Giving Local Administrators group access to SQL 2008 Server

  • Hi All,

    I have a SQL 2008 Enterprise Edition server on a Domain.

    I have certain Domain users that are added to the Local Administrator group on this server. When I try to add a new login and select this group to the server, I get the following error: Windows NT user or group not found. Error 15401.

    I've checked the syslogins and do not see that group. I can add the individual users, but it seems cleaner just to add the group.

    I do not want to add the BUILTIN\Administrators group

    Is what I'm attempting allowed, or do I have to make a new Group in AD, add these users to that group, and then add that group to the Logins?

    Thanks

    Denesh Naidoo

  • Check if you have problems resolving the name of a computer that is involved in adding the login or group; if so, you might receive error 15401.

    Verify that the name resolution mechanism (such as WINS, DNS, HOSTS or LMHOSTS) is configured correctly.

    "More Green More Oxygen !! Plant a tree today"

  • AFAIK when a computer joins a domain, the Domain Admins group is added to the <SERVERNAME>\Administrators group. So when a SQL Server is in a domain, this makes <SERVERNAME>\Administrators equivalent to BUILTIN\Administrators, as granting access to <SERVERNAME>\Administrators would implicitly grant access to all domain admins also.

    You would need to create individual logins, or create a new Windows group on the server, with a login for that. HTH

  • Denesh Naidoo (6/24/2010)


    ...I do not want to add the BUILTIN\Administrators group...

    What we do is create a domain group to manage every server and add that group to the local administrators group on the Windows box.

    Only if needed, we grant that domain group the proper auth for the SQL instance. (minimal please)

    Johan

    Learn to play, play to learn !

    Don't drive faster than your guardian angel can fly ...
    but keeping both feet on the ground won't get you anywhere :w00t:


  • When you are adding a new login, click search, then click Object Types. Select the box that says Groups and your local group name will resolve.

    Dana

  • Nice Marmot (7/7/2010)


    AFAIK when a computer joins a domain, the Domain Admins group is added to the <SERVERNAME>\Administrators group. So when a SQL Server is in a domain, this makes <SERVERNAME>\Administrators equivalent to BUILTIN\Administrators, as granting access to <SERVERNAME>\Administrators would implicitly grant access to all domain admins also.

    You would need to create individual logins, or create a new Windows group on the server, with a login for that. HTH

    There's no difference here, as they are one and the same. The Administrators group is a pre-defined group on every computer. It can be referred to as Server\Administrators or BUILTIN\Administrators with a few exceptions, SQL Server being a notable one. Because it is a pre-defined group, SQL Server sees it as BUILTIN\Administrators.

    One way to clearly see this is to check the SID on the Administrators group before you add it to the domain. Then add it to the domain and check the SID again. You'll see it hasn't changed. That's actually documented here:

    Well-known security identifiers in Windows operating systems

    K. Brian Kelley
    @kbriankelley

  • Denesh Naidoo (6/24/2010)


    Hi All,

    I have a SQL 2008 Enterprise Edition server on a Domain.

    I have certain Domain users that are added to the Local Administrator group on this server. When I try to add a new login and select this group to the server, I get the following error: Windows NT user or group not found. Error 15401.

    I've checked the syslogins and do not see that group. I can add the individual users, but it seems cleaner just to add the group.

    I do not want to add the BUILTIN\Administrators group

    Is what I'm attempting allowed, or do I have to make a new Group in AD, add these users to that group, and then add that group to the Logins?

    Thanks

    Denesh Naidoo

    As I replied to another post, BUILTIN\Administrators and ServerName\Administrators are one and the same group. Just because it's a predefined group, SQL Server only sees the Administrators group through BUILTIN\Administrators. BTW, you'll see this is also the case for BUILTIN\Users and BUILTIN\Power Users, to name two others.

    If this group won't work for you, you've got two options, as previously mentioned:

    - Create a new group in Active Directory, add the Windows users to this group, and grant this group login rights to SQL Server. [RECOMMENDED]

    - Add the Windows users individually. This isn't recommended because when a user leaves the organization, you've got a mess to clean up, or if a user switches roles and you don't know about it... yeah, you get the idea.

    K. Brian Kelley
    @kbriankelley
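
The recommended option in the reply above (a dedicated domain group with its own login, granted only what it needs), sketched in T-SQL as an added example that is not part of the original thread. `CONTOSO\SQL-DBAdmins` and `SalesDb` are hypothetical names; the SID literal is the binary form of the well-known Administrators SID S-1-5-32-544.

```sql
-- Added example. [CONTOSO\SQL-DBAdmins] and SalesDb are hypothetical placeholders.

-- 1. Is the local Administrators group already a login on this instance?
--    Match on the well-known SID (S-1-5-32-544) instead of the display name,
--    because SQL Server stores the group as BUILTIN\Administrators no matter
--    how it is referred to on the Windows side.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE sid = 0x01020000000000052000000020020000;

-- 2. Create a login for the dedicated domain group, if it does not exist yet.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\SQL-DBAdmins')
    CREATE LOGIN [CONTOSO\SQL-DBAdmins] FROM WINDOWS;

-- 3. Grant only what the group needs. Here: read access to one database
--    (an assumed requirement), not a server-level role such as sysadmin.
USE SalesDb;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\SQL-DBAdmins')
    CREATE USER [CONTOSO\SQL-DBAdmins] FOR LOGIN [CONTOSO\SQL-DBAdmins];
-- sp_addrolemember is used because ALTER ROLE ... ADD MEMBER is not
-- available on SQL Server 2008.
EXEC sp_addrolemember N'db_datareader', N'CONTOSO\SQL-DBAdmins';

-- 4. Review every Windows group that has a login, and flag the ones that
--    hold sysadmin, so group-based access stays visible.
SELECT p.name,
       p.type_desc,
       p.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', p.name) AS is_sysadmin
FROM sys.server_principals AS p
WHERE p.type = 'G'          -- 'G' = Windows group
ORDER BY p.name;

-- 5. Expand the group to the accounts that actually receive access through it.
EXEC xp_logininfo N'CONTOSO\SQL-DBAdmins', 'members';
```

Steps 4 and 5 are worth rerunning whenever group membership changes in Active Directory, since access granted through a group follows its membership without any change on the SQL Server side.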

  • Thanks to all for your replies. It is greatly appreciated
