Best way to completely keep an entire Active Directory group of people out of a SQL Server

Question

Best way to completely keep an entire Active Directory group of people out of a SQL Server

MyDoggieJessie

SSC-Forever

Points: 44486
More actions
April 30, 2013 at 10:52 am

#273390

I'd like to ban an entire group from accessing specific SQL Servers, does anyone know of a solid way to approach this?
______________________________________________________________________________Never argue with an idiot; Theyll drag you down to their level and beat you with experience

Viewing 5 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply

K. Brian Kelley SSC Guru Points: 114642 More actions · Answer 1

If they're in a Windows security group, you can add the group as a login and deny permission to connect to the SQL Server.

However, this is usually seen as a method of last resort. Someone could always be added to the group that you didn't intend to block.

K. Brian Kelley
@kbriankelley

Perry Whittle SSC Guru Points: 234013 More actions · Answer 2

I use a logon trigger to acheive this, blocking an AD group accessing via certain applications, but the trigger could quite easily just block the group.

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" 😉

Steve JP Ten Centuries Points: 1070 More actions · Answer 3

If it is general blocking a set of users then a logon trigger will do the trick.

But if you want to block Server Admins & Developers with Server Admin rights then it gets more tricky as they can always start sql with single user mode and minimal configuration which will prevent the login triggers from running.

kevaburg SSCoach Points: 18131 More actions · Answer 4

K. Brian Kelley (4/30/2013)
If they're in a Windows security group, you can add the group as a login and deny permission to connect to the SQL Server.
However, this is usually seen as a method of last resort. Someone could always be added to the group that you didn't intend to block.

This is the way I would do it.

Alternatively, and to prevent the chance that you block anyone inavertently from accessnig the server, you could create a new AD Security Group and place the members you explicitly don't want on the server in that group. All you need to do then is distribute the group to the required servers and deny connect to that group.