March 22, 2016 at 2:53 pm
Hi all,
I'm having trouble accessing an instance via a domain group, but I can access it when the domain user is added directly in the instance.
I have an instance SQL_A in DOMAIN_A and a domain group in another domain called DOMAIN_B\GROUP_1. The domain user DOMAIN_B\USER_1 is a member of DOMAIN_B\GROUP_1.
I add the DOMAIN_B\GROUP_1 in the SQL_A instance (it means that the trust between DOMAIN_A and DOMAIN_B is working fine!)
When USER_1 tries to connect to SQL_A I get this error: "Login failed for user 'DOMAIN_B\USER_1'...Error: 18456"
In the error log : "Login failed for user 'DOMAIN_B\USER_1'. Reason: Could not find a login matching the name provided"
I create a login for DOMAIN_B\USER_1 directly in the instance and after that I can login without error!
What is the problem? The instance can't get the group members?
Thanks!
March 24, 2016 at 6:19 am
Pete,
I believe you have to make DOMAIN_B\GROUP_1 a Universal group in order to allow its users to login to SQL in another domain with just group permissions.
Hope that helps.
Jon
March 24, 2016 at 11:00 am
SeniorITGuy (3/24/2016)
Pete,
I believe you have to make DOMAIN_B\GROUP_1 a Universal group in order to allow its users to login to SQL in another domain with just group permissions.
Hope that helps.
Jon
I'm going to ditto on this because I recently had the same issue when getting a new Windows group created in the same domain as our current servers. The help desk didn't make it universal so the users couldn't log in. It wasn't until that got fixed that things worked.
March 24, 2016 at 11:45 am
OK, I'm going through the same issue as well. We have two domains with two-way trusts.
The network guys tell me it's not possible to change our existing group to this universal group, but it might just be because they don't know how?
Lowell
March 24, 2016 at 11:51 am
Lowell (3/24/2016)
OK, I'm going through the same issue as well. We have two domains with two-way trusts.
The network guys tell me it's not possible to change our existing group to this universal group, but it might just be because they don't know how?
There's no reason why they can't recreate the group. If they have to add a letter or number to the end of it, then they can do that and just add all the permissions necessary. Or they can (if you don't have anything currently using the old group) just delete it and recreate it.
I don't know enough about Active Directory to know how our help desk managed to fix it.
March 24, 2016 at 4:06 pm
I've asked to change the scope of the DOMAIN_B\GROUP_1.
According to this article, it's supposed to be possible:
https://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx
Thanks all 🙂
March 25, 2016 at 4:18 am
Pete Softown (3/24/2016)
I've asked to change the scope of the DOMAIN_B\GROUP_1.
According to this article, it's supposed to be possible:
https://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx
Thanks all 🙂
You're welcome and thank you for adding the article link.
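An added diagnostic for the symptom discussed in this thread (not posted by any participant): T-SQL to run on SQL_A to see what the instance knows about the group login and which members it can resolve. It assumes a sysadmin connection and uses the thread's names DOMAIN_B\GROUP_1 and DOMAIN_B\USER_1.

```sql
-- Added example: run on SQL_A as a member of sysadmin.
-- DOMAIN_B\GROUP_1 and DOMAIN_B\USER_1 are the names used in the thread.

-- 1. Is the group registered as a server principal, and is it enabled?
--    Expect one row with type_desc = WINDOWS_GROUP and is_disabled = 0.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE name = N'DOMAIN_B\GROUP_1';

-- 2. Does the group hold CONNECT SQL, and is it granted rather than denied?
SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'DOMAIN_B\GROUP_1'
  AND pe.permission_name = N'CONNECT SQL';

-- 3. Which members can the instance enumerate for the group?
--    An error or an empty result here means SQL_A cannot read the
--    membership of the group from the other domain.
EXEC xp_logininfo @acctname = N'DOMAIN_B\GROUP_1', @option = 'members';

-- 4. Through which login or group would the user get access?
--    The "permission path" column names the group that grants access;
--    compare it with the group added in step 1.
EXEC xp_logininfo @acctname = N'DOMAIN_B\USER_1', @option = 'all';
```

Run steps 3 and 4 again after any change to the group in Active Directory, and have the user log off and on first so that a fresh Windows token is issued.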