Friday, February 24, 2012

Domain Group Account Won''t Work

Greetings,

I am trying to configure Reporting Services to allow a domain group access to reports. I am able to configure the domain and group (mydomain\grpname) in both Report Manager and BIDS. I'm sure I entered the correct name because I purposely misspelled it and received an error. I think this tells me it is finding the group correctly.

However, when my test user goes to Report Manager, there are no folders displayed. I checked and he is in the domain group I am using. If I explicitly add him (mydomain\andy) to the folders, he can see them and execute the reports.

After searching the forums and other websites, I have checked IIS is using Windows Integrated Security and not anonymous access.

Any ideas?

Rob

Hi Rob,

Have you verified the domain account was granted access to the (root) home folder. To check, open up Report Manager (Web interface) and on the home page click on properties and verify the domain account is listed and that it has at least Browser rights. If you do not see the group listed, then click on New Role Assignment and add the domain group and grant Browser rights.

|||

Yes, the domain group has Browser permissions to the Home folder.

I am concerned that the server itself may not be properly configured to access the domain groups. Would it be fair to say that because using a domain USER works, using a domain GROUP should work as well? Or could there be some other Windows Server 2003 setting that needs to be configured?

Rob

|||

If you are not getting errors when granting rights to the group, then that part should be fine. Windows 2000 and 2003 use Active Directory and Reporting Services is of course Active Directory aware. I believe you are saying that your server is Windows 2003 and that is good. However, are your user accounts using Active Directory or are they possibly members of a legacy Windows NT domain? I have had problems with this in the past and we had to migrate all Windows NT domain accounts to Windows 2003 Active Directory accounts.

|||

UPDATE: It would appear that Active Directory is NOT installed afterall. (I need to stop relying upon other people to answer my questions.)

I'm guessing AD needs to be installed. Correct?

If so, I may have a problem. Being one of those "big corporations" we have an IT department that doesn't really support us having our own servers. I'm going to give it a try. Hopefully I won't be fired.

Rob

|||

Rob,

I would be very careful before installing Active Directory on your database server unless you plan to have a self-contained network of your own. Active Directory does not need to be installed on your server, but your server does need to be registered in your corporate Active Directory schema for it to be recognized by Active Directory and able to grant AD account access to your Reporting Services. Check with your I.T. folks to ensure your server is registered and has this ability. No one wants anyone to get fired.

|||

Chuck,

I'll try to check with IT. They can be a bit stubborn about this stuff and not share any information. I wouldn't be surprised if we are running legacy Windows NT domains considering we only went to Exchange 2003 less than a year ago.

Rob

|||

Also, on your server you can right-click on the My Computer icon and choose properties to see what Domain it shows your sever to be a member of. That information would be useful for both yourself and the I.T. staff.

No comments:

Post a Comment