MediaPirate
Yak Posting Veteran
52 Posts
Posted - 2007-05-30 : 13:45:01
We're building out a new SQL cluster and I'm working with our AD team to develop a secure environment using Windows Authentication only. I have created three "Global AD Groups": "SQL Admins", "SQL Read Only", "SQL Service Accounts". The AD guys receive a request to add users to the groups and the DBAs grant SQL roles to the accounts which map through the groups. So, in SQL security the 3 groups exist with the Admin group being assigned to the SA SQL role. The DBAs have their AD domain accounts added as members to the SQL Admins group and that group is added to SQL with the "SA role".

The real question :-) We use service accounts s-application to connect our application boxes to their respective SQL databases. If the service Global Group exists in SQL Logins, and the AD account is a member of the Group, how would the DBAs grant "database roles" to the AD accounts in the group? Wouldn't they just issue GRANT statements? I've detailed our setup better below.

SQL Admins Container - SQL Admins - AD Account
SQL SERVER - SQL Admins Container (Granted SQL server SA Role)
Database - AD account (Granted DBO rights)
rmiao
Master Smack Fu Yak Hacker
7266 Posts
Posted - 2007-05-30 : 16:40:30
You can only grant permission to a SQL login; it's the AD group in this case.
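The approach in the reply above, sketched as an added T-SQL example that is not part of the original thread: each AD group gets one login, and database roles are granted to the group's database user, not to individual AD accounts. The domain `CONTOSO`, the database `AppDb` and the role `app_rw` are placeholder names assumed for illustration; the group names come from the question.

```sql
-- Added example. CONTOSO, AppDb and app_rw are placeholders (assumptions);
-- "SQL Service Accounts" and "SQL Read Only" are the groups named in the question.
-- Syntax is valid on SQL Server 2005 and later.
USE master;
GO
-- One server login per AD group; individual AD accounts get no login of their own.
CREATE LOGIN [CONTOSO\SQL Service Accounts] FROM WINDOWS;
CREATE LOGIN [CONTOSO\SQL Read Only] FROM WINDOWS;
GO

USE AppDb;
GO
-- Map each group login to a database user in the application database.
CREATE USER [CONTOSO\SQL Service Accounts] FOR LOGIN [CONTOSO\SQL Service Accounts];
CREATE USER [CONTOSO\SQL Read Only] FOR LOGIN [CONTOSO\SQL Read Only];
GO

-- Read-only group: a fixed database role is enough.
EXEC sp_addrolemember N'db_datareader', N'CONTOSO\SQL Read Only';

-- Service accounts: a custom role holding only what the application needs,
-- rather than db_owner.
CREATE ROLE app_rw;
GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::dbo TO app_rw;
EXEC sp_addrolemember N'app_rw', N'CONTOSO\SQL Service Accounts';
GO

-- Review: which database principals hold which roles
-- (the groups appear with type_desc = WINDOWS_GROUP).
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
ORDER BY r.name, m.name;

-- Review: which AD accounts currently reach the server through the group.
EXEC master.dbo.xp_logininfo N'CONTOSO\SQL Service Accounts', 'members';
```

Every AD account in a group inherits whatever that group's database user is granted, so service accounts that should not see each other's databases need separate AD groups, each mapped to its own database.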