Windows Authentication - local groups versus global groups

  • Can anyone explain why it's considered best practice to allocate SQL Server access to local groups as opposed to global (Domain) groups? The opposite is true as far as I'm concerned - it confuses the situation, leads to duplication between local and Domain groups and introduces a weakness if local admin access is not as tightly controlled as Domain admin access.

    The only advantage I can see is that security is enforced even if the SQL Server cannot connect to a Primary or Backup DC but then it's unlikely anyone could access the SQL Server anyway.

  • I'm sure this goes back to multiple domains in a tree in AD.

    You set up a local domain group and put other domain groups in this, and grant the local domain group SQL rights. It doesn't mean local server groups nesting domain groups.

    See http://windows.about.com/od/administrationforexperts/l/aa010506a.htm

    In fact, just this Google search:

    http://www.google.co.uk/search?hl=en&q=local+global+domain+groups&btnG=Google+Search&meta=

    They all mention domain local, not server local...

    Cheers, Shawn
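
The arrangement described in the reply above (a domain local group that contains a global group and receives the SQL Server rights), as an added example that is not part of the original thread. It assumes the ActiveDirectory and SqlServer PowerShell modules are installed; the domain `CONTOSO`, the OU path, the group names and the server `SQL01` are hypothetical. The last step lists every Windows group login on the instance and shows whether it is a server-local (SAM) group or a domain group, and of which scope.

```powershell
# Added example; CONTOSO, the OU path, the group names and SQL01 are hypothetical.
Import-Module ActiveDirectory
Import-Module SqlServer

$domain    = 'CONTOSO'
$ou        = 'OU=SQL Access,DC=contoso,DC=example'
$globalGrp = 'GG-Finance-Analysts'   # existing global group that holds the user accounts
$localGrp  = 'DL-SQL01-Sales-Read'   # domain local group that will receive the SQL rights
$sqlServer = 'SQL01'

# 1. Create the domain local group in Active Directory.
#    This is not a group in the SQL Server machine's own SAM database.
New-ADGroup -Name $localGrp -SamAccountName $localGrp `
            -GroupScope DomainLocal -GroupCategory Security -Path $ou

# 2. Nest the global group inside the domain local group.
Add-ADGroupMember -Identity $localGrp -Members $globalGrp

# 3. Grant the SQL Server login to the domain local group only.
Invoke-Sqlcmd -ServerInstance $sqlServer `
              -Query "CREATE LOGIN [$domain\$localGrp] FROM WINDOWS;"

# 4. Audit: classify every Windows group login (type 'G') on the instance.
$machine = (Invoke-Sqlcmd -ServerInstance $sqlServer -Query `
    "SELECT CAST(SERVERPROPERTY('MachineName') AS nvarchar(128)) AS m;").m
$logins  = Invoke-Sqlcmd -ServerInstance $sqlServer -Query `
    "SELECT name FROM sys.server_principals WHERE type = 'G';"

foreach ($row in $logins) {
    $prefix, $name = $row.name -split '\\', 2
    if ($prefix -in 'BUILTIN', $machine) {
        # Membership is controlled by whoever administers the server itself.
        $scope = 'server-local (SAM)'
    }
    elseif ($prefix -eq $domain) {
        # Membership is controlled in AD; report Global/DomainLocal/Universal.
        $scope = "domain: $((Get-ADGroup -Identity $name).GroupScope)"
    }
    else {
        $scope = 'other (service or trusted-domain principal)'
    }
    [pscustomobject]@{ Login = $row.name; Scope = $scope }
}
```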

  • Thanks Shawn, I've had a quick look at the article and it sounds plausible. So it's down to my misunderstanding of the difference between global and local Windows groups - a little knowledge is a dangerous thing as they say.

  • We all say "local group" to mean the server though, not domain group... easily done
