Accessing the Windows ACL from Transact-SQL

Hot Topic

YAIP (Yet Another Install Problem)
Deploying Report Model Error
SQL 2005 scripting stored procedures
Connection to Analysis services from VB - very slow
ReportService2005 and ReportExecution2005
how to pass XML file path as input string to a Stored Procedure
Foreach loop with parallel execution
I can not enter non english text in SQL express...
SqlCeRemoteDataAccess Pull issue with ConnectionString
How to show KPIS on a webpage?=

SQL Server

HELP! Problem in my code
Copy table from ODBC to SQL database
Exclusive Join
Update Trigger... best solution
steps and design considerations for building a data warehouse
Combine SUMs
Getting intermittent error with SQLDMO objects
Report Viewer/Explorer-WebPart missing under SharePoint v3+SQL Server 2005
Export wizard trouble exporting columns names to ragged file.
TSQL UNION, but get the differance in dollar amount in the result

Accessing the Windows ACL from Transact-SQL

Hi everybody,

I have a dilemna with a project I am developing.

I am deploying the project to a Windows Small Business Server 2003 network, so as part of the security I have created a number of database roles (manager, secretary, bookkeeper, facilitator) and linked a Windows Group (DOMAIN\Facilitators, DOMAIN\Secretaries, etc.) to each of these roles. I have found that this model is by far the easiest way to administer access to my application.

My problem lies now in the fact that I need to assign a "referral" (a row in a table) to a facilitator. I have tried creating a staff table, with a boolean facilitator field and a UserName field that refers to the SYSTEM_USER function, but this means additional administration and I'm not satisfied that this is the best solution.

Is there a way to, using Transact-SQL, access a list of Windows Users from a specific Windows Group ie. accessing domain ACLs As I'm using SQL Server 2005, I do have the option of creating a CLR assemby to access this functionality, and I'm satisfied that I can assign the appropriate permissions for this information to be accessible, but if the information is directly accessible in tsql I would dearly love to know about it.

Thanks for your time guys.
Nathan Brittain
Utamic Software Pty Ltd

Answer this question

Accessing the Windows ACL from Transact-SQL

  • Layne Wiwatowski

    No, there is really no easy way to do this. You can use xp_logininfo with the Windows group name and members as second parameter to get the next level information for the Windows group. But this is about what you can do. To recurse through all the groups and users you will have to write your own code. For your problem, this particular SP will help. Note that the permissions required to run this SP has been changed in SQL Server 2005 for security reasons (only sysadmin).

  • ArnoldA

    You can query Active directory by setting it up as a linked server. i.e.

    Exec sp_addlinkedserver 'ADSI' , 'Active Directory servcies 2.5' , 'ADSDSOObject' , 'adsdatasource'

    Then to query

    Select * from openquery

    (ADSI , 'Select givenName , sn , userPrincipleName From "LDAP://OU = Development , DC = admin , DC = contoso , DC = msft"')

  • drachx

    Thanks for that! I'll have to try this.

    After considering the problem further, I guess I should clarify. Is there a way to find a list of Windows User accounts that are directly or indirectly (through Windows Group membership) assigned to a database role

    Again, the work could be put in to clr programming or using a linked server, but if there is a sys.* view available that can provide me this information directly it would be much easier.

    I'll be looking into this further myself anyway and posting an answer if I can find one, but if anyone has suggestions... well, thanks!

  • vintang

    I have a small question regarding the same. I am not able to get the
    members of the domain group inside another domain group. As per your
    suggestion, I have tried to retrive recursively. But I am able to get the
    members, if I register the domain group in SQL Server. FYI, I neither
    have the Active directory server name nor the access.


    Could you please advise how we can get the members of domain group
    without registering in SQL Server TIA...

  • Susan Bradley

    Hello,

    I read about the limitations on running the Xp_logininfo in SQL 2005 (just as you say). In fact, from: ms-help://MS.SQLCC.v9/MS.SQLSVR.v9.en/tsqlref9/html/ee7162b5-e11f-4a0e-a09c-1878814dbbbd.htm

    I read

    Note:

    In earlier versions of Microsoft SQL Server, permission to execute xp_logininfo can be granted to users. In SQL Server 2005, xp_logininfo can be run only by an administrator.

    Nevertheless, I made a test and succeeded to grant the rights to a user which is not a sysadmin, have you any idea on the reason Is it a bug which will be fixed in the next SP or is there an error in the documentation

    Thank you very much.

    Vania



  • Accessing the Windows ACL from Transact-SQL
Answer this question