Hi.
I have a table containing two groups and a detail area.My report has multiple pages.I want to draw line after the last record on every page.I think that expression will be written in record's bottom expression area.How can I choose the last record in every page.Or is there another way to do this.Could you help me please?why wont u draw a line on page footer? when u draw a line on page footer it will diplay on the bottom of each page.|||Thanks but it didn't work
I drawed horizontal line across the page footer.
But there is several blank rows between the last record and the line in page footer.And this is never looking good.If you have another idea about this please share with me.
Showing posts with label groups. Show all posts
Showing posts with label groups. Show all posts
Thursday, March 29, 2012
Friday, March 9, 2012
Dont want to use NT Account
Good Day,
I would like to create 3 roles in SQL Server 2000 Reporting Services
but do not have corresponding NT groups.
The sys-admin has asked that I do not create these 3 NT groups to use
in Reporting Services, but to find some other way to create these roles
without corresponding NT groups. The 40 or so Users that would be
assigned to these 3 groups have NT user accounts. Does anyone know if
there is a way I can do this? (i hope that all made sense - clear as
mud)
The Books Online state "you must specify domain groups or users", so
I'm assuming this cannot easily be done. I also saw another post in
this forum that said if you do not use NT users/groups you must
implement some sort of custom authentication. Does anyone have a link
to some documentation on this?
Thanks!
MichelleI think you're mixing role and group, but I think I get the gist of what
you're saying.
You can create the roles in RS independent of any groups/users you have.
If you have multiple users to assign these roles to, you really should
create NT groups for them. Otherwise the managment cost just rises too
much. What is the administrator's justification for not allowing you to
create the desired groups? Can you reuse any existing groups?
-Lukasz
This posting is provided "AS IS" with no warranties, and confers no rights.
<Michelle@.bwalk.com> wrote in message
news:1106774994.929964.6650@.z14g2000cwz.googlegroups.com...
> Good Day,
> I would like to create 3 roles in SQL Server 2000 Reporting Services
> but do not have corresponding NT groups.
> The sys-admin has asked that I do not create these 3 NT groups to use
> in Reporting Services, but to find some other way to create these roles
> without corresponding NT groups. The 40 or so Users that would be
> assigned to these 3 groups have NT user accounts. Does anyone know if
> there is a way I can do this? (i hope that all made sense - clear as
> mud)
> The Books Online state "you must specify domain groups or users", so
> I'm assuming this cannot easily be done. I also saw another post in
> this forum that said if you do not use NT users/groups you must
> implement some sort of custom authentication. Does anyone have a link
> to some documentation on this?
>
> Thanks!
> Michelle
>|||Note that you don't have to create groups in the domain. You can have a
local group that you add domain users or domain groups. Then you assign that
group to a role. Then the admin is out of the loop and everyone is happy.
--
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"Lukasz Pawlowski [MSFT]" <lukaszp@.online.microsoft.com> wrote in message
news:OK4btSCBFHA.2584@.TK2MSFTNGP09.phx.gbl...
> I think you're mixing role and group, but I think I get the gist of what
> you're saying.
> You can create the roles in RS independent of any groups/users you have.
> If you have multiple users to assign these roles to, you really should
> create NT groups for them. Otherwise the managment cost just rises too
> much. What is the administrator's justification for not allowing you to
> create the desired groups? Can you reuse any existing groups?
> -Lukasz
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
> <Michelle@.bwalk.com> wrote in message
> news:1106774994.929964.6650@.z14g2000cwz.googlegroups.com...
> > Good Day,
> >
> > I would like to create 3 roles in SQL Server 2000 Reporting Services
> > but do not have corresponding NT groups.
> >
> > The sys-admin has asked that I do not create these 3 NT groups to use
> > in Reporting Services, but to find some other way to create these roles
> > without corresponding NT groups. The 40 or so Users that would be
> > assigned to these 3 groups have NT user accounts. Does anyone know if
> > there is a way I can do this? (i hope that all made sense - clear as
> > mud)
> >
> > The Books Online state "you must specify domain groups or users", so
> > I'm assuming this cannot easily be done. I also saw another post in
> > this forum that said if you do not use NT users/groups you must
> > implement some sort of custom authentication. Does anyone have a link
> > to some documentation on this?
> >
> >
> > Thanks!
> > Michelle
> >
>|||Hi guys,
My sys admin believes that creating these 3 NT groups will make make
the active directory tough to manage. I think that if these 3 whole
groups will set the managablilty over the top then perhaps they've got
other issues, but I'm no sys admin and I'm not privy to how they have
been setting up the NT user accounts and groups.
Would you happen to have instructions or documentation on how I add
roles in RS without referencing corresponding NT groups? All of the
documentation I have found only deals with NT accounts, and when I gave
it a try an error was thrown because an account wasn't found. What I
would like to do is create my own role in RS that I can add the
existing NT User accounts to.
Thanks again!
Michelle|||> My sys admin believes that creating these 3 NT groups will make make
> the active directory tough to manage.
Your admin likely doesn't want to handle the requests to add/'remove people
from the group. Can you think of creative solutions to this problem? Can
s/he assign you the permission to add/remove users from these groups?
> Would you happen to have instructions or documentation on how I add
> roles in RS without referencing corresponding NT groups? All of the
> documentation I have found only deals with NT accounts, and when I gave
> it a try an error was thrown because an account wasn't found. What I
> would like to do is create my own role in RS that I can add the
> existing NT User accounts to.
In RS a role has a particular meaning - it is a set of tasks you can assign
to a user or group on a particular item/scope. RS itself does not have a
groups mechanism. Natively we use the windows groups functionality. If
local machine groups do not suffice for you, you'll need to convince your
admin.
-Lukasz
This posting is provided "AS IS" with no warranties, and confers no rights.
<Michelle@.bwalk.com> wrote in message
news:1106838254.192842.124560@.z14g2000cwz.googlegroups.com...
> Hi guys,
> My sys admin believes that creating these 3 NT groups will make make
> the active directory tough to manage. I think that if these 3 whole
> groups will set the managablilty over the top then perhaps they've got
> other issues, but I'm no sys admin and I'm not privy to how they have
> been setting up the NT user accounts and groups.
> Would you happen to have instructions or documentation on how I add
> roles in RS without referencing corresponding NT groups? All of the
> documentation I have found only deals with NT accounts, and when I gave
> it a try an error was thrown because an account wasn't found. What I
> would like to do is create my own role in RS that I can add the
> existing NT User accounts to.
>
> Thanks again!
> Michelle
>
I would like to create 3 roles in SQL Server 2000 Reporting Services
but do not have corresponding NT groups.
The sys-admin has asked that I do not create these 3 NT groups to use
in Reporting Services, but to find some other way to create these roles
without corresponding NT groups. The 40 or so Users that would be
assigned to these 3 groups have NT user accounts. Does anyone know if
there is a way I can do this? (i hope that all made sense - clear as
mud)
The Books Online state "you must specify domain groups or users", so
I'm assuming this cannot easily be done. I also saw another post in
this forum that said if you do not use NT users/groups you must
implement some sort of custom authentication. Does anyone have a link
to some documentation on this?
Thanks!
MichelleI think you're mixing role and group, but I think I get the gist of what
you're saying.
You can create the roles in RS independent of any groups/users you have.
If you have multiple users to assign these roles to, you really should
create NT groups for them. Otherwise the managment cost just rises too
much. What is the administrator's justification for not allowing you to
create the desired groups? Can you reuse any existing groups?
-Lukasz
This posting is provided "AS IS" with no warranties, and confers no rights.
<Michelle@.bwalk.com> wrote in message
news:1106774994.929964.6650@.z14g2000cwz.googlegroups.com...
> Good Day,
> I would like to create 3 roles in SQL Server 2000 Reporting Services
> but do not have corresponding NT groups.
> The sys-admin has asked that I do not create these 3 NT groups to use
> in Reporting Services, but to find some other way to create these roles
> without corresponding NT groups. The 40 or so Users that would be
> assigned to these 3 groups have NT user accounts. Does anyone know if
> there is a way I can do this? (i hope that all made sense - clear as
> mud)
> The Books Online state "you must specify domain groups or users", so
> I'm assuming this cannot easily be done. I also saw another post in
> this forum that said if you do not use NT users/groups you must
> implement some sort of custom authentication. Does anyone have a link
> to some documentation on this?
>
> Thanks!
> Michelle
>|||Note that you don't have to create groups in the domain. You can have a
local group that you add domain users or domain groups. Then you assign that
group to a role. Then the admin is out of the loop and everyone is happy.
--
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"Lukasz Pawlowski [MSFT]" <lukaszp@.online.microsoft.com> wrote in message
news:OK4btSCBFHA.2584@.TK2MSFTNGP09.phx.gbl...
> I think you're mixing role and group, but I think I get the gist of what
> you're saying.
> You can create the roles in RS independent of any groups/users you have.
> If you have multiple users to assign these roles to, you really should
> create NT groups for them. Otherwise the managment cost just rises too
> much. What is the administrator's justification for not allowing you to
> create the desired groups? Can you reuse any existing groups?
> -Lukasz
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
> <Michelle@.bwalk.com> wrote in message
> news:1106774994.929964.6650@.z14g2000cwz.googlegroups.com...
> > Good Day,
> >
> > I would like to create 3 roles in SQL Server 2000 Reporting Services
> > but do not have corresponding NT groups.
> >
> > The sys-admin has asked that I do not create these 3 NT groups to use
> > in Reporting Services, but to find some other way to create these roles
> > without corresponding NT groups. The 40 or so Users that would be
> > assigned to these 3 groups have NT user accounts. Does anyone know if
> > there is a way I can do this? (i hope that all made sense - clear as
> > mud)
> >
> > The Books Online state "you must specify domain groups or users", so
> > I'm assuming this cannot easily be done. I also saw another post in
> > this forum that said if you do not use NT users/groups you must
> > implement some sort of custom authentication. Does anyone have a link
> > to some documentation on this?
> >
> >
> > Thanks!
> > Michelle
> >
>|||Hi guys,
My sys admin believes that creating these 3 NT groups will make make
the active directory tough to manage. I think that if these 3 whole
groups will set the managablilty over the top then perhaps they've got
other issues, but I'm no sys admin and I'm not privy to how they have
been setting up the NT user accounts and groups.
Would you happen to have instructions or documentation on how I add
roles in RS without referencing corresponding NT groups? All of the
documentation I have found only deals with NT accounts, and when I gave
it a try an error was thrown because an account wasn't found. What I
would like to do is create my own role in RS that I can add the
existing NT User accounts to.
Thanks again!
Michelle|||> My sys admin believes that creating these 3 NT groups will make make
> the active directory tough to manage.
Your admin likely doesn't want to handle the requests to add/'remove people
from the group. Can you think of creative solutions to this problem? Can
s/he assign you the permission to add/remove users from these groups?
> Would you happen to have instructions or documentation on how I add
> roles in RS without referencing corresponding NT groups? All of the
> documentation I have found only deals with NT accounts, and when I gave
> it a try an error was thrown because an account wasn't found. What I
> would like to do is create my own role in RS that I can add the
> existing NT User accounts to.
In RS a role has a particular meaning - it is a set of tasks you can assign
to a user or group on a particular item/scope. RS itself does not have a
groups mechanism. Natively we use the windows groups functionality. If
local machine groups do not suffice for you, you'll need to convince your
admin.
-Lukasz
This posting is provided "AS IS" with no warranties, and confers no rights.
<Michelle@.bwalk.com> wrote in message
news:1106838254.192842.124560@.z14g2000cwz.googlegroups.com...
> Hi guys,
> My sys admin believes that creating these 3 NT groups will make make
> the active directory tough to manage. I think that if these 3 whole
> groups will set the managablilty over the top then perhaps they've got
> other issues, but I'm no sys admin and I'm not privy to how they have
> been setting up the NT user accounts and groups.
> Would you happen to have instructions or documentation on how I add
> roles in RS without referencing corresponding NT groups? All of the
> documentation I have found only deals with NT accounts, and when I gave
> it a try an error was thrown because an account wasn't found. What I
> would like to do is create my own role in RS that I can add the
> existing NT User accounts to.
>
> Thanks again!
> Michelle
>
Sunday, February 26, 2012
Domain User Groups
Hi
Im currently working on a intranet and trying to set up some security. The intranet acesses a SQL server 2000 database. I would like to know if there is a stored procedure(or other way) of returning all the domain groups that a user belongs to when passed the users NT login. I found xp_enumgroups which returns all the groups on the domain and also xp_logininfo which returns the users of a passed domain group. These are usful but i need to just pass the NT username and return all the Domain Groups. Any thoughts, ideas would be great!
CheersI don't know of any way to do this using Microsoft supplied code in SQL Server. The code could certainly be written, but I think it is much easier to do at the client side than on the server.
-PatP
Im currently working on a intranet and trying to set up some security. The intranet acesses a SQL server 2000 database. I would like to know if there is a stored procedure(or other way) of returning all the domain groups that a user belongs to when passed the users NT login. I found xp_enumgroups which returns all the groups on the domain and also xp_logininfo which returns the users of a passed domain group. These are usful but i need to just pass the NT username and return all the Domain Groups. Any thoughts, ideas would be great!
CheersI don't know of any way to do this using Microsoft supplied code in SQL Server. The code could certainly be written, but I think it is much easier to do at the client side than on the server.
-PatP
domain user belonging to multiple windows group
If I have a domain user DOMAIN\user1 who belongs to multiple window groups say DOMAIN\LookupConfigUsers and DOMAIN\AuditConfigUsers. In sqlserver, I would create two logins - DOMAIN\LookupConfigUsers and DOMAIN\AuditConfigUsers and matching users in the database. Then I grant LookupConfig role to the LookupConfigUsers user and AuditConfig role to the AuditConfigUsers user in the database. When DOMAIN\user1 logs in, will it have both roles? I try to set this up but it does not seem to work. The domain user only picks up one of the role. Am I on the right track? If not, what is the proper way to grant multiple roles to a user when it belongs to multiple groups and each group has different privileges in the database.
Based on the scenario you described, DOMAIN\user should be a member of both roles ( LookupConfig role & AuditConfig role). You can use the following script to take a look to the login and user token on the current connection:
SELECT name, type, usage FROM sys.login_token ORDER BY type, name
SELECT name, type, usage FROM sys.user_token ORDER BY type, name
go
In the login token you should be able to look at all the server and Windows groups that are part of the token, while on the user token view you should be able to see the database roles and Windows roles that are part of the context.
The usage column will tell you how each row is used, typically it should be “GRANT OR DENY”, which means that row is being used to evaluate for both granted and denied permissions, while a “DENY ONLY” value means that only denied permissions will be honored.
Please let us know the results of this query. If you see both roles, my guess would be that either LookupConfig or AuditConfgi role has an explicit denied permission that is affecting the permission check.
Thanks a lot,
-Raul Garcia
SDE/T
SQL Server Engine
|||
It works now. It's actually my fault. I had one group defined initially and later when I add the other group, I simply disconnect and reconnect from the Management Studio. It did not pick up the new group. Today, I tried closing the Management Studio and reopen it, and it picks up both groups and roles. Your sql statements above showed me exactly what I expected - domin\user belongs to both LookConfig and AuditConfig Role.
However, I don't understand why it also belongs to the public role?
Also, the login_token output names like -
NT AUTHORITY\Authenticated Users, NT AUTHORITY\INTERACTIVE, NT AUTHORITY\NTLM Authentication, domain\None, \Everyone, etc...
What are these groups?
I am new to sqlserver and windows authentication. Any help would be much appreciated.
|||No problem, we are happy to help.The public role is a role that everyone in the system belongs to, think of the public as “Everyone”. If you grant any permission to public, everyone will get it. This behavior is automatic and cannot be changed.
Regarding the other Windows groups in the login token. To generate the SQL Server login token we take the token from the Windows client connection and get every group from it. You can double check it in Windows using the whoami tool (i.e. whoami /groups).
I hope this information helps. Let us know if you have any further question, we will be glad to help.
Thanks a lot,
-Raul Garcia
SDE/T
SQL Server Engine
Domain Security Groups unable to Browse Report Folders
I am user SQL/RS 2005 on a 2003 Server on a 2000 domain and I have created a
domain security group and added a user to it. I then went into the security
tab of reporting services Home and added the group with the role of Browser.
I then added the same group to a child folder in the same manor. The user
can NOT see any folders or objects to browse and doesn't get the My Reports
folder showing either. If I add one of the builting groups (ssuch as
builtin\users) to the Home folder, all users can see and browse that folder.
The only references I have found say that domain groups should automatically
be enabled when RS is installed. I have had this problem from the beginning.
I even tried adding the user to a local group and adding the local group to
the Home folder and had no luck. If I add the same user explecitly to the
Home and sub-folders, everything works fine.
Does anyone have any idea what might be wrong in my configuration?
I tallked to a colleague who has SAL/RS Dev Edition on an XP machine
attached to a 2003 domain and he has the exact same problem.
This is very frustrating because it is a maintenance nightmare for the site
security.
I did check and the Default Web Site and the Reports and the Report Server
site are set to Windows Authentication and not to allow anonymous access.
Any help will be greatly appreciated.Are you specifying the domain name before the group name? Like
MYDOMAIN\MYGROUPNAME.
"qIjDraco" wrote:
> I am user SQL/RS 2005 on a 2003 Server on a 2000 domain and I have created a
> domain security group and added a user to it. I then went into the security
> tab of reporting services Home and added the group with the role of Browser.
> I then added the same group to a child folder in the same manor. The user
> can NOT see any folders or objects to browse and doesn't get the My Reports
> folder showing either. If I add one of the builting groups (ssuch as
> builtin\users) to the Home folder, all users can see and browse that folder.
> The only references I have found say that domain groups should automatically
> be enabled when RS is installed. I have had this problem from the beginning.
> I even tried adding the user to a local group and adding the local group to
> the Home folder and had no luck. If I add the same user explecitly to the
> Home and sub-folders, everything works fine.
> Does anyone have any idea what might be wrong in my configuration?
> I tallked to a colleague who has SAL/RS Dev Edition on an XP machine
> attached to a 2003 domain and he has the exact same problem.
> This is very frustrating because it is a maintenance nightmare for the site
> security.
> I did check and the Default Web Site and the Reports and the Report Server
> site are set to Windows Authentication and not to allow anonymous access.
> Any help will be greatly appreciated.
>|||What I do is have a local group that I add domain groups and individual
domain users. I have never had to do anything other than add them to the
proper role. It is possible to force a subdirectory from inheriting from the
above directory. Perhaps you have done this?
--
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"qIjDraco" <qIjDraco@.discussions.microsoft.com> wrote in message
news:42C60E14-438A-4D5A-AFB4-698D2DD736A3@.microsoft.com...
>I am user SQL/RS 2005 on a 2003 Server on a 2000 domain and I have created
>a
> domain security group and added a user to it. I then went into the
> security
> tab of reporting services Home and added the group with the role of
> Browser.
> I then added the same group to a child folder in the same manor. The user
> can NOT see any folders or objects to browse and doesn't get the My
> Reports
> folder showing either. If I add one of the builting groups (ssuch as
> builtin\users) to the Home folder, all users can see and browse that
> folder.
> The only references I have found say that domain groups should
> automatically
> be enabled when RS is installed. I have had this problem from the
> beginning.
> I even tried adding the user to a local group and adding the local group
> to
> the Home folder and had no luck. If I add the same user explecitly to the
> Home and sub-folders, everything works fine.
> Does anyone have any idea what might be wrong in my configuration?
> I tallked to a colleague who has SAL/RS Dev Edition on an XP machine
> attached to a 2003 domain and he has the exact same problem.
> This is very frustrating because it is a maintenance nightmare for the
> site
> security.
> I did check and the Default Web Site and the Reports and the Report Server
> site are set to Windows Authentication and not to allow anonymous access.
> Any help will be greatly appreciated.
>|||I tryied using a local group and tried adding my domain users and had no luck
there too.
Is there any special user id / previledges you are running your SQL and RS
services under?
Mine are as follows:
SQL Server: Local System
SQL Server Active Directory Helper: Network Service
SQL Server Agent: Local System
SQL Server Analysis Services: {domain account setup for SQL}
SQL Server Browser: {domain account setup for SQL}
SQL Server FullText Search: Local System
SQL Server Integration Services: Network Service
SQL Server Reporting Services: {domain account setup for SQL}
SQL Server VSS Writer: Local System
qIjDraco
"Bruce L-C [MVP]" wrote:
> What I do is have a local group that I add domain groups and individual
> domain users. I have never had to do anything other than add them to the
> proper role. It is possible to force a subdirectory from inheriting from the
> above directory. Perhaps you have done this?
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services|||Yes, I did specify the domain name before the group name. That is why I am
so confused.
qIjDraco
"SteveIrwin" wrote:
> Are you specifying the domain name before the group name? Like
> MYDOMAIN\MYGROUPNAME.
>|||Did you find the solution because I have the same problem.
Thanks--
Nelson Vega Marrero
Las Vegas Nevada
Tech Result
"qIjDraco" wrote:
> I tryied using a local group and tried adding my domain users and had no luck
> there too.
> Is there any special user id / previledges you are running your SQL and RS
> services under?
> Mine are as follows:
> SQL Server: Local System
> SQL Server Active Directory Helper: Network Service
> SQL Server Agent: Local System
> SQL Server Analysis Services: {domain account setup for SQL}
> SQL Server Browser: {domain account setup for SQL}
> SQL Server FullText Search: Local System
> SQL Server Integration Services: Network Service
> SQL Server Reporting Services: {domain account setup for SQL}
> SQL Server VSS Writer: Local System
> qIjDraco
> "Bruce L-C [MVP]" wrote:
> > What I do is have a local group that I add domain groups and individual
> > domain users. I have never had to do anything other than add them to the
> > proper role. It is possible to force a subdirectory from inheriting from the
> > above directory. Perhaps you have done this?
> >
> > --
> > Bruce Loehle-Conger
> > MVP SQL Server Reporting Services
>|||Did you find the solution because I have the same problem and I do not know
what should I do in oder to fix that.
I'm thinking maybe the RS does not work online with the Active Directory and
once it copy the group it never do it again but I'm not sure
Please anyhelp
--
Nelson Vega Marrero
Las Vegas Nevada
Tech Result
"qIjDraco" wrote:
> I am user SQL/RS 2005 on a 2003 Server on a 2000 domain and I have created a
> domain security group and added a user to it. I then went into the security
> tab of reporting services Home and added the group with the role of Browser.
> I then added the same group to a child folder in the same manor. The user
> can NOT see any folders or objects to browse and doesn't get the My Reports
> folder showing either. If I add one of the builting groups (ssuch as
> builtin\users) to the Home folder, all users can see and browse that folder.
> The only references I have found say that domain groups should automatically
> be enabled when RS is installed. I have had this problem from the beginning.
> I even tried adding the user to a local group and adding the local group to
> the Home folder and had no luck. If I add the same user explecitly to the
> Home and sub-folders, everything works fine.
> Does anyone have any idea what might be wrong in my configuration?
> I tallked to a colleague who has SAL/RS Dev Edition on an XP machine
> attached to a 2003 domain and he has the exact same problem.
> This is very frustrating because it is a maintenance nightmare for the site
> security.
> I did check and the Default Web Site and the Reports and the Report Server
> site are set to Windows Authentication and not to allow anonymous access.
> Any help will be greatly appreciated.
>|||Unfortunately I haven't found the solution yet. I tried chaning the ID
reporting services and SQL were running under, but no change in behavior.
qIjDraco
"Nelson Vega" wrote:
> Did you find the solution because I have the same problem and I do not know
> what should I do in oder to fix that.|||Did you contact microsoft ?
--
Nelson Vega Marrero
Las Vegas Nevada
Tech Result
"qIjDraco" wrote:
> Unfortunately I haven't found the solution yet. I tried chaning the ID
> reporting services and SQL were running under, but no change in behavior.
> qIjDraco
> "Nelson Vega" wrote:
> > Did you find the solution because I have the same problem and I do not know
> > what should I do in oder to fix that.
>|||Did you contact Microsoft about the problem?
--
Nelson Vega Marrero
Las Vegas Nevada
Tech Result
"qIjDraco" wrote:
> Unfortunately I haven't found the solution yet. I tried chaning the ID
> reporting services and SQL were running under, but no change in behavior.
> qIjDraco
> "Nelson Vega" wrote:
> > Did you find the solution because I have the same problem and I do not know
> > what should I do in oder to fix that.
>|||I finally got past this problem. I changed my services to running as shown
below. Now I create a domain security group and add the appropriate users to
it. Then I create a local group on the SQL machine and add the domain group
as the only member of the local group. I then give the local group the
appropriate permission to each folder on the web site (browser, content
manager, admin, etc.). RS properly checks and shows the folders it should to
each user.
Services run as "Network Service":
SQL Server Active Directory Helper
SQL Server Integration Services
Services run as "Local System":
SQL Server FullText Search
SQL Server VSS Writer
Services run as a domain admin ID that I created just for the SQL services:
SQL Server
SQL Server Agent
SQL Server Analysis Services
SQL Server Browser
SQL Server Reporting Services
I think my problem was that some of the services initially installed with
the wrong type of "Log On As" user. Everything seems to be working just fine
for me now.
qIj Draco
--
"Nelson Vega" wrote:
> Did you find the solution because I have the same problem.|||I tried to implement the solutions listed in this thread to no avail.
I have been trying to get my Domain Security Groups to work with SRS for
over a week. The only thing that seems to work is adding the domain user to
the root (home) folder and managing sub-folders with groups. This is a huge
pain when you have 100's of users.
One interesting observation is when I add a test user to our domain and then
add them to the ReportingGroup on our domain, this test-user is allowed to
access what I set forth with groups, without adding them specifically to
reporting services as an individual user. Could some attribute in Active
Directory, that we place on regular users, be blocking the SRS server from
utilizing these regaulr domain users?
I am not an AD expert, nor am I really a network admin, I am just trying to
use tools defined by Microsoft to manage a Microsoft product. This is a
critical issue for us, do you think that if I burn a support ticket they
would be able to resolve this issue? It seems I am not the only one with this
problem!
"Bruce L-C [MVP]" wrote:
> What I do is have a local group that I add domain groups and individual
> domain users. I have never had to do anything other than add them to the
> proper role. It is possible to force a subdirectory from inheriting from the
> above directory. Perhaps you have done this?
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services
>
> "qIjDraco" <qIjDraco@.discussions.microsoft.com> wrote in message
> news:42C60E14-438A-4D5A-AFB4-698D2DD736A3@.microsoft.com...
> >I am user SQL/RS 2005 on a 2003 Server on a 2000 domain and I have created
> >a
> > domain security group and added a user to it. I then went into the
> > security
> > tab of reporting services Home and added the group with the role of
> > Browser.
> > I then added the same group to a child folder in the same manor. The user
> > can NOT see any folders or objects to browse and doesn't get the My
> > Reports
> > folder showing either. If I add one of the builting groups (ssuch as
> > builtin\users) to the Home folder, all users can see and browse that
> > folder.
> >
> > The only references I have found say that domain groups should
> > automatically
> > be enabled when RS is installed. I have had this problem from the
> > beginning.
> > I even tried adding the user to a local group and adding the local group
> > to
> > the Home folder and had no luck. If I add the same user explecitly to the
> > Home and sub-folders, everything works fine.
> >
> > Does anyone have any idea what might be wrong in my configuration?
> >
> > I tallked to a colleague who has SAL/RS Dev Edition on an XP machine
> > attached to a 2003 domain and he has the exact same problem.
> >
> > This is very frustrating because it is a maintenance nightmare for the
> > site
> > security.
> >
> > I did check and the Default Web Site and the Reports and the Report Server
> > site are set to Windows Authentication and not to allow anonymous access.
> >
> > Any help will be greatly appreciated.
> >
>
>
domain security group and added a user to it. I then went into the security
tab of reporting services Home and added the group with the role of Browser.
I then added the same group to a child folder in the same manor. The user
can NOT see any folders or objects to browse and doesn't get the My Reports
folder showing either. If I add one of the builting groups (ssuch as
builtin\users) to the Home folder, all users can see and browse that folder.
The only references I have found say that domain groups should automatically
be enabled when RS is installed. I have had this problem from the beginning.
I even tried adding the user to a local group and adding the local group to
the Home folder and had no luck. If I add the same user explecitly to the
Home and sub-folders, everything works fine.
Does anyone have any idea what might be wrong in my configuration?
I tallked to a colleague who has SAL/RS Dev Edition on an XP machine
attached to a 2003 domain and he has the exact same problem.
This is very frustrating because it is a maintenance nightmare for the site
security.
I did check and the Default Web Site and the Reports and the Report Server
site are set to Windows Authentication and not to allow anonymous access.
Any help will be greatly appreciated.Are you specifying the domain name before the group name? Like
MYDOMAIN\MYGROUPNAME.
"qIjDraco" wrote:
> I am user SQL/RS 2005 on a 2003 Server on a 2000 domain and I have created a
> domain security group and added a user to it. I then went into the security
> tab of reporting services Home and added the group with the role of Browser.
> I then added the same group to a child folder in the same manor. The user
> can NOT see any folders or objects to browse and doesn't get the My Reports
> folder showing either. If I add one of the builting groups (ssuch as
> builtin\users) to the Home folder, all users can see and browse that folder.
> The only references I have found say that domain groups should automatically
> be enabled when RS is installed. I have had this problem from the beginning.
> I even tried adding the user to a local group and adding the local group to
> the Home folder and had no luck. If I add the same user explecitly to the
> Home and sub-folders, everything works fine.
> Does anyone have any idea what might be wrong in my configuration?
> I tallked to a colleague who has SAL/RS Dev Edition on an XP machine
> attached to a 2003 domain and he has the exact same problem.
> This is very frustrating because it is a maintenance nightmare for the site
> security.
> I did check and the Default Web Site and the Reports and the Report Server
> site are set to Windows Authentication and not to allow anonymous access.
> Any help will be greatly appreciated.
>|||What I do is have a local group that I add domain groups and individual
domain users. I have never had to do anything other than add them to the
proper role. It is possible to force a subdirectory from inheriting from the
above directory. Perhaps you have done this?
--
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"qIjDraco" <qIjDraco@.discussions.microsoft.com> wrote in message
news:42C60E14-438A-4D5A-AFB4-698D2DD736A3@.microsoft.com...
>I am user SQL/RS 2005 on a 2003 Server on a 2000 domain and I have created
>a
> domain security group and added a user to it. I then went into the
> security
> tab of reporting services Home and added the group with the role of
> Browser.
> I then added the same group to a child folder in the same manor. The user
> can NOT see any folders or objects to browse and doesn't get the My
> Reports
> folder showing either. If I add one of the builting groups (ssuch as
> builtin\users) to the Home folder, all users can see and browse that
> folder.
> The only references I have found say that domain groups should
> automatically
> be enabled when RS is installed. I have had this problem from the
> beginning.
> I even tried adding the user to a local group and adding the local group
> to
> the Home folder and had no luck. If I add the same user explecitly to the
> Home and sub-folders, everything works fine.
> Does anyone have any idea what might be wrong in my configuration?
> I tallked to a colleague who has SAL/RS Dev Edition on an XP machine
> attached to a 2003 domain and he has the exact same problem.
> This is very frustrating because it is a maintenance nightmare for the
> site
> security.
> I did check and the Default Web Site and the Reports and the Report Server
> site are set to Windows Authentication and not to allow anonymous access.
> Any help will be greatly appreciated.
>|||I tryied using a local group and tried adding my domain users and had no luck
there too.
Is there any special user id / previledges you are running your SQL and RS
services under?
Mine are as follows:
SQL Server: Local System
SQL Server Active Directory Helper: Network Service
SQL Server Agent: Local System
SQL Server Analysis Services: {domain account setup for SQL}
SQL Server Browser: {domain account setup for SQL}
SQL Server FullText Search: Local System
SQL Server Integration Services: Network Service
SQL Server Reporting Services: {domain account setup for SQL}
SQL Server VSS Writer: Local System
qIjDraco
"Bruce L-C [MVP]" wrote:
> What I do is have a local group that I add domain groups and individual
> domain users. I have never had to do anything other than add them to the
> proper role. It is possible to force a subdirectory from inheriting from the
> above directory. Perhaps you have done this?
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services|||Yes, I did specify the domain name before the group name. That is why I am
so confused.
qIjDraco
"SteveIrwin" wrote:
> Are you specifying the domain name before the group name? Like
> MYDOMAIN\MYGROUPNAME.
>|||Did you find the solution because I have the same problem.
Thanks--
Nelson Vega Marrero
Las Vegas Nevada
Tech Result
"qIjDraco" wrote:
> I tryied using a local group and tried adding my domain users and had no luck
> there too.
> Is there any special user id / previledges you are running your SQL and RS
> services under?
> Mine are as follows:
> SQL Server: Local System
> SQL Server Active Directory Helper: Network Service
> SQL Server Agent: Local System
> SQL Server Analysis Services: {domain account setup for SQL}
> SQL Server Browser: {domain account setup for SQL}
> SQL Server FullText Search: Local System
> SQL Server Integration Services: Network Service
> SQL Server Reporting Services: {domain account setup for SQL}
> SQL Server VSS Writer: Local System
> qIjDraco
> "Bruce L-C [MVP]" wrote:
> > What I do is have a local group that I add domain groups and individual
> > domain users. I have never had to do anything other than add them to the
> > proper role. It is possible to force a subdirectory from inheriting from the
> > above directory. Perhaps you have done this?
> >
> > --
> > Bruce Loehle-Conger
> > MVP SQL Server Reporting Services
>|||Did you find the solution because I have the same problem and I do not know
what should I do in oder to fix that.
I'm thinking maybe the RS does not work online with the Active Directory and
once it copy the group it never do it again but I'm not sure
Please anyhelp
--
Nelson Vega Marrero
Las Vegas Nevada
Tech Result
"qIjDraco" wrote:
> I am user SQL/RS 2005 on a 2003 Server on a 2000 domain and I have created a
> domain security group and added a user to it. I then went into the security
> tab of reporting services Home and added the group with the role of Browser.
> I then added the same group to a child folder in the same manor. The user
> can NOT see any folders or objects to browse and doesn't get the My Reports
> folder showing either. If I add one of the builting groups (ssuch as
> builtin\users) to the Home folder, all users can see and browse that folder.
> The only references I have found say that domain groups should automatically
> be enabled when RS is installed. I have had this problem from the beginning.
> I even tried adding the user to a local group and adding the local group to
> the Home folder and had no luck. If I add the same user explecitly to the
> Home and sub-folders, everything works fine.
> Does anyone have any idea what might be wrong in my configuration?
> I tallked to a colleague who has SAL/RS Dev Edition on an XP machine
> attached to a 2003 domain and he has the exact same problem.
> This is very frustrating because it is a maintenance nightmare for the site
> security.
> I did check and the Default Web Site and the Reports and the Report Server
> site are set to Windows Authentication and not to allow anonymous access.
> Any help will be greatly appreciated.
>|||Unfortunately I haven't found the solution yet. I tried chaning the ID
reporting services and SQL were running under, but no change in behavior.
qIjDraco
"Nelson Vega" wrote:
> Did you find the solution because I have the same problem and I do not know
> what should I do in oder to fix that.|||Did you contact microsoft ?
--
Nelson Vega Marrero
Las Vegas Nevada
Tech Result
"qIjDraco" wrote:
> Unfortunately I haven't found the solution yet. I tried chaning the ID
> reporting services and SQL were running under, but no change in behavior.
> qIjDraco
> "Nelson Vega" wrote:
> > Did you find the solution because I have the same problem and I do not know
> > what should I do in oder to fix that.
>|||Did you contact Microsoft about the problem?
--
Nelson Vega Marrero
Las Vegas Nevada
Tech Result
"qIjDraco" wrote:
> Unfortunately I haven't found the solution yet. I tried chaning the ID
> reporting services and SQL were running under, but no change in behavior.
> qIjDraco
> "Nelson Vega" wrote:
> > Did you find the solution because I have the same problem and I do not know
> > what should I do in oder to fix that.
>|||I finally got past this problem. I changed my services to running as shown
below. Now I create a domain security group and add the appropriate users to
it. Then I create a local group on the SQL machine and add the domain group
as the only member of the local group. I then give the local group the
appropriate permission to each folder on the web site (browser, content
manager, admin, etc.). RS properly checks and shows the folders it should to
each user.
Services run as "Network Service":
SQL Server Active Directory Helper
SQL Server Integration Services
Services run as "Local System":
SQL Server FullText Search
SQL Server VSS Writer
Services run as a domain admin ID that I created just for the SQL services:
SQL Server
SQL Server Agent
SQL Server Analysis Services
SQL Server Browser
SQL Server Reporting Services
I think my problem was that some of the services initially installed with
the wrong type of "Log On As" user. Everything seems to be working just fine
for me now.
qIj Draco
--
"Nelson Vega" wrote:
> Did you find the solution because I have the same problem.|||I tried to implement the solutions listed in this thread to no avail.
I have been trying to get my Domain Security Groups to work with SRS for
over a week. The only thing that seems to work is adding the domain user to
the root (home) folder and managing sub-folders with groups. This is a huge
pain when you have 100's of users.
One interesting observation is when I add a test user to our domain and then
add them to the ReportingGroup on our domain, this test-user is allowed to
access what I set forth with groups, without adding them specifically to
reporting services as an individual user. Could some attribute in Active
Directory, that we place on regular users, be blocking the SRS server from
utilizing these regaulr domain users?
I am not an AD expert, nor am I really a network admin, I am just trying to
use tools defined by Microsoft to manage a Microsoft product. This is a
critical issue for us, do you think that if I burn a support ticket they
would be able to resolve this issue? It seems I am not the only one with this
problem!
"Bruce L-C [MVP]" wrote:
> What I do is have a local group that I add domain groups and individual
> domain users. I have never had to do anything other than add them to the
> proper role. It is possible to force a subdirectory from inheriting from the
> above directory. Perhaps you have done this?
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services
>
> "qIjDraco" <qIjDraco@.discussions.microsoft.com> wrote in message
> news:42C60E14-438A-4D5A-AFB4-698D2DD736A3@.microsoft.com...
> >I am user SQL/RS 2005 on a 2003 Server on a 2000 domain and I have created
> >a
> > domain security group and added a user to it. I then went into the
> > security
> > tab of reporting services Home and added the group with the role of
> > Browser.
> > I then added the same group to a child folder in the same manor. The user
> > can NOT see any folders or objects to browse and doesn't get the My
> > Reports
> > folder showing either. If I add one of the builting groups (ssuch as
> > builtin\users) to the Home folder, all users can see and browse that
> > folder.
> >
> > The only references I have found say that domain groups should
> > automatically
> > be enabled when RS is installed. I have had this problem from the
> > beginning.
> > I even tried adding the user to a local group and adding the local group
> > to
> > the Home folder and had no luck. If I add the same user explecitly to the
> > Home and sub-folders, everything works fine.
> >
> > Does anyone have any idea what might be wrong in my configuration?
> >
> > I tallked to a colleague who has SAL/RS Dev Edition on an XP machine
> > attached to a 2003 domain and he has the exact same problem.
> >
> > This is very frustrating because it is a maintenance nightmare for the
> > site
> > security.
> >
> > I did check and the Default Web Site and the Reports and the Report Server
> > site are set to Windows Authentication and not to allow anonymous access.
> >
> > Any help will be greatly appreciated.
> >
>
>
Friday, February 24, 2012
Domain groups in SQL Clustering...
Hi there,
My customer is currently setting up a two node cluster. Since they are
planning to use the same domain account to start all services, they are
wondering if it’s OK to use only one domain group during setup.
If they are using just one service account, are there any specific reasons
to use three different domain groups for a SQL Cluster setup?
Is there any documentation available that analyzes this subject in SQL
Clustering I can refer them to?
Thanks!
Camilo
I think I found the article I was looking for.
Thanks anyway!
Camilo
"Camilo" wrote:
> Hi there,
> My customer is currently setting up a two node cluster. Since they are
> planning to use the same domain account to start all services, they are
> wondering if it’s OK to use only one domain group during setup.
> If they are using just one service account, are there any specific reasons
> to use three different domain groups for a SQL Cluster setup?
> Is there any documentation available that analyzes this subject in SQL
> Clustering I can refer them to?
> Thanks!
> Camilo
>
My customer is currently setting up a two node cluster. Since they are
planning to use the same domain account to start all services, they are
wondering if it’s OK to use only one domain group during setup.
If they are using just one service account, are there any specific reasons
to use three different domain groups for a SQL Cluster setup?
Is there any documentation available that analyzes this subject in SQL
Clustering I can refer them to?
Thanks!
Camilo
I think I found the article I was looking for.
Thanks anyway!
Camilo
"Camilo" wrote:
> Hi there,
> My customer is currently setting up a two node cluster. Since they are
> planning to use the same domain account to start all services, they are
> wondering if it’s OK to use only one domain group during setup.
> If they are using just one service account, are there any specific reasons
> to use three different domain groups for a SQL Cluster setup?
> Is there any documentation available that analyzes this subject in SQL
> Clustering I can refer them to?
> Thanks!
> Camilo
>
Domain Groups For Clustering Service ?? SQL Server 2005
When I install the Cluster with Version of SQL 2005 CTP September ...
After the Service Accounts (Clusters) page,
Domain Groups For Clustering Service Page appears.
How Can i configure this page...there is no information about it on BOL of
SQL 2005
In my opinion , fill them with New SQL Groups is created when SQL Server
Installs such as
SQLServer2005MSSQLUser$InstanceName,SQLServer2005S QLAgentUser$InstanceName
and SQLServer2005MSFTESQLUser$InstanceName.
But in this Phase, those group was not created automatically...
So, I try to generate those groups Manually, but Failed...with error message
like "One or more domain groups could not be verified ..."
And i Try to use Domain Admins...but Failed with same error messages...
i found about BOL directions in "Setup\help\1033" folder like follows
(
For each clustered service in the instance of SQL Server that you are
installing, enter the domain and group name in the format
<DomainName>\<GroupName>, subject to the following guidelines:
The domain and group names must already exist. If necessary, ask your domain
administrator for the names of existing domain groups, or to create domain
groups for your failover cluster.
The account under which SQL Server Setup is running must have privileges to
add accounts to the domain groups.
Each service should use a different domain group.
The SQL Server domain groups should not be shared with any other application.
Note that SQL Server accounts will not be removed from the groups if SQL
Server is uninstalled or if the accounts are changed. A domain administrator
must ensure that all unwanted accounts are removed following removal of SQL
Server.
)
So, I made three domain groups and put into builtin Administratos group.
and then proceed ahead.
Failed with same error messages...
help me...!!!
"JEYAI"?? ??? ??:
> When I install the Cluster with Version of SQL 2005 CTP September ...
> After the Service Accounts (Clusters) page,
> Domain Groups For Clustering Service Page appears.
> How Can i configure this page...there is no information about it on BOL of
> SQL 2005
> In my opinion , fill them with New SQL Groups is created when SQL Server
> Installs such as
> SQLServer2005MSSQLUser$InstanceName,SQLServer2005S QLAgentUser$InstanceName
> and SQLServer2005MSFTESQLUser$InstanceName.
> But in this Phase, those group was not created automatically...
> So, I try to generate those groups Manually, but Failed...with error message
> like "One or more domain groups could not be verified ..."
> And i Try to use Domain Admins...but Failed with same error messages...
|||You need to manually add the service accounts you specify during setup into
the groups before running setup (if you're having this issue - you shouldn't
really have to do this). I had the exact same issue and manually adding the
service account to them worked fine. Generally there will be 3 groups
(SQLServer/Agent + FullText). If you use the same service account for the
services then just add that to each of the 3 domain groups you create.
HTH
Jasper Smith (SQL Server MVP)
http://www.sqldbatips.com
I support PASS - the definitive, global
community for SQL Server professionals -
http://www.sqlpass.org
"JEYAI" <JEYAI@.discussions.microsoft.com> wrote in message
news:79B54E21-BEB4-43E9-9880-7EAFE0FD5F92@.microsoft.com...[vbcol=seagreen]
>i found about BOL directions in "Setup\help\1033" folder like follows
> (
> For each clustered service in the instance of SQL Server that you are
> installing, enter the domain and group name in the format
> <DomainName>\<GroupName>, subject to the following guidelines:
> The domain and group names must already exist. If necessary, ask your
> domain
> administrator for the names of existing domain groups, or to create domain
> groups for your failover cluster.
>
> The account under which SQL Server Setup is running must have privileges
> to
> add accounts to the domain groups.
>
> Each service should use a different domain group.
>
> The SQL Server domain groups should not be shared with any other
> application.
>
> Note that SQL Server accounts will not be removed from the groups if SQL
> Server is uninstalled or if the accounts are changed. A domain
> administrator
> must ensure that all unwanted accounts are removed following removal of
> SQL
> Server.
> )
> So, I made three domain groups and put into builtin Administratos group.
> and then proceed ahead.
> Failed with same error messages...
> help me...!!!
> "JEYAI"? ? ?:
|||Thanks Jasper,
Following your directions,
I made three domain groups named as SQLUsers,AgentUsers,FTUsers
and put them into Built in Administrators group.
and then put the Service Account named as SQLService and administrator
account into three new groups.
But, in the page of Domain Groups For Clustering Service ,
Same Error message occured...
What did i miss ?
"Jasper Smith"?? ??? ??:
> You need to manually add the service accounts you specify during setup into
> the groups before running setup (if you're having this issue - you shouldn't
> really have to do this). I had the exact same issue and manually adding the
> service account to them worked fine. Generally there will be 3 groups
> (SQLServer/Agent + FullText). If you use the same service account for the
> services then just add that to each of the 3 domain groups you create.
> --
> HTH
> Jasper Smith (SQL Server MVP)
> http://www.sqldbatips.com
> I support PASS - the definitive, global
> community for SQL Server professionals -
> http://www.sqlpass.org
> "JEYAI" <JEYAI@.discussions.microsoft.com> wrote in message
> news:79B54E21-BEB4-43E9-9880-7EAFE0FD5F92@.microsoft.com...
>
>
|||The readme file describes this.
In section 3.5.15, there are descriptions of Security Groups and Domain
Controllers.
Microsoft SQL Server September 2005 Community Technology Preview
http://download.microsoft.com/downlo...up_issues_238p
Sincerely,
Anthony Thomas
"JEYAI" <JEYAI@.discussions.microsoft.com> wrote in message
news:5B999CCC-1E77-4F3D-B52B-E34DC95752BA@.microsoft.com...[vbcol=seagreen]
> Thanks Jasper,
> Following your directions,
> I made three domain groups named as SQLUsers,AgentUsers,FTUsers
> and put them into Built in Administrators group.
> and then put the Service Account named as SQLService and administrator
> account into three new groups.
> But, in the page of Domain Groups For Clustering Service ,
> Same Error message occured...
> What did i miss ?
> "Jasper Smith"? ? ?:
into[vbcol=seagreen]
shouldn't[vbcol=seagreen]
the[vbcol=seagreen]
the[vbcol=seagreen]
domain[vbcol=seagreen]
privileges[vbcol=seagreen]
SQL[vbcol=seagreen]
of[vbcol=seagreen]
group.[vbcol=seagreen]
BOL[vbcol=seagreen]
Server[vbcol=seagreen]
SQLServer2005MSSQLUser$InstanceName,SQLServer2005S QLAgentUser$InstanceName[vbcol=seagreen]
messages...[vbcol=seagreen]
After the Service Accounts (Clusters) page,
Domain Groups For Clustering Service Page appears.
How Can i configure this page...there is no information about it on BOL of
SQL 2005
In my opinion , fill them with New SQL Groups is created when SQL Server
Installs such as
SQLServer2005MSSQLUser$InstanceName,SQLServer2005S QLAgentUser$InstanceName
and SQLServer2005MSFTESQLUser$InstanceName.
But in this Phase, those group was not created automatically...
So, I try to generate those groups Manually, but Failed...with error message
like "One or more domain groups could not be verified ..."
And i Try to use Domain Admins...but Failed with same error messages...
i found about BOL directions in "Setup\help\1033" folder like follows
(
For each clustered service in the instance of SQL Server that you are
installing, enter the domain and group name in the format
<DomainName>\<GroupName>, subject to the following guidelines:
The domain and group names must already exist. If necessary, ask your domain
administrator for the names of existing domain groups, or to create domain
groups for your failover cluster.
The account under which SQL Server Setup is running must have privileges to
add accounts to the domain groups.
Each service should use a different domain group.
The SQL Server domain groups should not be shared with any other application.
Note that SQL Server accounts will not be removed from the groups if SQL
Server is uninstalled or if the accounts are changed. A domain administrator
must ensure that all unwanted accounts are removed following removal of SQL
Server.
)
So, I made three domain groups and put into builtin Administratos group.
and then proceed ahead.
Failed with same error messages...
help me...!!!
"JEYAI"?? ??? ??:
> When I install the Cluster with Version of SQL 2005 CTP September ...
> After the Service Accounts (Clusters) page,
> Domain Groups For Clustering Service Page appears.
> How Can i configure this page...there is no information about it on BOL of
> SQL 2005
> In my opinion , fill them with New SQL Groups is created when SQL Server
> Installs such as
> SQLServer2005MSSQLUser$InstanceName,SQLServer2005S QLAgentUser$InstanceName
> and SQLServer2005MSFTESQLUser$InstanceName.
> But in this Phase, those group was not created automatically...
> So, I try to generate those groups Manually, but Failed...with error message
> like "One or more domain groups could not be verified ..."
> And i Try to use Domain Admins...but Failed with same error messages...
|||You need to manually add the service accounts you specify during setup into
the groups before running setup (if you're having this issue - you shouldn't
really have to do this). I had the exact same issue and manually adding the
service account to them worked fine. Generally there will be 3 groups
(SQLServer/Agent + FullText). If you use the same service account for the
services then just add that to each of the 3 domain groups you create.
HTH
Jasper Smith (SQL Server MVP)
http://www.sqldbatips.com
I support PASS - the definitive, global
community for SQL Server professionals -
http://www.sqlpass.org
"JEYAI" <JEYAI@.discussions.microsoft.com> wrote in message
news:79B54E21-BEB4-43E9-9880-7EAFE0FD5F92@.microsoft.com...[vbcol=seagreen]
>i found about BOL directions in "Setup\help\1033" folder like follows
> (
> For each clustered service in the instance of SQL Server that you are
> installing, enter the domain and group name in the format
> <DomainName>\<GroupName>, subject to the following guidelines:
> The domain and group names must already exist. If necessary, ask your
> domain
> administrator for the names of existing domain groups, or to create domain
> groups for your failover cluster.
>
> The account under which SQL Server Setup is running must have privileges
> to
> add accounts to the domain groups.
>
> Each service should use a different domain group.
>
> The SQL Server domain groups should not be shared with any other
> application.
>
> Note that SQL Server accounts will not be removed from the groups if SQL
> Server is uninstalled or if the accounts are changed. A domain
> administrator
> must ensure that all unwanted accounts are removed following removal of
> SQL
> Server.
> )
> So, I made three domain groups and put into builtin Administratos group.
> and then proceed ahead.
> Failed with same error messages...
> help me...!!!
> "JEYAI"? ? ?:
|||Thanks Jasper,
Following your directions,
I made three domain groups named as SQLUsers,AgentUsers,FTUsers
and put them into Built in Administrators group.
and then put the Service Account named as SQLService and administrator
account into three new groups.
But, in the page of Domain Groups For Clustering Service ,
Same Error message occured...
What did i miss ?
"Jasper Smith"?? ??? ??:
> You need to manually add the service accounts you specify during setup into
> the groups before running setup (if you're having this issue - you shouldn't
> really have to do this). I had the exact same issue and manually adding the
> service account to them worked fine. Generally there will be 3 groups
> (SQLServer/Agent + FullText). If you use the same service account for the
> services then just add that to each of the 3 domain groups you create.
> --
> HTH
> Jasper Smith (SQL Server MVP)
> http://www.sqldbatips.com
> I support PASS - the definitive, global
> community for SQL Server professionals -
> http://www.sqlpass.org
> "JEYAI" <JEYAI@.discussions.microsoft.com> wrote in message
> news:79B54E21-BEB4-43E9-9880-7EAFE0FD5F92@.microsoft.com...
>
>
|||The readme file describes this.
In section 3.5.15, there are descriptions of Security Groups and Domain
Controllers.
Microsoft SQL Server September 2005 Community Technology Preview
http://download.microsoft.com/downlo...up_issues_238p
Sincerely,
Anthony Thomas
"JEYAI" <JEYAI@.discussions.microsoft.com> wrote in message
news:5B999CCC-1E77-4F3D-B52B-E34DC95752BA@.microsoft.com...[vbcol=seagreen]
> Thanks Jasper,
> Following your directions,
> I made three domain groups named as SQLUsers,AgentUsers,FTUsers
> and put them into Built in Administrators group.
> and then put the Service Account named as SQLService and administrator
> account into three new groups.
> But, in the page of Domain Groups For Clustering Service ,
> Same Error message occured...
> What did i miss ?
> "Jasper Smith"? ? ?:
into[vbcol=seagreen]
shouldn't[vbcol=seagreen]
the[vbcol=seagreen]
the[vbcol=seagreen]
domain[vbcol=seagreen]
privileges[vbcol=seagreen]
SQL[vbcol=seagreen]
of[vbcol=seagreen]
group.[vbcol=seagreen]
BOL[vbcol=seagreen]
Server[vbcol=seagreen]
SQLServer2005MSSQLUser$InstanceName,SQLServer2005S QLAgentUser$InstanceName[vbcol=seagreen]
messages...[vbcol=seagreen]
Domain groups disabled by default. how to enable them by default?
Hello,
I notticed that to add a domain global group to a role, you first have to enable this type of object.
Also, I did convert a few cubes from 2000. I have a lot of domain groups associated with a lot of roles, the problem here is that the membership shows a UID instead of the group name because the group object is disabled.
1) How could I have the domain group object enabled by default in a new cube
2) How could I have te domain group object enabled in all existing roles so the system would be able to resolve them?
3) Where would be the place to find documentation and examples for the replacement of the old DSO that I was using to script my 2000 cubes.
Thanks,
Philippe
I beleive you a bit mistaken with what is going on.
The membership pane in Roles editor is invoking OS dialog when you try to add a user to a role. That is the same dialog you will see when you for instance try to change folder permissions in your hard drive.
What you can do is to open your database in SQL Management studio, click on the role you interested and then click on the Script. You will see XMLA script that you can use to change memebership in the role. You can manually change it to update group names. Analysis Server is agnostic to the name of the member. It will try to resolve it using windows API. Make sure you use domainname\username or domainname\groupname for members names in a role.
In Analysis Serivces 2005 you will use AMO object model to mange objects. But if you need a simple scripting solution, you might be fine with just using XMLA scripts.
Edward.
--
This posting is provided "AS IS" with no warranties, and confers no rights
Domain Groups and Windows Authentication
Hi
We are planning implementation of a currently Sybase db. The users (about 3600) will be i 5 domains and we want single sign-on through trusted connections. We want to use the database roles to define different user access on databases and tables. There will be around 2000 roles. We also want to add the users directly to the database roles without having to grant each user database access.
So I thought that I could add the user groups from all domains and then add each domain user account to specified database roles. Am I right here or what? The Windows authentication will lookup or check the users kerberos ticket during logon process and allow logon.
The documentation here is weak and I assume it's a windows authentication question but wondered if any of you guys had been down the same road.
For creating the groups I have the following options:
Create a domain group and put all the usergroups from the other domains in this group
Add user groups from all other domains directly into the SQL Server.
Any recommendations here?
YOu don′t need to add the single users to the database. If you put the domain groups (which contain the users) to the server and the database principles, SQL Server will take care of doing the authentication.
HTH, Jens K. Suessmeyer.
http://www.sqlserver2005.de
HI,
If you are adding your domain groups to your SQL Server and grant them to allow access of DB/objects then Windows Server will take care of logins to SQL Server tooo do not need to do anything separately.
Sunday, February 19, 2012
Domain Accounts
Is it possible to assign users to Active Directory groups
and have this one group account granted access in the
database with the appropriate permissions. As oppose to
having many individual Windows domain accounts.
Thanks,
AngelinaHi angelina
You can grant a login to a group as well as individuals see the
documentation for sp_grantlogin in Books online.
If you allow access to the group all member will have that permission and
therefore it is easier to administer.
John
"angelina" <anonymous@.discussions.microsoft.com> wrote in message
news:43f901c42b7f$249f7f10$a101280a@.phx.gbl...
> Is it possible to assign users to Active Directory groups
> and have this one group account granted access in the
> database with the appropriate permissions. As oppose to
> having many individual Windows domain accounts.
> Thanks,
> Angelina
and have this one group account granted access in the
database with the appropriate permissions. As oppose to
having many individual Windows domain accounts.
Thanks,
AngelinaHi angelina
You can grant a login to a group as well as individuals see the
documentation for sp_grantlogin in Books online.
If you allow access to the group all member will have that permission and
therefore it is easier to administer.
John
"angelina" <anonymous@.discussions.microsoft.com> wrote in message
news:43f901c42b7f$249f7f10$a101280a@.phx.gbl...
> Is it possible to assign users to Active Directory groups
> and have this one group account granted access in the
> database with the appropriate permissions. As oppose to
> having many individual Windows domain accounts.
> Thanks,
> Angelina
Subscribe to:
Posts (Atom)