Re: Active Directory SQL integration
From: tw-Nashville (twNashville_at_discussions.microsoft.com)
Date: 12/20/04
- Next message: Steve B.: "Re: Passing a variable column name to a stored procedure"
- Previous message: Chris Geier: "Re: IIS, SQL DMZ question"
- In reply to: Steve Thompson: "Re: Active Directory SQL integration"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 20 Dec 2004 13:09:05 -0800
Thanks, Steve, for responding to my post. I looked through the KB article
carefully, and followed several links that were listed. Unfortunately, I
don't think any of them will be of great help. Using sp_help_revlogin only
gives back the current name in sysxlogins, which is the old AD account name,
when I want to get the new one. I thought that perhaps if I ran the script,
the old IDs would throw an error and pop out. So I grabbed one that I knew
to be outdated, and ran the sp_grantlogin. It did not throw an error,
presumably because there is already a user in sysxlogins with that name.
So the basic problem remains: 1) identifying the affected users, and 2)
updating their information in sysxlogins to use the new AD account name,
while preserving any objects that are owned by the user.
Thank you,
tw
"Steve Thompson" wrote:
> Have you seen:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;246133
>
> I believe you could use the stored procedure to migrate the "old" AD
> accounts to the new ones. In concept refreshing AD accounts is similar to
> migrating databases between servers.
>
> Steve
>
>
> "tw-Nashville" <twNashville@discussions.microsoft.com> wrote in message
> news:C9CD31C7-83AE-4CE6-814C-0C62ADE6B1DE@microsoft.com...
> > Our infrastructure group is changing all account names in Active Directory.
> > For purposes of example in this post, an account named MyDomain\oldAccount
> > would change to MyDomain\newAccount. However, in SQL Server's
> > master..sysxlogins table, the name column continues to contain their old AD
> > login (MyDomain\oldAccount). The user, by using MyDomain\newAccount, will
> > continue to be able to login to SQL Server, because his/her SID has not
> > changed. If the user has rights to be able to create objects, he/she can
> > create new objects, but they will have the old account (MyDomain\oldAccount)
> > name on them in the database.
> >
> > My problem is this. As users come and go, I need to be able to determine
> > whether a SQL Server user is valid. More importantly, we remove any objects
> > those old users created, as they are no longer needed. Also, if a user
> > calls with access problems, I need to be able to reliably identify how they
> > get to SQL Server.
> >
> > Once the account has been changed, AD will no longer recognize
> > MyDomain\oldAccount, so they look like invalid users if I try to find them.
> >
> > So here are the bottom-line questions:
> > 1. How do I use the SID in SQL Server to find an account in AD?
> > 2. How do I change the name on the sysxlogins table and all sysusers tables
> > in the various databases to which the user has access?
> >
> > Thank you in advance for your assistance,
> >
> > tw
>
>
>
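An added example, not part of the thread: since the posts say the SID is unchanged by the rename while the stored name goes stale, this sketch decodes the binary SID as printed from the sid column into its S-1-... string form and flags logins whose stored name no longer matches. The SID values, the extra account names and the `SAMPLE_DIRECTORY` mapping (a stand-in for the result of a directory lookup by SID) are constructed for illustration.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode a binary Windows SID into its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def parse_sid_column(text: str) -> bytes:
    """Accept the sid column as query tools print it: 0x followed by hex."""
    text = text.strip()
    return bytes.fromhex(text[2:] if text[:2].lower() == "0x" else text)

def find_stale_logins(logins, directory):
    """Return (stored_name, current_name, sid) where the names disagree.

    current_name is None when the SID is absent from the directory data.
    """
    stale = []
    for name, sid_hex in logins:
        sid = sid_to_string(parse_sid_column(sid_hex))
        current = directory.get(sid)
        if current is None or current.lower() != name.lower():
            stale.append((name, current, sid))
    return stale

# Constructed sample rows: (name, sid) as they might be selected from the
# login table. These are not real SIDs.
PREFIX = "0x010500000000000515000000111111112222222233333333"
SAMPLE_LOGINS = [
    ("MyDomain\\oldAccount", PREFIX + "51040000"),
    ("MyDomain\\unchanged", PREFIX + "52040000"),
    ("MyDomain\\departed", PREFIX + "53040000"),
]
# Constructed stand-in for a directory export keyed by SID string.
DOMAIN = "S-1-5-21-286331153-572662306-858993459"
SAMPLE_DIRECTORY = {
    DOMAIN + "-1105": "MyDomain\\newAccount",
    DOMAIN + "-1106": "MyDomain\\unchanged",
}

if __name__ == "__main__":
    for row in find_stale_logins(SAMPLE_LOGINS, SAMPLE_DIRECTORY):
        print(row)
```

The first row in the output is a renamed account (same SID, new name); the row with `None` is a SID the directory data no longer contains.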