Authentication

  • I am a relatively new SQL2K DBA.  My question is very basic.  If I am using Windows Authentication and a Windows 2000 user or group (under Active Directory) has network access to the SQL2k Server, do I still need to create a login account for the user? 

     

  • No. If the AD group has a login, then the user will have access (unless they are denied).

  • Ok, but then what is their default role?  What can they do?  I am guessing that if I want to restrict or grant access, I must create a login for them.

  • You must define the group under Security > Logins.  Right-click and browse to the name of the group you wish to add.  Leave Windows authentication checked.  You have two tabs: Server Roles and Database Roles.  Check on each of these tabs and choose which roles you want to assign to the group.

    This is a really simple run through of how to allow the users to get a connection to the database.  You really, really should read something on security before you do any of this though so you have at least some understanding of how security works in SQL Server.  Start with Books Online (SQL Help).

    Angela

  • I agree with you, Angela, and I have been doing some reading and testing.  My conclusion is this.  I removed my login from one of our servers and I was unable to connect to that server via EM or Access.  So I am assuming that even if you have network access to the box, you cannot get at any databases unless you have a login account.  Correct me if I am wrong. Thanks.

  • What do you mean by "network access"?  Just because you can ping the actual server does not mean you can connect to a database.  You must be granted the rights to connect to a particular database.

    From Books Online:

    Each user must gain access to an instance of Microsoft® SQL Server™ through a login account that establishes the user's ability to connect (authentication). This login then has to be mapped to a SQL Server user account, which is used to control activities performed in the database (permissions validation). Therefore, a single login is mapped to one user account created in each database the login is accessing. If no user account exists in a database, the user cannot access the database even though the user may be able to connect to an instance of SQL Server.

    The login is created in Microsoft Windows NT® 4.0 or Windows® 2000 rather than in SQL Server. This login is then granted permission to connect to an instance of SQL Server. The login is granted access within SQL Server.
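
The login-to-user mapping described in the Books Online excerpt, and the Enterprise Manager steps given earlier in the thread, written as T-SQL for SQL Server 2000. This is an added example, not code from any of the posts; the group `CORP\SalesReaders`, the user `CORP\jsmith` and the database `SalesDB` are constructed names.

```sql
-- Constructed names (assumptions): CORP\SalesReaders, CORP\jsmith, SalesDB.
USE master
GO

-- 1. Authentication: give the Windows group a login on the instance.
--    Every member of the group can now connect; no per-user login is needed.
EXEC sp_grantlogin N'CORP\SalesReaders'
GO

-- A deny entry for an individual account overrides the login that
-- account would otherwise inherit through group membership.
EXEC sp_denylogin N'CORP\jsmith'
GO

-- 2. Permissions validation: map the login to a user in each database
--    it should reach. Without this step the group can connect to the
--    instance but cannot open SalesDB.
USE SalesDB
GO
EXEC sp_grantdbaccess N'CORP\SalesReaders', N'SalesReaders'
GO

-- 3. Grant only what is needed: read-only here via a fixed database role.
EXEC sp_addrolemember N'db_datareader', N'SalesReaders'
GO

-- Audit: Windows logins on the instance and whether each is granted or denied.
SELECT name, isntgroup, hasaccess, denylogin
FROM   master.dbo.syslogins
WHERE  isntname = 1
ORDER  BY name

-- Audit: Windows accounts mapped into the current database.
SELECT name, isntgroup, hasdbaccess
FROM   sysusers
WHERE  isntname = 1
ORDER  BY name
GO
```

Running the two audit queries on each server shows which Windows groups can connect and which databases they are mapped into, which is a quick way to spot groups with broader access than intended.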
