SQL Server 2008 Security (SS2K8) forum: RE: Replacing individual logins with AD Groups potential pitfalls?

  • hanrahan_tim (10/12/2013)


    Andreas.Wolter (10/10/2013)


    hanrahan_tim (10/9/2013)


    Hello,

    ...

    Using Windows Groups instead of individual Logins is indeed a recommended practice

    Authenticated Users would work if you really want ALL AD users to be able to access SQL Server. That one I wouldn’t consider a “good practice”, but if you really want to do that without exceptions, that’s the way. Otherwise you are better off creating an extra Win Group with ~90% of all logins inside.

    You do not have to remove the logins before adding the group, but in the long run I would advise doing so. Until then, all of those have 2 different access paths.

    For ONE Group-Login you of course can only have ONE “default database” set.

    Another reason to use multiple groups...

    ...

    (1) I will then create a read-only database role and also add Authenticated Users to that. I have created other AD groups that will allow users to perform more restricted tasks in these apps. Unless I'm missing something, when using this method, as new employees start they will automatically get read access to our apps and I won't need to do any special "setup" on the SQL Server side with respect to security.

    (2) Is there any problem with the one group login method only having a single default database? To be honest I'm not really sure what the default database setting is for. If our apps have a connection string with the database name in it, does the default database provide any functionality I'm not aware of?

    (3) I would also like myself and the other sysadmin to have our own logins using our individual AD logins. As we would also belong to the "authenticated users" group, will that present any problems?

    ...

    (1) That is correct. Within SQL Server the Domain Group members are recognized by the Group SID, and all role memberships and attached permissions apply.

    (2) The default database setting only has an effect if a user/application connects without specifying a database name.

    (3) No. As long as you don’t play with “Deny” for the “Auth. Users” Group-Login, permissions will just be cumulative and that’s it.

    Andreas

    ---------------------------------------------------
    MVP SQL Server
    Microsoft Certified Master SQL Server 2008
    Microsoft Certified Solutions Master Data Platform, SQL Server 2012
    www.insidesql.org/blogs/andreaswolter
    www.andreas-wolter.com
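An added T-SQL sketch of the setup the exchange above describes (not code from the thread or from either poster): one Windows-group login with its single default database, a read-only database role the whole group inherits, an individual DBA login whose rights simply add to the group's, the Deny caveat, and two checks a DBA would run before retiring individual logins. CONTOSO, AppDb, SqlReaders and tim are placeholder names; the syntax is kept to what SQL Server 2008 accepts.

```sql
-- Constructed example; CONTOSO, AppDb, SqlReaders and tim are placeholders.
USE master;
GO
-- One login for the whole AD group. A group login can carry only ONE
-- default database, so pick the one most members connect to without naming it.
CREATE LOGIN [CONTOSO\SqlReaders] FROM WINDOWS WITH DEFAULT_DATABASE = [AppDb];
-- Individual login for a DBA who is also a member of the group above.
CREATE LOGIN [CONTOSO\tim] FROM WINDOWS;
GO
USE AppDb;
GO
CREATE USER [CONTOSO\SqlReaders] FOR LOGIN [CONTOSO\SqlReaders];
CREATE USER [CONTOSO\tim] FOR LOGIN [CONTOSO\tim];
GO
-- Read-only role; every group member inherits it through the group SID,
-- so a new hire added to the AD group needs no SQL-side setup.
CREATE ROLE app_readonly;
GRANT SELECT ON SCHEMA::dbo TO app_readonly;
EXEC sp_addrolemember @rolename = 'app_readonly', @membername = 'CONTOSO\SqlReaders';
-- Rights granted to the individual user are cumulative with the group's rights.
GRANT EXECUTE ON SCHEMA::dbo TO [CONTOSO\tim];
GO
-- Caveat from the thread: a DENY on the group overrides GRANTs on any member,
-- including CONTOSO\tim's own login. Left commented out on purpose.
-- DENY SELECT ON SCHEMA::dbo TO [CONTOSO\SqlReaders];
GO
-- Check 1: which access path (own login or group login) admits this account?
-- The last column of the result set is the permission path.
EXEC xp_logininfo @acctname = 'CONTOSO\tim', @option = 'all';
GO
-- Check 2: individual Windows logins (type U) that may be redundant now that
-- group logins (type G) exist; candidates for removal once the group is in place.
SELECT name, type_desc, default_database_name
FROM sys.server_principals
WHERE type IN ('U', 'G') AND name LIKE 'CONTOSO\%'
ORDER BY type, name;
```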