AD Group Access

  • I have an instance (10.0.2841) that is using AD auth for user access in a Dev/QA environment. Access is through a chain of AD groups:

    test_user --> domain\parent_group --> domain\db_group --> DB

    For all domain groups access is working fine. For one db_group access will not work. I have tried eliminating the parent group:

    test_user --> domain\db_group --> DB

    The test user of domain\db_group still cannot access the DB.

    Further, I've performed the following tests:

    - verify that SID between sys.database_principals matches sys.server_principals

    - added another group to this DB that the test user is a member of and access was successful

    test_user --> domain\db_group2 --> DB

    - removed access for the server login to the DB and re-added it

    - granted test_user access directly to the DB. This was successful

    Is anyone aware of another way to test this or have a recommended solution? I have not tried to remove the server login from the instance altogether. My reasoning is that I should be able to identify what the source of the discrepancy is first. This is one step in a large security rollout and I do not want to be on the hook to destroy and recreate all permissions for the db_group should this occur again.

    All of your help is much appreciated!

  • Just trying to get the whole view: What scope and type of group is the group that doesn't work as intended? And is the group in the same domain as the DB server?



    Ole Kristian Velstadbråten Bangås - Virinco - Facebook - Twitter

    Concatenating Row Values in Transact-SQL
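
The checks listed in the question can be run as one T-SQL script. This is an added example, not code posted by either participant. `domain\db_group` and `domain\test_user` are the names used in the thread, and `YourDb` is a placeholder for the affected database.

```sql
-- Added example. YourDb is a placeholder; the principal names come from the thread.
USE YourDb;
GO
DECLARE @group sysname = N'domain\db_group';
DECLARE @user  sysname = N'domain\test_user';

-- 1. Server login vs. database user: join on SID, not on name.
--    A NULL database_user means no user in this database maps to the login.
SELECT sp.name       AS server_login,
       sp.type_desc  AS login_type,      -- WINDOWS_GROUP is expected here
       sp.is_disabled,
       dp.name       AS database_user,
       dp.type_desc  AS user_type,
       CASE WHEN dp.sid IS NULL
            THEN 'no database user with this SID'
            ELSE 'SID match'
       END           AS sid_check
FROM sys.server_principals AS sp
LEFT JOIN sys.database_principals AS dp
       ON dp.sid = sp.sid
WHERE sp.name = @group;

-- 2. Same name, different SID: a database user left over from an
--    earlier login or group that no longer maps to the current one.
SELECT dp.name, dp.sid AS database_sid, sp.sid AS server_sid
FROM sys.database_principals AS dp
JOIN sys.server_principals   AS sp
       ON sp.name = dp.name
WHERE dp.name = @group
  AND dp.sid <> sp.sid;

-- 3. Every login or group through which SQL Server resolves the test user.
--    The "permission path" column should list domain\db_group.
EXEC master.dbo.xp_logininfo @acctname = @user, @option = 'all';

-- 4. The members Windows reports for the group itself.
EXEC master.dbo.xp_logininfo @acctname = @group, @option = 'members';
```

If step 3 does not list `domain\db_group` as a permission path while step 1 reports a SID match, the group membership is not being resolved on the Windows side, which is where the reply's questions about group scope, type and domain apply.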
