Re: Security Model Problems
From: Brian Cidern (bcidern@gillespie.com)
Date: 11/01/02
- Next message: Brian Cidern: "sql behind firewall"
- Previous message: scott: "Linked Server Access Problems"
- In reply to: Steve Thompson: "Re: Security Model Problems"
- Next in thread: Richard Waymire [MS]: "Re: Security Model Problems"
- Reply: Richard Waymire [MS]: "Re: Security Model Problems"
- Reply: Steve Thompson: "Re: Security Model Problems"
From: "Brian Cidern" <bcidern@gillespie.com> Date: Fri, 1 Nov 2002 14:18:15 -0800
Steve,
Thanks for the information. However, I'm not completely
sure if that will work. We're a Win2K AD domain. And if I
recall correctly, it's not possible to create Local Server
groups. I could be wrong, but I believe that's what our
NetAdmins told me. "In AD, there are Global Domain and
Local Domain, not Local Server". And of course, they've
gone for the weekend.
Am I mistaken?
Oh, and completely off topic -- regarding
your "noemail.please" address. Are there leechers that
come into the MSNEWS groups to scrape email addresses?
Should I suppress mine when posting?
Thanks-A-Million!
Brian
>-----Original Message-----
>Brian,
>
>If you've installed SQL Server on a member server, then I'd recommend a
>couple of changes to your process:
>
>Step 3 Create two new local groups on the server hosting SQL Server (one for
>each of the global groups) and add the appropriate Global Groups to the
>local groups (on the server)
>
>Step 4 Grant SQL Server login to the Local groups
>
>Step 5 Assign the appropriate SQL Server database permissions to the local
>groups
>
>Steve
>
>
>
>"Brian Cidern" <bcidern@gillespie.com> wrote in message
>news:8c4d01c281ba$e80188b0$35ef2ecf@TKMSFTNGXA11...
>> Some of the documents I've referenced (from MSDN) for
>> setting up security within SQL Server made the following
>> suggestions:
>>
>> 1. Security Mode: Windows Authentication
>> 2. Create global domain groups and add appropriate users.
>> 3. Create local domain group and add the appropriate
>> global domain groups.
>> 4. Grant login to the local domain group.
>>
>> Scenario.
>> -- Win2k AD groups --
>> Global Group: APP_read
>> Global Group: APP_write
>> Local Group: SQL_Logins
>>
>> SQL_Logins (members)
>> APP_read
>> APP_write
>>
>> (domain users added to the appropriate Global Domain
>> groups)
>>
>> -- SQL Server --
>> USE master
>> sp_grantlogin 'DOMAIN\SQL_Logins'
>>
>> USE APP_db
>> sp_grantdbaccess 'DOMAIN\APP_read'
>> sp_grantdbaccess 'DOMAIN\APP_write'
>> sp_addrolemember 'db_datareader', 'DOMAIN\APP_read'
>> sp_addrolemember 'db_datawriter', 'DOMAIN\APP_write'
>>
>> ------------
>> Now, when I try to connect one of the users (who has been
>> made a member of either of the Global Domain groups), I get
>> a Login Failed while trying to create/configure a User or
>> File DSN.
>>
>> The only way I've been able to gain access from the
>> clients was to explicitly grant login to the specific
>> Global Domain group.
>>
>> Details:
>> SQL Server 2000
>> Version: 8.00.679
>> Patch Level: SP2+Q316333
>> The NetLib is set to TCP/IP.
>> MDAC 2.62.7400.1 installed on client.
>>
>
>
>.
>
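Steps 3 to 5 from the quoted reply, written out as commands together with a check of which group actually grants a user's login. This is an added example, not part of the original thread; SQLHOST (the member server's computer name), the local group names APP_read_local and APP_write_local, and the user DOMAIN\jdoe are assumed placeholders.

```sql
-- Added example (not from the thread). SQLHOST, APP_read_local,
-- APP_write_local and DOMAIN\jdoe are hypothetical names.

-- Step 3 is done at a command prompt on the member server, not in T-SQL:
--   net localgroup APP_read_local /add
--   net localgroup APP_write_local /add
--   net localgroup APP_read_local  DOMAIN\APP_read  /add
--   net localgroup APP_write_local DOMAIN\APP_write /add

-- Step 4: grant login to the local groups. A local group on the server
-- is referenced by the computer name, not by the domain name.
USE master
GO
EXEC sp_grantlogin 'SQLHOST\APP_read_local'
EXEC sp_grantlogin 'SQLHOST\APP_write_local'
GO

-- Step 5: database access and role membership go to the same local groups,
-- so each group carries only the permissions its members need.
USE APP_db
GO
EXEC sp_grantdbaccess 'SQLHOST\APP_read_local'
EXEC sp_grantdbaccess 'SQLHOST\APP_write_local'
EXEC sp_addrolemember 'db_datareader', 'SQLHOST\APP_read_local'
EXEC sp_addrolemember 'db_datawriter', 'SQLHOST\APP_write_local'
GO

-- Check: list the members SQL Server resolves for a granted group.
EXEC master..xp_logininfo 'SQLHOST\APP_read_local', 'members'

-- Check: show every permission path (group login) through which one
-- Windows user can reach the server. An empty result for a user who
-- should have access means no granted group resolves to that user.
EXEC master..xp_logininfo 'DOMAIN\jdoe', 'all'
GO
```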