Can't see Active Directory groups within SQL - sql-server

I'm trying to add an SQL login for an Active Directory group.
I can see the group in AD (Operational Managers)...
...but the same group isn't visible within the SQL...
I'm not an IT admin, I just do SQL stuff and both of our IT guys are out of the office this week.
I'm just wondering if there's anything I can do to add the login group without having domain access to Active Directory (other than adding each group member individually)?

Two things:
Check the 'Group type' of the missing group. Only groups of type "Security" can be used for permissions. If the 'Group type' is "Distribution", it will not show up in the search, since it cannot be used for assigning permissions.
If the server is joined to the same domain as the group, then ignore this; but if the group and the server are in different domains, then check the 'Group scope'. The server won't be able to see a "Domain local" group from another domain.
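
The two checks in this answer can be applied to the raw groupType attribute value of the group (as returned by an LDAP/ADSI query or Get-ADGroup). The following is an added example, not code from the thread: the flag constants are the documented ADS_GROUP_TYPE values, and the domain names and group values in the demo at the bottom are constructed.

```python
"""Decode the AD groupType attribute and apply the two checks from the answer.

Added example. AD exposes groupType as a signed 32-bit integer, so
security-enabled groups appear negative (e.g. -2147483646); the decoder
masks the value to 32 bits before testing flags.
"""

# Bit flags of the groupType attribute (ADS_GROUP_TYPE_ENUM).
ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def decode_group_type(group_type: int) -> dict:
    """Return the scope and category (Security/Distribution) encoded in groupType."""
    flags = group_type & 0xFFFFFFFF  # normalise signed 32-bit storage
    if flags & ADS_GROUP_TYPE_GLOBAL_GROUP:
        scope = "Global"
    elif flags & ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP:
        scope = "DomainLocal"
    elif flags & ADS_GROUP_TYPE_UNIVERSAL_GROUP:
        scope = "Universal"
    else:
        raise ValueError(f"groupType {group_type} carries no scope flag")
    security = bool(flags & ADS_GROUP_TYPE_SECURITY_ENABLED)
    return {"scope": scope, "category": "Security" if security else "Distribution"}


def usable_as_sql_login(group_type: int, group_domain: str, server_domain: str) -> tuple:
    """Apply both checks from the answer.

    1. Only security groups can be granted permissions, so a distribution
       group never appears in the SQL login search.
    2. A domain-local group is only visible to servers in its own domain.
    Returns (usable, reason). Domain names are compared case-insensitively.
    """
    info = decode_group_type(group_type)
    if info["category"] != "Security":
        return False, "distribution group: cannot be granted permissions"
    if info["scope"] == "DomainLocal" and group_domain.lower() != server_domain.lower():
        return False, "domain-local group in another domain: not visible to this server"
    return True, f"{info['category']} {info['scope']} group"


if __name__ == "__main__":
    # Constructed demo values: the SQL server lives in corp.example.
    for name, gtype, dom in [
        ("Operational Managers (security, global)", -2147483646, "corp.example"),
        ("All Staff (distribution, universal)", 8, "corp.example"),
        ("Local Ops (security, domain local)", -2147483644, "child.corp.example"),
    ]:
        print(name, decode_group_type(gtype), usable_as_sql_login(gtype, dom, "corp.example"))
```

If the first check fails, the group cannot be fixed from the SQL side at all; the group category has to be changed in AD.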

Related

MS Teams removes a user from a group, why?

I don't know who deleted the user from the group, or why; in the log I see information about the User-Agent.
Azure AD without local AD,
SkypeSpaces/1.0a$*+
That's all; where can I find more information?
type:
Remove member from group
user:
"SkypeSpaces/1.0a$*+" and Display name "MS Teams Services"
I checked the log and added the user again, but the next day the same thing happened: the user was removed from the group.
I tried to reproduce the same in my environment to check the information about the user deleted from the group.
I created one group and deleted a user from the group using the following steps:
Azure Portal > Groups > New Group
Deleted members from the same group.
Open the same group: Azure Portal > Azure Active Directory > Groups (Manage) > Select the Group > Members > select the user > Remove
Once the user is removed from the group:
Azure Portal > Azure Active Directory > Groups (Manage) > Select the Group > Activity > Audit Logs
To check the detailed log information, open the log.

No Group Memberships option in the Azure AD Group blade

I have a security group called SecurityGroupParent and another security group called SecurityGroupChild. I want to add SecurityGroupChild as a member to SecurityGroupParent. But I cannot see the option Group Memberships as explained here although I have the right role.
You'll need the Groups Administrator or User Administrator role to edit group membership.
Also please check that you have logged into the correct tenant or account in which you have the above roles before adding membership.
Also please note that there are some limits when using nesting of groups.
For example: we cannot add a group which is synced with on-premises Active Directory.
See Limitations - groups - Azure Active Directory - Microsoft Entra | Microsoft Docs
You can also try to add the child security group as a member of the parent security group from the Members blade:
If the groups are set to role assignable, or IsAssignableToRole is set to $True, then the groups are private and only members can view the content of the group.
Also check if HiddenMembership is enabled. Reference: visibility

SQL Server: LDAP query of Active Directory Group members works inconsistently

I am querying Active Directory from SQL Server via a Linked Server called LDAP.
The linked server was created thus, authenticating through a specially created service account myDomain\ServiceAccountWithNoPermissions.
exec master.dbo.sp_addlinkedserver @server = N'LDAP', @srvproduct = N'Active Directory Service Interfaces', @provider = N'ADSDSOObject', @datasrc = N'adsdatasource'
exec master.dbo.sp_addlinkedsrvlogin @rmtsrvname = N'LDAP', @useself = N'False', @locallogin = NULL, @rmtuser = N'myDomain\ServiceAccountWithNoPermissions', @rmtpassword = '########'
And I'm querying the members of a specific Active Directory Group with the following:
select *
from OpenQuery (LDAP, '
select objectGUID, sAMAccountName
from ''LDAP://myServer.myDomain.com/DC=myDomain,DC=com''
where MemberOf=''CN=Some Group,OU=Folder,DC=myDomain,DC=com''
order by sAMAccountName asc
');
Here's my problem. The above system is working correctly for some Active Directory Groups and not others.
By default I think Authenticated Users is supposed to be able to query any User or Group objects in Active Directory. And as a test I verified that the effective permissions of myDomain\ServiceAccountWithNoPermissions include "Read all properties" on Groups for which the members are both queryable and non-queryable.
What could be the difference between Groups that are queryable and non-queryable?
You didn't describe what you mean by it working incorrectly, so I can only guess. But the most obvious thing I can see is that you're querying the membership of a group by using memberOf. Depending on how your environment is set up, that may not give you all the results you hope for. I wrote about this, but here's the important part:
Groups only get added to memberOf if they have a Group Scope of:
Universal and are in the same AD forest as the user, or
Global and are on the same domain.
Groups do not get added to memberOf if they have a Group Scope of Global and are on another domain (even if in the same forest).
On top of that, memberOf will only include Domain Local groups from the same domain as the server you are retrieving results from. (If you are working in a multi-domain environment and reading from a Global Catalog, this may not be the same domain the user is from.)
It will also not report the user’s primary group (usually Domain Users), if that’s important to you, nor will it include groups on external trusted domains.
The most reliable way to find all the members of a group is to read the member attribute of the group itself. But if the group is used as the primary group for any users, then you would also have to use a different way to find those.

Access to AD group in Azure SQL Database

I have a customer who has created an Azure SQL database and is trying to give access to his on-premises security group account in the database. The challenge that we are facing is that the on-premises group is named 'group account', i.e. there is a space between the words. This account is synced with Azure AD.
Two questions
1) How do you provide access to a security group on an Azure SQL Database? I know that you will say to use syntax like below, but that doesn't work in my case: i) there is empty space between the words in the name; ii) this is not a mail-enabled group, therefore there is no corresponding @domain.com in Azure AD for this group
CREATE USER [name@domain.com]
FROM EXTERNAL PROVIDER
Firstly, you should log in to your Azure database with your AD admin account.
Then run this query (the same as juunas provided) to add the on-premises security group to the Azure SQL database.
CREATE USER [<Security Group Display Name>] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = [<schema>];
As you said, there is a space in your 'group account' name. I tried the same operation and it worked OK with no error.
For example, I logged in to my Azure SQL database with my AD admin and ran this query to create a group account 'test gp'.
CREATE USER [test gp] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = [dbo];
Running SELECT * FROM SYS.DATABASE_PRINCIPALS we could see that the group has been created in the Azure SQL Database.
I executed the T-SQL: EXEC sp_addrolemember 'db_owner', 'test gp';
It seems everything is OK, but when I disconnect from my SQL database and try to log in with the group account 'test gp@****.com',
an error happens:
You can also reference these blogs:
Unable to add Azure AD group with ':' in display name to Azure SQL, am I missing something?
Naming conventions in Active Directory for computers, domains, sites, and OUs
I think Azure SQL Database doesn't support logging in to the database with a security group name containing special characters, such as white space (blank).
Hope this helps.
I've used CREATE USER [Group Name] FROM EXTERNAL PROVIDER before and it has worked.

Active Directory Ldap query to get all users of the same primary group of a user

I need an LDAP query for Windows Server 2012 AD that starts from the username of a user and gets all his colleagues. In my AD, colleagues are identified by the same PRIMARY group.
Is it possible, or do I need a two-step query?
Thank you.
Unfortunately, LDAP filtering syntax does not allow for sub-queries within the expression.
You'd have to break this into two parts: first get the user's DirectoryEntry record, then use his PrimaryGroupID in a separate filter, something like:
(&(objectClass=user)(sAMAccountName=JSmith))
Now let's say JSmith is part of the default "Domain Users" group (513) :
(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))
This will return all users that share that same PrimaryGroupID.
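
The two-step primary-group lookup described in this answer, combined with the point made in the linked-server thread above (read the group's member attribute rather than the users' memberOf, and separately pick up users whose primary group is that group), as an added Python example that is not code from either post. The directory records are constructed in memory to stand in for LDAP search results: only myDomain.com, "Some Group", JSmith and RID 513 come from the posts; the SIDs, DNs and other accounts are invented. ldap_escape is an added helper that applies RFC 4515 escaping before a username is placed inside a filter, so that a name taken from input cannot change the filter's logic.

```python
"""Full membership of an AD group: the `member` attribute plus primary-group users.

Added example. primaryGroupID is only a RID; the group it refers to is the
object whose objectSid is <domain SID>-<RID>, and such users do NOT appear
in the group's `member` attribute nor list the group in their memberOf.
"""
from __future__ import annotations

import re

# RFC 4515 escaping for values embedded in an LDAP filter string.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name: str) -> str:
    """Step 1: locate the user's record by sAMAccountName."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(sAMAccountName={ldap_escape(sam_account_name)}))")


def primary_group_members_filter(primary_group_id: int) -> str:
    """Step 2: all users whose primary group is that RID (513 = Domain Users)."""
    return f"(&(objectCategory=person)(objectClass=user)(primaryGroupID={int(primary_group_id)}))"


_DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-<a>-<b>-<c>-<RID>' into (domain SID, RID)."""
    if not _DOMAIN_SID_RE.match(sid):
        raise ValueError(f"not a domain account SID: {sid}")
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """The SID of a user's primary group is the user's domain SID plus the RID."""
    domain_sid, _ = split_sid(user_sid)
    return f"{domain_sid}-{int(primary_group_id)}"


def full_members(group: dict, users: list[dict]) -> set[str]:
    """Union of the group's explicit `member` DNs and users whose
    primaryGroupID equals the group's RID. memberOf is never consulted."""
    _, group_rid = split_sid(group["objectSid"])
    explicit = set(group.get("member", []))
    via_primary = {u["distinguishedName"] for u in users if u["primaryGroupID"] == group_rid}
    return explicit | via_primary


# --- Constructed sample directory (not real data) ---------------------------
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SOME_GROUP = {
    "distinguishedName": "CN=Some Group,OU=Folder,DC=myDomain,DC=com",
    "objectSid": f"{DOMAIN_SID}-1105",
    "member": ["CN=Alice,CN=Users,DC=myDomain,DC=com"],  # JSmith is missing here
}
DOMAIN_USERS = {
    "distinguishedName": "CN=Domain Users,CN=Users,DC=myDomain,DC=com",
    "objectSid": f"{DOMAIN_SID}-513",
    "member": [],  # typical: primary-group members are not listed
}
USERS = [
    {"distinguishedName": "CN=Alice,CN=Users,DC=myDomain,DC=com", "sAMAccountName": "Alice",
     "objectSid": f"{DOMAIN_SID}-1201", "primaryGroupID": 513},
    {"distinguishedName": "CN=JSmith,CN=Users,DC=myDomain,DC=com", "sAMAccountName": "JSmith",
     "objectSid": f"{DOMAIN_SID}-1202", "primaryGroupID": 1105},  # Some Group is his primary group
    {"distinguishedName": "CN=Bob,CN=Users,DC=myDomain,DC=com", "sAMAccountName": "Bob",
     "objectSid": f"{DOMAIN_SID}-1203", "primaryGroupID": 513},
]

if __name__ == "__main__":
    print(user_filter("JSmith"))
    print(primary_group_members_filter(1105))
    print(primary_group_sid(USERS[1]["objectSid"], USERS[1]["primaryGroupID"]))
    print(sorted(full_members(SOME_GROUP, USERS)))
    print(sorted(full_members(DOMAIN_USERS, USERS)))
```

In the constructed data, reading Some Group's member attribute alone (or any user's memberOf) misses JSmith, and Domain Users has an empty member attribute; only the primaryGroupID pass finds those users.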
