Posted by Roger Abell [MVP] on February 26, 2008, 4:50 am
> Hey
>
> We are using SQL Server 2005. Our database server is a Win2k3 machine. We
> have Active Directory, etc.
>
> Now we want an external user to get access to one of our data systems. He
> needs DDL/read/write permissions on a specific database and also
> read/write permissions on some folders on the hard drive on the server.
>
> I think I can accomplish access to the database by assigning the user to
> these database roles: db_datareader, db_datawriter, db_ddladmin...
>
> The biggest problem is how to give this user access to the folders. If I
> create him in AD then he becomes a member of the Domain Users group, which means
> that he has access to everything Domain Users has access to. I tried to
> remove the Domain Users group from this user, but got a message that I
> couldn't do it because this was the default group... If this user is a
> member of Domain Users, then he has access to much in our network...
>
> (I have the impression that if I change what the default group is, then I
> have to apply this change to all users in AD)
>
> Any suggestions?
No, changing the default group is a per-account change.
I sometimes use a DummyDomGlobal group to replace Domain Users.
If that account is supposed to be of use on a machine, it will need to be
made a Users member on that machine (perhaps less, depending on
the use of the account). This dummy group is defined to have no use,
not in any ACL anywhere. Such a pattern helps in the definition of web service
accounts that need to span web servers and SQL servers, for example.
It is not a bullet-proof precaution, and it is less of a containment than
you appear to be thinking (i.e. there is still Authenticated Users).
If the use is one machine only, why a domain account at all? Auth at
the VPN? How often do they need to move files? I mean, if this
is a vendor and a new database, why not leave them with temporary
TCP 1433/1434 and sneaker-net / email for the occasional file stage?
Roger
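The per-account primary-group swap Roger describes, written out as an added PowerShell example (it is not code from the thread). The order of steps is the point: the account must first be made a member of the placeholder group and have its primaryGroupID changed to that group's RID; only then does AD allow Domain Users to be removed, which is the error the original poster ran into. It assumes the ActiveDirectory module (RSAT) on the admin workstation, and sqlcmd and icacls available on the database server. The names ext.vendor, DummyDomGlobal, VendorDb, SQLSRV01 and D:\VendorDrop are placeholders.

```powershell
# Added example: swap Domain Users for an empty placeholder primary group on ONE
# account, then grant only the narrow rights the account actually needs.
# Requires the ActiveDirectory module and rights to modify the account/groups.
Import-Module ActiveDirectory

$UserName   = 'ext.vendor'       # hypothetical external account
$DummyGroup = 'DummyDomGlobal'   # placeholder global group, never placed in any ACL
$Server     = 'SQLSRV01'         # hypothetical database server
$Folder     = 'D:\VendorDrop'    # hypothetical folder on that server
$Database   = 'VendorDb'         # hypothetical database
$Domain     = $env:USERDOMAIN
$Login      = "$Domain\$UserName"

# 1. Create the placeholder group once. Its only job is to be a primary group;
#    it must never be granted anything, or the containment is lost.
if (-not (Get-ADGroup -Filter "Name -eq '$DummyGroup'")) {
    New-ADGroup -Name $DummyGroup -GroupScope Global -GroupCategory Security `
        -Description 'Placeholder primary group; intentionally used in no ACL'
}

# 2. A group can only become the primary group of an account that is already
#    a member of it, so add the membership first.
Add-ADGroupMember -Identity $DummyGroup -Members $UserName

# 3. primaryGroupID stores the RID, i.e. the last component of the group's SID.
$Group = Get-ADGroup -Identity $DummyGroup
$Rid   = [int]($Group.SID.Value.Split('-')[-1])
Set-ADUser -Identity $UserName -Replace @{ primaryGroupID = $Rid }

# 4. Domain Users is no longer the default group for this account, so the
#    membership that previously could not be removed can go now.
Remove-ADGroupMember -Identity 'Domain Users' -Members $UserName -Confirm:$false

# 5. Verify: the account's group list should contain the placeholder but not
#    Domain Users. Note that Authenticated Users is an implicit identity and
#    will still apply to this account wherever it is used in ACLs.
$Groups = Get-ADPrincipalGroupMembership -Identity $UserName |
    Select-Object -ExpandProperty Name
if ($Groups -contains 'Domain Users') { throw 'Domain Users is still present' }
$Groups

# --- The following commands run ON the database server itself ---

# 6. Local Users membership on that one machine only (no domain-wide group).
net localgroup Users "$Login" /add

# 7. Modify rights on just the required folder, inherited by its contents.
#    ${} braces are required: "$UserName:" would otherwise parse as a scope.
icacls $Folder /grant "${Login}:(OI)(CI)M"

# 8. Database access via the Windows login, limited to the three fixed roles
#    the poster listed (sp_addrolemember is the SQL Server 2005 syntax).
$Sql = @"
USE [$Database];
CREATE LOGIN [$Login] FROM WINDOWS;
CREATE USER  [$Login] FOR LOGIN [$Login];
EXEC sp_addrolemember 'db_datareader', '$Login';
EXEC sp_addrolemember 'db_datawriter', '$Login';
EXEC sp_addrolemember 'db_ddladmin',   '$Login';
"@
$Tmp = Join-Path $env:TEMP 'grant-vendor.sql'
Set-Content -Path $Tmp -Value $Sql
sqlcmd -S $Server -E -i $Tmp
Remove-Item $Tmp
```

Run steps 1 to 5 from a workstation with RSAT, and steps 6 to 8 in an elevated prompt on the server (or over PowerShell remoting if it is enabled there). Step 5 is the check worth keeping in any change ticket: it proves the account left Domain Users, and the comment records the limit Roger points out, namely that Authenticated Users still matches the account.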