February 19, 2018 at 2:52 am
Interesting question, thanks Steve
Have never used the guest account, or seen the need to use it.
____________________________________________
Space, the final frontier? not any more...
All limits henceforth are self-imposed.
“libera tute vulgaris ex”
February 20, 2018 at 6:10 am
Used to use this more in the past, but rarely use it now. Had to check something for someone recently, so decided this was good knowledge.
February 20, 2018 at 6:25 am
Steve Jones - SSC Editor - Tuesday, February 20, 2018 6:10 AMUsed to use this more in the past, but rarely use it now. Had to check something for someone recently, so decided this was good knowledge.
It is very interesting.
Any good knowledge is welcome...
the day we stop learning is the day we stop living
____________________________________________
Space, the final frontier? not any more...
All limits henceforth are self-imposed.
“libera tute vulgaris ex”
February 20, 2018 at 7:04 pm
One use for the guest account I've seen is for log shipped databases coming from an untrusted domain. In that situation, it's next to impossible to grant domain users in the local domain access to the database since the database can't be modified (that would break log shipping). One work around is to use a proxy database in conjunction with trust chaining. Do the initial restore of the log shipped database under a dedicated service account so that it will be owned by that account. Set the proxy database owner to the dedicated service account as well. Then turn on chaining for the two databases (which can be done on a restoring database). Then create views in the proxy database that reference objects in the log shipped database and grant access to those views to the domain users and groups in the local domain. For this to work, however, the guest account must be enabled in the log shipped database. It doesn't have to have any privileges beyond CONNECT (because the trust will take care of that), but the source database will have to enable it. See https://www.mssqltips.com/sqlservertip/1782/understanding-cross-database-ownership-chaining-in-sql-server/ for a writeup on the need for enabling the guest account.
February 20, 2018 at 9:42 pm
t.ovod-everett - Tuesday, February 20, 2018 7:04 PMOne use for the guest account I've seen is for log shipped databases coming from an untrusted domain. In that situation, it's next to impossible to grant domain users in the local domain access to the database since the database can't be modified (that would break log shipping). One work around is to use a proxy database in conjunction with trust chaining. Do the initial restore of the log shipped database under a dedicated service account so that it will be owned by that account. Set the proxy database owner to the dedicated service account as well. Then turn on chaining for the two databases (which can be done on a restoring database). Then create views in the proxy database that reference objects in the log shipped database and grant access to those views to the domain users and groups in the local domain. For this to work, however, the guest account must be enabled in the log shipped database. It doesn't have to have any privileges beyond CONNECT (because the trust will take care of that), but the source database will have to enable it. See https://www.mssqltips.com/sqlservertip/1782/understanding-cross-database-ownership-chaining-in-sql-server/ for a writeup on the need for enabling the guest account.
Thanks for the link - really interesting reading
____________________________________________
Space, the final frontier? not any more...
All limits henceforth are self-imposed.
“libera tute vulgaris ex”
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply