SQL Server 2008 Security (SS2K8) forum: RE: Replacing individual logins with AD Groups potential pitfalls?

  • hanrahan_tim (10/9/2013)


    Hello,

    ...

    My thought is to use an AD account like "authenticated users" and use this for logins so all company users get a login. I would then use specific AD groups I create to map to database roles for specific database related permissions. Is this a good practice? And if so, is "authenticated users" the right group to use to grant everyone a login to the server?

    I was also wondering if I will need to remove each login and user before I add the AD group? It would seem if I don't, and then add the AD group any given user would then have two logins? I have also noticed that specific users have a default database set in their login, once switched over to using an AD group for logins how can this be accomplished?

    Thanks in advance.

    Using Windows Groups instead of individual Logins is indeed a recommended practice.

    Authenticated Users would work, if you really want ALL AD Users being able to Access SQL Server. That one I wouldn’t consider a “good practice”, but if you really want to do that without exceptions, that’s the way. Otherwise you are better off creating an extra Win Group with ~90% of all Logins inside.

    You do not have to remove the Logins before adding the group, but in the long run I would advise doing so. Until then all those have 2 different access paths.

    For ONE Group-Login you of course can only have ONE “default database” set.

    Another reason to use multiple groups.

    Andreas

    ---------------------------------------------------
    MVP SQL Server
    Microsoft Certified Master SQL Server 2008
    Microsoft Certified Solutions Master Data Platform, SQL Server 2012
    www.insidesql.org/blogs/andreaswolter
    www.andreas-wolter.com
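The setup Andreas describes, plus a check for the "two access paths" situation he mentions, as an added T-SQL example (not code from the thread or from the poster); the domain, group, database and role names are placeholders, and the 2008-era sp_addrolemember is used instead of the later ALTER ROLE syntax.

```sql
-- Added example: one login for a Windows group, group mapped to a database
-- role, then an audit for individual logins that still duplicate the group.
-- CONTOSO\SQL-Users and SalesDB are placeholder names.
USE [master];
GO
-- One server login for the whole group. A group login can carry only ONE
-- default database; users needing a different default need another group.
CREATE LOGIN [CONTOSO\SQL-Users] FROM WINDOWS
    WITH DEFAULT_DATABASE = [SalesDB];
GO
USE [SalesDB];
GO
-- Database user for the group login, permissions via a fixed database role.
CREATE USER [CONTOSO\SQL-Users] FOR LOGIN [CONTOSO\SQL-Users];
EXEC sp_addrolemember @rolename = N'db_datareader',
                      @membername = N'CONTOSO\SQL-Users';
GO
-- Audit: which group members still have their own Windows login?
-- Each of these users currently has two access paths to the instance.
-- xp_logininfo with @option = 'members' returns the columns below.
CREATE TABLE #members
(
    account_name      sysname,
    type              char(8),
    privilege         char(9),
    mapped_login_name sysname,
    permission_path   sysname NULL
);
INSERT INTO #members
    EXEC xp_logininfo @acctname = N'CONTOSO\SQL-Users', @option = 'members';

SELECT sp.name AS individual_login,
       sp.default_database_name      -- per-user default that the group login cannot keep
FROM sys.server_principals AS sp
JOIN #members AS m ON m.account_name = sp.name
WHERE sp.type = 'U';                 -- 'U' = individual Windows login
DROP TABLE #members;
GO
```

After the individual logins listed by the query are dropped, `EXEC xp_logininfo @acctname = N'CONTOSO\someuser'` shows the group as the user's only permission path.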