Access via User Groups

Question

Access via User Groups

Robert Taylor-202453

SSC Rookie

Points: 33
More actions
March 16, 2005 at 9:52 am

#185501

I have a sql server instance in domain A. If i give access to sql to a user in domain B using the format A\username, everything works fine. If we then give access to a group in the format A\groupname, any user in the group is denied access to sql.
Any help would be appreciated.

Viewing 8 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply

K. Brian Kelley SSC Guru Points: 114703 More actions · Answer 1

Does domain A trust domain B? A\username works for someone coming in with B\username credentials? Can you verify this with a profiler trace?

K. Brian Kelley
@kbriankelley

Robert Taylor-202453 SSC Rookie Points: 33 More actions · Answer 2

Domain A trusts domain B. A user in domain B can access sql if this specific access is set up in sql but a user in a group in domain B can not access sql even if the group is set up in a sql login.

K. Brian Kelley SSC Guru Points: 114703 More actions · Answer 3

The group shouldn't be a SQL login. It should be a Windows login. Also, it must be a global or universal domain group. Verify the group in question isn't a local domain group. Local domain groups are not accessible outside of the domain.

K. Brian Kelley
@kbriankelley

Robert Taylor-202453 SSC Rookie Points: 33 More actions · Answer 4

Sorry, the group is set up as a login using windows authentication rather than sql authentication. I will check the type of group used but i would of thought that it would not be possible to see a domain b local group from within domain a and sql quite happily acknowledges the group exists.

sa24 SSCrazy Eights Points: 8027 More actions · Answer 5

You can do a nbtstat -a servername and see what domains your server is registered in.

K. Brian Kelley SSC Guru Points: 114703 More actions · Answer 6

It's not what domain the server is registed in that is causing the problem.

Out of curiousity, if you were to assign that group access to another resource in Domain A, say a file share... can someone that is a member of that group access the file share? It may not be a SQL Server issue at all.

K. Brian Kelley
@kbriankelley

Ted Schlepuetz Newbie Points: 7 More actions · Answer 7

We had the same issue here when we were cleaning up the number of logins that we had on SQL server. If you create a local group in USRMGR and then try and give permissions to that group on SQL server it would not work. The group had to be a global group and then we were able to set that group up with a login on SQL server.