL Server 2005 server set for Windows authentication only and a web server (both behind a firewall together on a single local domain).
The web server is using IIS7, and the default NetworkService account to run the ASP.NET processes.
I've given the NT AUTHORITY\NETWORK SERVICE account access to the database in question.
The SQL authentication fails, but the account failing is NOT the NetworkService account, but the <DOMAIN>\<COMPUTER>$ account.
Note that if I use identity impersonation with a specific domain account, I can get the app to work. However, I do NOT want to use impersonation, I want the default NetworkService account to work.
Does anyone know why IIS, which is supposed to be using NetworkService, is instead using the <DOMAIN>\<COMPUTER>$ account to connect to SQL, which is then failing?
JK