Showing posts with label group. Show all posts

Monday, March 19, 2012

Location for audit logs?

Hi,
I saw in this or the SQL Server Security news group that it's recommended to
store auditing logs on an unused disk drive because auditing logs could grow
wildly. But based on this article
http://www.microsoft.com/technet/security/prodtech/sqlserver/sql2kaud.mspx,
SQL Server doesn't let you log auditable events to an alternative location.
<QUOTE>After you enable C2 auditing for the default database or for an
instance, the database server will log all activity to the data directory
that you specified during the installation process. (SQL Server doesn't let
you log auditable events to an alternative location.) This directory holds
the databases that SQL Server initially created. This directory is also the
default location for all new databases and their transaction log
files.</QUOTE>
Now I'm confused. I have data/transaction logs on one drive, I'm planning
to add additional disk drive specifically for auditing. Is it possible to
direct auditing logs to the new drive?
Thanks,
Bing

Hi Bing
"bing" wrote:

> Hi,
> I saw in this or the SQL Server Security news group that it's recommended to
> store auditing logs on an unused disk drive because auditing logs could grow
> wildly. But based on this article
> http://www.microsoft.com/technet/security/prodtech/sqlserver/sql2kaud.mspx,
> SQL Server doesn't let you log auditable events to an alternative location.
>
> <QUOTE>After you enable C2 auditing for the default database or for an
> instance, the database server will log all activity to the data directory
> that you specified during the installation process. (SQL Server doesn't let
> you log auditable events to an alternative location.) This directory holds
> the databases that SQL Server initially created. This directory is also the
> default location for all new databases and their transaction log
> files.</QUOTE>
> Now I'm confused. I have data/transaction logs on one drive, I'm planning
> to add additional disk drive specifically for auditing. Is it possible to
> direct auditing logs to the new drive?
> Thanks,
> Bing
If you change the default data and log directories in the Database
properties task in Enterprise Manager on the properties page of the instance
(right click) do new audit files get created there (you may need to restart)?
If not you can move the databases away from this location using
sp_detach_db/sp_attach_db or backup/restore see
http://support.microsoft.com/kb/314546. When you do the initial install, the
default location is the system disc e.g. C:\Program Files\Microsoft SQL
Server... this should be changed as filling up the system disc with audit
logs will make the system unusable.
You can move system databases (possibly to different spindles!) as well as
user databases http://support.microsoft.com/kb/224071/ and using different
discs for full text catalogs will also be a way of improving performance
http://support.microsoft.com/kb/240867/ Database data files and log files
should be on separate drive arrays as they perform different types of I/O
http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sqlIObasics.mspx
You should also consider what RAID level and resilience you require for
these disc subsystems.
John

Monday, March 12, 2012

Localization and BUILTIN groups

Is there a synonym for the group BUILTIN\Users which can be used for GRANT ... TO and sp_grantlogin/sp_grantdbaccess, but which will work on localized computers?

I have a number of automated unit tests I wish to run on two different computers. The process involves recreating a database if it does not exist and then granting access and privileges to the BUILTIN\Users group.

The problem is that one computer is installed with a Swedish Windows XP Professional (the users group is called BUILTIN\Användare) and the other is an English WinXP MCE (the group is called BUILTIN\Users) so I cannot easily script this.

An alternative is to be able to retrieve the respective name through a .NET class or the Windows API.

Is any of this possible?

Thanks,
Johan

Synonyms can be used only for securables residing inside a schema, not principals or users.

You can, however, rename a login to a more friendly name inside a database using sp_grantdbaccess.

Examples

This example adds an account for the Windows NT user Corporate\GeorgeW to the current database and gives it the name Georgie.

EXEC sp_grantdbaccess 'Corporate\GeorgeW', 'Georgie'

|||So there's no way to refer to BUILTIN\Users without knowing what language OS the machine has installed?

This works on an English OS only:
execute sp_grantlogin [BUILTIN\Users];
execute sp_grantdbaccess [BUILTIN\Users];

.. and this on a Swedish OS:
execute sp_grantlogin [BUILTIN\Användare];
execute sp_grantdbaccess [BUILTIN\Användare];
|||

Run both statements and put them in a try...catch block.

I mean, use error handling.

|||Good thinking!
Thanks|||

Actually you don't need to use try..catch at all. All Windows operating systems have a certain number of well-known groups / users. These are universal and the SIDs for those are also the same across machines/Windows OSes. So in your case, just do the following:

-- S-1-5-32-544 (BUILTIN\Administrators): resolve the localized name from the SID
declare @builtin_admins nvarchar(128)

set @builtin_admins = suser_sname(0x01020000000000052000000020020000)

exec sp_grantdbaccess @builtin_admins

-- S-1-5-32-545 (BUILTIN\Users); suser_sname is the function that accepts a binary SID
declare @builtin_users nvarchar(128)

set @builtin_users = suser_sname(0x01020000000000052000000021020000)

exec sp_grantdbaccess @builtin_users

The SID values are the well-known values that will not change and you can use that to lookup the name. This will not work for user-defined groups.
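
How the two hex literals in the answer above correspond to the well-known SIDs S-1-5-32-544 and S-1-5-32-545, as an added example that is not part of the original post. The function names are hypothetical, and the codec goes slightly beyond the post by also handling S-1-5-18 (Local System), which appears elsewhere on this page.

```python
import struct

# Binary SID layout used by Windows and by SQL Server's varbinary SIDs:
#   byte 0      revision (always 1 today)
#   byte 1      number of sub-authorities (max 15)
#   bytes 2-7   identifier authority, 48-bit big-endian
#   then        one 32-bit little-endian integer per sub-authority


def sid_to_bytes(sid: str) -> bytes:
    """Encode a string SID such as 'S-1-5-32-545' into its binary form."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    try:
        revision, authority = int(parts[1]), int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError("non-numeric SID component in %r" % sid)
    if not 0 <= revision <= 0xFF:
        raise ValueError("revision out of range")
    if not 0 <= authority < (1 << 48):
        raise ValueError("identifier authority out of range")
    if len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("bad sub-authority list")
    header = struct.pack("BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID; rejects truncated or padded input."""
    if len(raw) < 8:
        raise ValueError("binary SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def tsql_literal(sid: str) -> str:
    """Render a SID as the 0x... literal that suser_sname() accepts."""
    return "0x" + sid_to_bytes(sid).hex().upper()


# The two literals quoted in the post, plus Local System (added here).
POST_LITERALS = {
    "0x01020000000000052000000020020000": "S-1-5-32-544",  # local Administrators
    "0x01020000000000052000000021020000": "S-1-5-32-545",  # local Users
}

if __name__ == "__main__":
    for literal, expected in POST_LITERALS.items():
        decoded = bytes_to_sid(bytes.fromhex(literal[2:]))
        print(literal, "->", decoded, "(matches)" if decoded == expected else "(MISMATCH)")
    print("Local System:", tsql_literal("S-1-5-18"))
```

Decoding a literal before pasting it into a grant script confirms which principal it names, independent of the OS language.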

|||That does it for me.
Thanks a million.

Friday, March 9, 2012

LocalAdmins, LocalSystem, and the sysadmin role

During SQL Server 2005 installation, several logins are added to the
sysadmin role including:
- local administrator group (BUILTIN\Administrators),
- Local System (NT AUTHORITY\SYSTEM), and
- sa.
A common hardening practice is to later remove the local administrator group
from the sysadmin role, thereby separating server administration from DBMS
administration. However, I don't recall ever seeing the recommendation to
also remove the LocalSystem account from the sysadmin role.
Has anyone seen recommendations to remove BOTH local administrators and
LocalSystem from the sysadmin role for hardening purposes, and - if this
were to be done - what are the consequences?
Thanks in advance (and apologies for re-posting in hopes of a response),
Drew

Hello Drew,
Yes, generally we remove the local administrator group from the sysadmin role, which
actually prevents those who have system admin privileges on the server
from accessing SQL Server.
Now personally I prefer not to remove Local System as I was facing a problem
while using full-text search. Please refer to the following Microsoft
article.
http://support.microsoft.com/kb/317746
Hope this will help you.
Regards,
MB
"DHamre" <dhamre@.comcast.net> wrote in message
news:%23Au%23cyMMHHA.3424@.TK2MSFTNGP02.phx.gbl...
> During SQL Server 2005 installation, several logins are added to the
> sysadmin role including:
> - local administrator group (BUILTIN\Administrators),
> - Local System (NT AUTHORITY\SYSTEM), and
> - sa.
> A common hardening practice is to later remove the local administrator
> group from the sysadmin role, thereby separating server administration
> from DBMS administration. However, I don't recall ever seeing the
> recommendation to also remove the LocalSystem account from the sysadmin
> role.
> Has anyone seen recommendations to remove BOTH local administrators and
> LocalSystem from the sysadmin role for hardening purposes, and - if this
> were to be done - what are the consequences?
> Thanks in advance (and apologies for re-posting in hopes of a response),
> Drew
>

Friday, February 24, 2012

Local group permissions

Hi,
Is it possible to grant role assignment to report server local groups in
SSRS 2000? if so, how? I can't do it.
Thanks
Alex

I managed to set local group policy only by adding the users to a
server-level group and then assign that group permissions. The same can be
done by adding individual accounts to the server itself, but I was unable to
create groups within RS itself.
Hope this assists,
"Alex" wrote:
> Hi,
> Is it possible to grant role assignment to report server local groups in
> SSRS 2000? if so, how? I can't do it.
> Thanks
> Alex
>
|||Is it possible to restrict group rights per report using domain groups?
If I want a particular user to be able to view one or two reports and those
alone without viewing other reports, how would I attempt this. Say I want
only Sales see the sales reports, payroll to see only payroll, Tech Support
to see Tech Support and etc...
is this possible?
Regards,
Samson
"Logicalman" wrote:
> I managed to set local group policy only by adding the users to a
> server-level group and then assign that group permissions. The same can be
> done by adding individual accounts to the server itself, but I was unable to
> create groups within RS itself.
> Hope this assists,
|||Samson,
Yes, you simply add the user to the group having permission on that report.
Be aware though, that by adding the user to that group he/she will then be
able to view ALL reports that particular group has permissions to.
example.
Report 1
Report 2
Report 3
Report 4
Group A
Group B
If Group A is given permission to browse Reports 1 and 2, and Group B is
given permission to view Reports 2,3 and 4.
By adding User X to Group A, he/she will have access to Reports 1 and 2, by
adding User Z to Group B he/she will have access to Reports 2,3 and 4.
If you want User Y to view Report 2 only, and no other Reports, then you
will need to either add that user directly to Report 2, or create a new Group
C, and assign permissions to Group C to view Report 2.
Again, such Groups may be part of the Active Directory or the Server.
I hope this clears up any ambiguity.
"Samson" wrote:
> Is is possible to restrict group rights per report using domain groups.
> If I want a particular user to be able to view one or two reports and those
> alone without viewing other reports, how would I attempt this. Say I want
> only Sales see the sales reports, payroll to see only payroll, Tech Support
> to see Tech Support and etc...
> is this possible?
>
> --
> Regards,
> Samson
|||That is good news. I guess my question is how. I created 3 users groups,
sales, techs, payroll.
How do I set the permission on the particular folder that holds the reports?
Regards,
Samson
"Logicalman" wrote:
> Samson,
> Yes, you simply add the user to the group having permission on that report.
> Be aware though, that by adding the user to that group he/she will then be
> able to view ALL reports that particular group has permissions to.
> example.
> Report 1
> Report 2
> Report 3
> Report 4
> Group A
> Group B
> If Group A is given permission to browse Reports 1 and 2, and Group B is
> given permission to view Reports 2,3 and 4.
> By adding User X to Group A, he/she will have access to Reports 1 and 2, by
> adding User Z to Group B he/she will have access to Reports 2,3 and 4.
> If you want User Y to view Report 2 only, and no other Reports, then you
> will need to either add that user directly to Report 2, or create a new Group
> C, and assign permissions to Group C to view Report 2.
> Again, such Groups may be part of the Active Directory or the Server.
> I hope this clears up any ambiguity.
|||I think after reading your post again I can set the permission within the
report as well. I think I understand now.
Regards,
Samson
"Samson" wrote:
> That is good news. I guess my question is how. I created 3 users groups,
> sales, techs, payroll.
> How do I set the permission on the particular folder that holds the reports?
>
> --
> Regards,
> Samson

local computer Admin through AMO?

Hi everybody.

I know that members of the Administrators local group of the local computer where SQL Server 2005 is installed are automatically members of the server role in an instance of Analysis Services.

My problem is that in my application, through AMO I am able to see the Analysis Services server administrators added explicitly in the server role, but am not able to obtain also the ones who are AS server administrators because they inherit from the Administrators local group.

Can anyone suggest how to obtain this list as well, through AMO, ADOMD.NET or something else?

Thank you so much.

Your statement "members of the Administrators local group of the local computer where SQL Server 2005 is installed are automatically members of the server role" is not entirely correct.

Yes, members of the local Administrators group are AS admins, but that is not through membership in the server role. Actually after installation the server role membership is empty. The local Administrators are just given the admin right to AS, bypassing the server role membership.

You can use server property BuiltinAdminsAreServerAdmins to revoke rights of local admins.

Edward Melomed.
--
This posting is provided "AS IS" with no warranties, and confers no rights.

|||

Thank you very much for your kind answer.

Actually the property BuiltinAdminsAreServerAdmins is very useful for us to check if the local admins are also AS admins or not.

Our application wouldn't like to prevent this behaviour, but simply needs to retrieve all the AS admins: both the ones added in the server role and the ones who have the admin rights bypassing the server role membership, because they inherit from the local group, if BuiltinAdminsAreServerAdmins is set to True.

Could you suggest a way? Maybe we should directly extract the members of the local admin group? Do you know a way to do this, because I am not aware of such an instruction (we are using C#).

Thank you very much.

|||

Yes, you would have to query for the membership in the local admin group.

Some simple search should give you quite a few C# samples like this one http://www.thecodeproject.com/csharp/groupandmembers.asp. I am sure you would find more.

Edward Melomed.
--
This posting is provided "AS IS" with no warranties, and confers no rights.

Monday, February 20, 2012

local administrators group and domain administrators group

What is the difference between local administrators group and domain
administrators group?

Members of the local administrators group are administrators
for that individual local server.
Members of the domain administrators group are
administrators for the domain (not just the one server).
-Sue
On Mon, 3 Oct 2005 20:37:03 -0700, Joe
<Joe@.discussions.microsoft.com> wrote:

>What is the difference between local administrators group and domain
>administrators group?

Local Admin Rights

Quick question...
Are members of the servers local admins group by default
members of the sysadmins role?
If so, does a login account still need to be made on the
sql server in order for that user to function properly
within sql?
thanks.

Hi,
Yes, by default BUILTIN\Administrators will have the 'sysadmin' SQL
Server server role.
Obviously you can use this account to access sql server.
Since this user is powerful it is not safe to provide this Login id to
Developers. So is always advisable to create a group specifically meant for
developers with less privileges.
Thanks
Hari
MCDBA
"JRD" <anonymous@.discussions.microsoft.com> wrote in message
news:98ca01c3ea6f$05b73cb0$a601280a@.phx.gbl...
> Quick question...
> Are members of the servers local admins group by default
> members of the sysadmins role?
> If so, does a login account still need to be made on the
> sql server in order for that user to function properly
> within sql?
> thanks.

Local Admin group necessary for DBA's?

Assume that the DBA's windows login is in the sysadmin fixed server role, if
a DBA uses Windows Authentication to manage a SQL Server Enterprise
(6.5,7.0,200), are there any problems with removing the DBA's account from
the local administrators group of each SQL Server?
Any supporting documentation or articles for removing the DBA from the admin
Group?
Any expected annoyances for the DBA?

Hi,
You can't restrict the OS administrators fully, because they have full
rights on all folders and registry keys in which SQL server resides.
But, you can restrict them to an extent by removing "System Admin" role
from BUILTIN/ADMINISTRATORS account.
" I had problems in the below when I removed "Sysadmin role" from
BUILTIN/Administrators. So I have given back the sysadmin role to solve the
issue.
1. FULL Text Indexing
2. Maintenance Plans
So do a test in test server for couple of weeks and then implement in
Production server.
Known issues after removal , Some things to be aware of:
Q237604 PRB: SQL Server Agent Does Not Start and Displays Error 18456
Q295034 FIX: MSSearch Takes 100% CPU if BUILTIN\Administrators Removed
Q317746 PRB: SQL Server Full-Text Search Does Not Populate Catalogs "
Did I answer your question?
Thanks
Hari
SQL Server MVP
"Johnnie Scott" <JohnnieScott@.discussions.microsoft.com> wrote in message
news:84A82B7C-6244-45C1-94A2-C64DE85C31FD@.microsoft.com...
> Assume that the DBA's windows login is in the sysadmin fixed server role,
> if
> a DBA uses Windows Authentication to manage a SQL Server Enteriprise
> (6.5,7.0,200), are there any problems with removing the DBA's account from
> the local administrators group of each SQL Server?
> Any supporting documentation or articles for removing the DBA from the
> admin
> Group?
> Any expected annoyances for the DBA?
|||No, the question I'm really trying to answer is regarding removing the DBA's
windows account from the Local Administrators Group on the server.
"Hari Prasad" wrote:

> Hi,
> You can't restrict the OS administrators fully, because they have full
> rights on all folders and registry keys in which SQL server resides.
> But, you can restrict them to an extent by removing "System Admin" role
> from BUILTIN/ADMINISTRATORS account.
>
> " I had problems in the below when I removed "Sysadmin role" from
> BUILTIN/Administrators. So I have given back the sysadmin role to solve the
> issue.
> 1. FULL Text Indexing
> 2. Maintenance Plans
> So do a test in test server for couple of weeks and then implement in
> Production server.
> Known issues after removal , Some things to be aware of:
> Q237604 PRB: SQL Server Agent Does Not Start and Displays Error 18456
> Q295034 FIX: MSSearch Takes 100% CPU if BUILTIN\Administrators Removed
> Q317746 PRB: SQL Server Full-Text Search Does Not Populate Catalogs "
> Did I answer your question?
> --
> Thanks
> Hari
> SQL Server MVP
> "Johnnie Scott" <JohnnieScott@.discussions.microsoft.com> wrote in message
> news:84A82B7C-6244-45C1-94A2-C64DE85C31FD@.microsoft.com...
>
|||We have this situation on some servers and it works to varying degrees.
There are "annoyances" - you have to work closely with the Windows admins to
define the required shares so that the DBA's can manage database
files,backups,logs etc. Management of a server "by committee" is tricky so
make sure you have the processes in place for the windows + sql admins to be
able to do their jobs. And remember that if the SQL Server Service account
is a member of the local admins group on the server so are the DBA's (via
xp_cmdshell) regardless of whether they are in the local admins group or not.
HTH
Jasper Smith (SQL Server MVP)
http://www.sqldbatips.com
I support PASS - the definitive, global
community for SQL Server professionals -
http://www.sqlpass.org
"Johnnie Scott" <JohnnieScott@.discussions.microsoft.com> wrote in message
news:84A82B7C-6244-45C1-94A2-C64DE85C31FD@.microsoft.com...
> Assume that the DBA's windows login is in the sysadmin fixed server role,
> if
> a DBA uses Windows Authentication to manage a SQL Server Enteriprise
> (6.5,7.0,200), are there any problems with removing the DBA's account from
> the local administrators group of each SQL Server?
> Any supporting documentation or articles for removing the DBA from the
> admin
> Group?
> Any expected annoyances for the DBA?