UAC Enforcement for ProgramData in Windows Server 2012 - uac

A file is created under C:\ProgramData\Example. This file is created with 'Full Control' permission for Administrators group. A domain user with Administrators privilege is able to overwrite file with new copy in Windows Server 2008 R2. When same is tried in Windows Server 2012, it is failing with Access denied. I disabled UAC by following procedure mentioned # https://social.technet.microsoft.com/wiki/contents/articles/13953.windows-server-2012-deactivating-uac.aspx.
After change, I am able to overwirte file with new copy in Windows Server 2012. Is there any change in UAC behavior with respect to C:\ProgramData folder and its content in Windows Server 2012?
Regards,
Madhan

It should be noted that, by default, regular Users are allowed to create/modify files in ProgramData on Windows Server 2012/2008 R2/2008:
I'd be curious to see the offending file's permissions, as well as the containing folder's permissions. Files, when moved, keep the permissions they were created with, and do not gain the permissions of their new folder location.
So it's not a "UAC" issue, but an NTFS permissions issue.

Related

Using AWS FSx file share for SQL Server Backup Directory

I'm trying to use an FSx file share as the Backup directory when installing SQL Server Express on my EC2 instance, but the SQL installer fails to use the UNC path to the FSx file share due to a SeSecurityPrivilege problem.
I can access the file share on FSx with full access from the EC2 instance using File Explorer, but do not know how to set the SeSecurityPrivilege as I don't think it is possible to access the File Server for the FSx share as proposed in the error message from the SQL installer below.
Any ideas would be appreciated?
The error is this:
"SQL Server setup account does not have the SeSecurityPrivilege privilege on the specified file server in the path . This privilege is needed in folder security setting action of SQL Server setup program. To grant this privilege, use the Local Security Policy console on this file server to add SQL Server setup account to "Manage auditing and security log" policy. This setting is available in the "User Rights Assignments" section under Local Policies in the Local Security Policy console."
The error indicates that the account used to install SQL server doesn't have the "SeSecurityPrivilege" permission on the FSX servers which is required to perform the installation.
By default, the FSx Delegated Administrators Group has this permission.
You need to add your user account to that group on your FSx Windows File System along with Full control on the share and full control on the ntfs.
The problem is that you connected to this machine with the windows/machine administrative. you should connect to this machine with the Active directory administrative user and follow the below document.
https://aws.amazon.com/blogs/storage/simplify-your-microsoft-sql-server-high-availability-deployments-using-amazon-fsx-for-windows-file-server/

SQL Server FileTable no access to Share

although I have set all the three checkboxes (Enable Filestream for TSQL, I/O and for remote access) in instance of SQL Server via MMC.exe to true I get the following error when trying to access the Share / FileTable... What could be wrong that prevents me from using the feature?
Thx
With a FileTable, SQL Server performs authorization checks based on the user's Windows account. The Windows account must have permissions to connect to the SQL instance and database along with permission on the FileTable, just like when the table is used directly in T-SQL. These permissions can be assigned directly or via Windows group membership.
USE YourFileTableDatabase;
CREATE LOGIN [YourDomain\WindowsUserOrGroup] FROM WINDOWS;
CREATE USER [YourDomain\WindowsUserOrGroup];
GRANT SELECT ON dbo.YourFileTable TO [YourDomain\WindowsUserOrGroup];
Your Windows Explorer screenshot looks to be missing both the database directory and FileTable directory in the path. Perhaps this is because of insufficient permissions. The full UNC path to a FileTable is in the form:
\\<servername>\<instance-filestream_share_name>\<database-filestream-directory>\<file-table-directory>

File sharing with a specific user in database in SQL Server

I have created a login in SQL Server. The login has only read-only permissions. Database role membership for this user are db_backupoperator, db_datareader, db_denydatawriter and public. I gave him permissions to make backups, but when I try to access folder directory of the system it shows an error like in the picture below.
How can I share a specific folder to this Login in order to save backups to this folder?
Here is the error:
The user logs in to the SQL Server instance via a SQL Server logon, and asks for a backup to be made.
The SQL Server process, running under whatever Windows Identity it
is (LOCAL SYSTEM on my dev machine) makes the backup.
The user who asked for the backup in step 1 uses Windows Explorer to
check the backup folder. Note that Windows Explorer is using his
Windows Identity (NOT his SQL Logon) to check whether or not he has
access to that folder
Windows Explorer decides that this Windows user does not have access and
displays the message you show above.
To change the outcome, you need to give the Windows Logon that the user is using access to the backup folder. To do this, log on as an Admin, right click on the folder in explorer and select the Security tab. Add the Windows Logon that the backup person uses and give read access to the folder.
Just to clear, the backups are likely being done properly (absent any other data), but his WINDOWS logon is not allowed to see them.

SQL Server Management Studio - Unable to attach to an MDF file in my user profile

I downloaded an ASP.NET MVC template onto my development machine a dropped it into the projects folder in my user profile (C:\Users\jdana\projects\gld_ember_mvcspa). An .MDF and .LDF file came along for the ride with the template. They're located here:
C:\Users\jdana\projects\gld_ember_mvcspa\App_Data
For the life of me, I can't get SQL Server Management Studio to read from or attach to any .MDF file in my user profile (I'm running SQL Server 2014 Standard on a Windows 7 box)
Here's what I've tried thus far.
The following Access is denied when attaching a database looked like a dead-match to my issue. I've given my local login account explicit full permissions to the projects folder and all child folders (making sure to logout/login afterwards).
I gave my local login account ownership of the projects folder and all child folders (making sure to logout/login afterwards).
I checked login associated with the MSSSQLSERVER Windows service, it's NT Service\MSSQLSERVER. I gave this login full permissions to the project folder (making sure to logout/login afterwards).
Finally, I launched SQL Server Management Studio with a right-click Run As Administrator.
None of this worked. My user profile folder remains inaccessible to SQL Server Management Studio.
I was faced with the same error when i changed the password to my SQL server account. The way out was to check if the files in the location you try to attach from are encrypted. Decrypt them(Right click on the mdf/ ldf file -> Decrypt). Then try attaching. This worked for me. Thanks to the helpdesk guy in my office:)
Run Sql Server Management studio as Administrator, and login to sql server with sa or admin credential. If mdf file is uncorrupt, then it will work.

I used Windows Authentication on SQL Server and now I reinstalled new Windows, and cannot access my database(mdf files)

What should I do? I could disable UAC to access the database. Is there a way I could copy the my database but strip the account control informations attached to it? Many thanks.
Read this article for possible options. Excerpt: `After the SQL Server Instance starts in single-user mode, the Windows Administrator account is able to connect to SQL Server using the sqlcmd utility using Windows authentication. You can use Transact-SQL commands such as "sp_addsrvrolemember" to add an existing login (or a newly created one) to the sysadmin server role.

Resources