I wrote about this for my GSEC practical. You can find it in the SANS Reading Room:

SQL Server 2000: Permissions on System Tables Granted to Logins...

D is correct and your reasoning is sound. Permissions in SQL Server are actually at the column level. Therefore, when the DENY is run blocking access to Salary and BonusPercentage,...

As with the other exam-ish question you posted... if you had to pick an answer (A or D), which one would you pick, and why? If you are confused between...

You mean this?

Baseball - Olympic Sport since 1992

Go, Yankees! Okay, I know I'm asking for it, but I've been a fan of the team ever since I saw Don Mattingly play for the first time.

Anyone with sysadmin rights can do this... meaning you if you are the user with such rights. You have to handle this through Enterprise Manager unless you want to go...

So as not to turn this into a braindump, let's take the following approach: you tell us what answer you would have chosen and why. The key point is to...

Please do not cross-post. See reply here:

http://www.sqlservercentral.com/forums/shwmessage.aspx?forumid=10&messageid=171721

Congrats, Jeremy! on being published!

Yup. Try removing and readding from the domain. Perhaps the computer account is corrupt (though you should see this in the DC event logs). Any case, make sure you know...

Sounds highly unusual. Same thing occur say if you try and add the user or group to the Users group for the local server (say through Computer Management, not in...

Yes, using 3 part naming conventions. This assumes the user has the ability to access the tables in the multiple databases.

For instance:

<database>.<owner>.<object name>

Like the following:

SELECT *

FROM Northwind.dbo.Orders

Or, if multiple tables...

Or... you can turn on URI-query on under extended properties for w3svc logging (IIS) and then parse the IIS logs. This may be more advantageous if you've got webstats software...

In all seriousness, this has been banted around a few times. Would be nice to see.

Is there anything different in AD between the groups you are able to add and the ones you aren't? Different OUs, different permissions on the object, etc.? Any audit failure...