Friday, February 24, 2012

Domain group members cannot connect [SQL Server 2k5 Workgroup Ed.]

We have a brand new out-of-the-box SQL Server 2005 Workgroup Edition install.
We are using Windows Authentication, and have created SQL logins for about
40 different groups on our domain. We've given those logins the appropriate
permissions on the databases they're supposed to be able to access.
The problem is that when users try to connect to the SQL server, they cannot
connect. An error 18456 is thrown, and logged in the Application event log
stating "Login failed for user OURDOMAIN\theuser" (example values). The
user is properly a member of a group added as a login to SQL Server, and we've
confirmed that there are not conflicting permissions that would deny those
users access via another route.
This is only a problem for domain-based groups. If we create a local group
on the SQL server machine, through Computer Management -> Local Users and
Groups, then make the same users a member of THAT group, and finally then
follow the same process to add that local group to SQL Server Logins and set
the database privileges, it works!!
Our group memberships change frequently, and are used for a lot more than
just SQL server permissions. So, using local groups and maintaining
membership in both places is not really feasible. Any ideas why a local
machine group containing domain user accounts would work fine, but a domain
group containing the same accounts would not?
Thanks in advance.
~Jim

Is the server that SQL is on joined to the domain?
Jim Kilmer wrote:
> We have a brand new out-of-the-box SQL Server 2005 Workgroup Edition install.
> We are using Windows Authentication, and have created SQL logins for about
> 40 different groups on our domain. We've given those logins the appropriate
> permissions on the databases they're supposed to be able to access.
> The problem is that when users try to connect to the SQL server, they cannot
> connect. An error 18456 is thrown, and logged in the Application event log
> stating "Login failed for user OURDOMAIN\theuser" (example values). The
> user is properly a member of a group added as a login to SQL Server, and we've
> confirmed that there are not conflicting permissions that would deny those
> users access via another route.
> This is only a problem for domain-based groups. If we create a local group
> on the SQL server machine, through Computer Management -> Local Users and
> Groups, then make the same users a member of THAT group, and finally then
> follow the same process to add that local group to SQL Server Logins and set
> the database privileges, it works!!
> Our group memberships change frequently, and are used for a lot more than
> just SQL server permissions. So, using local groups and maintaining
> membership in both places is not really feasible. Any ideas why a local
> machine group containing domain user accounts would work fine, but a domain
> group containing the same accounts would not?
> Thanks in advance.
> ~Jim
