August 30, 2005 at 7:25 am
Can anyone explain why it's considered best practice to allocate SQL Server access to local groups as opposed to global (Domain) groups? The opposite is true as far as I'm concerned - it confuses the situation, leads to duplication between local and Domain groups and introduces a weakness if local admin access is not as tightly controlled as Domain admin access.
The only advantage I can see is that security is enforced even if the SQL Server cannot connect to a Primary or Backup DC but then it's unlikely anyone could access the SQL Server anyway.
August 30, 2005 at 8:29 am
I'm sure this goes back to multiple domains in a tree in AD.
You set up a local domain group and put other domain groups in this, and grant the local domain group SQL rights. It doesn't mean local server groups nesting domain groups.
See http://windows.about.com/od/administrationforexperts/l/aa010506a.htm
In fact, just this Google search:
http://www.google.co.uk/search?hl=en&q=local+global+domain+groups&btnG=Google+Search&meta=
They all mention domain local, not server local...
Cheers, Shawn
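An added example, not part of the original thread: an audit query that lists the Windows groups granted a login on an instance and shows whether each is defined on the server itself or in a domain, which is the distinction the reply above draws. It assumes SQL Server 2005 or later (the `sys.server_principals` and `sys.server_role_members` catalog views) and a stand-alone, non-clustered server whose machine name prefixes its local groups.

```sql
-- Added example: classify Windows-group logins by where the group is defined.
WITH group_logins AS (
    SELECT principal_id,
           name,
           create_date,
           -- Text before the backslash: a domain, the machine name, or BUILTIN.
           -- Appending '\' keeps LEFT() safe for names that have no backslash.
           LEFT(name, CHARINDEX('\', name + '\') - 1) AS authority
    FROM sys.server_principals
    WHERE type = 'G'                       -- G = Windows group
)
SELECT g.name,
       CASE
           WHEN g.authority = 'BUILTIN'
               THEN 'server-local (built-in)'
           WHEN g.authority = CAST(SERVERPROPERTY('MachineName') AS nvarchar(128))
               THEN 'server-local'
           WHEN g.authority IN ('NT AUTHORITY', 'NT SERVICE')
               THEN 'system or service'
           ELSE 'domain group'             -- domain local, global or universal
       END AS defined_in,
       -- 1 when the group is a direct member of the sysadmin fixed server role
       CASE WHEN EXISTS (
                SELECT 1
                FROM sys.server_role_members AS rm
                JOIN sys.server_principals AS r
                  ON r.principal_id = rm.role_principal_id
                WHERE rm.member_principal_id = g.principal_id
                  AND r.name = 'sysadmin')
            THEN 1 ELSE 0 END AS is_sysadmin,
       g.create_date
FROM group_logins AS g
ORDER BY defined_in, g.name;
```

SQL Server records only the group's name and SID, so the query cannot separate domain local groups from global ones; that has to be checked in Active Directory. Rows marked server-local are the ones whose membership is controlled by whoever administers the machine rather than the domain.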
August 30, 2005 at 9:16 am
Thanks Shawn, I've had a quick look at the article and it sounds plausible. So it's down to my misunderstanding of the difference between global and local Windows groups - a little knowledge is a dangerous thing as they say.
August 31, 2005 at 1:38 am
We all say "local group" to mean the server though, not domain group... easily done.