Sql – what permissions does a user require to query AD from SQL Server

active-directorysql

Have created a linked server to active directory from SQL Server but getting a permission denied error when I try to query anything.

Under the security options for the linked server I have specified the connection to use a domain account which can query AD from powershell.

Should this account have any special permissions?

EDIT:

This is the error message I'm receiving from SQL

The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported
an error. The provider indicates that the user did not have the
permission to perform the operation.

Best Answer

As you discovered using Powershell, unless changed, normal, authenticated, non-admin user accounts have the right to search & Read AD. No reason to believe this would be different from a SQL server. Sounds like there is a config issue with the SQL or script.

Related Solutions

How to Add the Current Admin User to SQL Server Express 2008

It is possible that your Windows admin account doesn't have admin rights - it depends what you set up. You'll need to login with an account that does have rights, or, log in as the sa user.

If you don't have SQL authentication enabled you can activate it with a registry tweak. I think this is the right key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\<<instance name>>\MSSQLServer\Loginmode

It should be set to mixed mode (2) but of course you still need to know what the sa password was when you installed the instance.

Why Removing ‘EVERYONE’ Group Blocks Domain Admins from Drive Access

I have noticed this myself. What happens, is that UAC kicks in because you are using your "local administrators" membership to gain access to the drive, and this is excatly what UAC monitors for.

For file servers, my personal best practice is to never use the "Administrators" group to provide permissions for users.

Try this: Create an AD group called "FileServerAdmins" or whatever, add your user (or domain admin group) to it. Give this group access to the D-drive with the same permissions as the existing Administrators group.

You should notice that even after removing the "Everyone" permission any members of the "FileServerAdmins" group should still have access to the drive, without getting the UAC prompt.

I was a bit shocked myself when I discovered this a while back, it is defenitely a part of UAC that could use some revision...

Best Answer

Related Solutions

How to Add the Current Admin User to SQL Server Express 2008

Why Removing ‘EVERYONE’ Group Blocks Domain Admins from Drive Access

Related Topic