I have a test environment set up at home with a small windows server 2003 Active Directory domain. I created a windows security group on the dc and added myself and another user to the group. I then use this group as a login for SQL Server and add the login to the sysadmin server role. This works exactly as I would expect on the Windows Server computer (which is also the Domain Controller) regardless of which computer I use to connect to this Windows Server computer. However, when I set up the exact same login on the local sql server instance of my client laptop running windows xp pro, the I get an error message (Login failed for user MYDOMAIN\dgolds...) when I attempt to connect to the local instance of SQL server, even though I am able to connect to the instance on the domain controller with no problems using this same client laptop under the same user account. The only way I am able to connect locally on the laptop under this account (which does not have local admin privileges on any box, for testing purposes) is to add the user account separately as a login, rather than as part of a group. I'm curious as to why being a member of a security group that is part of the sysadmin server role does not allow me to connect to the local instance of SQL Server on this client laptop. The windows server computer is running SQL2k5 Enterprise, and the client laptop is running SQL2k5 developer. Any insight into this would be appreciated.
Thanks,
Dave
Let's focus on the laptop for a moment, becuase that seems to be where your question is. Is all this true?
1. You have an instance of SQL Server on the laptop
2. You have a user (UserA) in a Windows group (GroupA)
3. The Windows Group (GroupA) has been added as a login to SQL Server as a Windows account
4. When UserA tries to log in to the local instance of SQL Server on the laptop, they can't get in
5. If you add UserA to the local Instance of SQL Server on the laptop, they can get in
Do I have all that right?
|||All of that is correct.
Thanks,
-Dave
|||Then let me ask a few more questions:
1. Is the user a domain Windows user?
2. Which service accounts did you use to start SQL Server on the laptop? Are they starting with a user account or the localsystem account?
|||The user is a domain Windows user. Originally the laptop was using the local system account as its service account, but I thought that might be the problem so I tried using the same service account (a domain user account that I configured specifically as a SQL Server Service Account) that I use on the server, but unfortunately I got the same results.
Thanks,
-Dave
|||OK - I think we're getting closer. I'm going to assume the laptop is on the domain, since you say you've added that Windows group to SQL Server as a login. Does the account that you are starting SQL Server with on the laptop have the ability to resolve network names?
To help investigate your problem, make sure you check the logs the system creates. You can read more about that here:
http://www.informit.com/guides/content.asp?g=sqlserver&seqNum=242&rl=1
|||The laptop is definitely on the domain. As far as the account that I am starting SQL Server with on the laptop having the ability to resolve network names, I'm not sure-how would I find that out?
Thanks,
Dave
|||I'm sure there's an easier way, but I normally just log on as that user, create a local group and then try to add someone from the domain to that local group.|||Hi,
The SQL Server Service Account that I'm using does have the ability to resolve network names on the laptop.
Thanks,
-Dave
|||Very odd. At this point, it sounds like you're doing everything properly. It has to be something to do with the security policies on that machine, but without access to it I'm afraid it would take a lot of back-and-forth to figure out where it is. I would suggest checking the logs for the system, using the techniques I outline in this guide:
http://www.informit.com/guides/content.asp?g=sqlserver&seqNum=242&rl=1
If that doesn't help point out the issue, then you may have to open a support call so that someone can gain access to your machine. sorry that I couldn't be more help here.
|||Dave, I don't know if this will help, but could you check the error message for the login failure in the ERRORLOG file and post here the two lines that describe the state and message of the error?
Thanks
Laurentiu
Thanks for all the suggestions. It turns out that there was something going on with this group (I'm not sure what). I created another group in the same Active Directory location with the same users as members and it works fine.
Thanks,
-Dave
No comments:
Post a Comment