Microsoft KB Archive/199466

= SMS: How to Set Up SQL Server Integrated Security For Use With SMS =

Article ID: 199466

Article Last Modified on 6/14/2005

-

APPLIES TO


 * Microsoft Systems Management Server 1.2 Standard Edition

-



This article was previously published under Q199466



SUMMARY
When Systems Management Server is used on a large scale administrators often find it necessary to give other people permission to use the Systems Management Server Administrator utility. In response to this need and since granting full permissions to all the features of the Systems Management Server Administrator is rarely desired, it is necessary to create a seperate set of SQL Server login IDs. These IDs have different permissions matching the needs of unique and specific tasks. Furthermore, using SQL Server integrated security can help reduce the amount of administration required because the users only have to remember one password; that of their Windows NT account.



MORE INFORMATION
When using the Systems Management Server Administrator tool, the user will only have access to those features granted to their matching SQL Server login ID or the SQL Server login ID that the user is aliased to. The procedure described below incorporates the use of SQL Server integrated security so that users will only have to log on to their workstation once.

These instructions also incorporate aliasing certain SQL Server logins to a "unique" SQL Server login ID that does not match a specific user account. This makes managing the permissions on the SQL Server login IDs easier since the Systems Management Server Security Manager only allows permissions to be modified on individual SQL Server login IDs. For example, if you have 20 SQL Server logins; that is, user accounts, that need to be given access to perform Remote Control in Systems Management Server, they can be given permissions much easier. Modifying each account's rights individually can take a long time. But, if those 20 SQL Server logins are aliased to one SQL Server login ID called "HelpDesk", it becomes a simple task to modify permissions on the single HelpDesk login ID.

NOTE: If you are managing a small number of SQL Server logins, it may not be necessary to use aliases. If this is the case, simply skip the references below where SQL Server login IDs are aliased to other SQL Server logins. For Step 5, simply assign permissions to the users' SQL Server login IDs.

Initial Setup
 In the Windows NT User Manager, create the Windows NT user group(s) and assign user accounts to the group(s). Use SQL Security Manager to create SQL Server login IDs for users in the Windows NT groups you just created. To do this, perform the following steps:

 In SQL Security Manager, on the View menu, click User Privilege. On the Security menu, click Grant New. Select the correct Windows NT group and make certain the Add Login IDs For Group Members and Add Users to Database options are selected. Also ensure that the SMS database is selected from the drop-down menu. Click Grant.</ol> </li> Using the SQL Enterprise Manager utility, create unique SQL Server login IDs for the types (or levels) of access that your users will need when using the Systems Management Server Administrator utility. These are the SQL Server login accounts that you will assign the different permissions to using the Systems Management Server Security Manager utility. These unique SQL Server login IDs serve the purpose of custom templates or user groups. Again, if you need to change permissions, it is a simple process to modify the SQL Server login ID that the users are aliased to as opposed to changing permissions on each individual SQL Server login ID. Some examples include "HelpDesk", "SoftDist" (software distribution), or "SMSAdmins". To create a login ID, perform the following steps:

<ol style="list-style-type: lower-alpha;"> Click SQL Enterprise Manager.</li> On the Manage menu, click Logins.</li> Type the login name that corresponds to the type of functions that this login ID will have permissions for.</li> Type a password.</li> Select Permit column for the Systems Management Server database.</li> Click Add.</li></ol> </li> While still operating in the SQL Enterprise Manager, alias the SQL Server login IDs (that match the Windows NT user logon accounts) created by SQL Security Manager to the unique logins that were manually created in Step 3. To do this, perform the following steps:

<ol style="list-style-type: lower-alpha;"> On the Manage menu, click Logins.</li> Select the new SQL Server login ID from the drop-down list of available accounts.</li> Click Alias (for the Systems Management Server database) and select the appropriate unique SQL Server login ID that was created in Step 3 of the Initial Setup (for example, "HelpDesk", "SoftDist", and so on).</li> Click Add.</li></ol> </li> Use the Systems Management Server Security Manager to grant access to specific areas of Systems Management Server to the unique SQL Server logins that were created in Step 3. Because the users of SQL Server login IDs are aliased to a few unique ones, it is not necessary to modify the permissions on the users' SQL Server logins. To do this, perform the following steps:

NOTE: Do not modify the permissions on "dbo" (database owner). This login should always have full permissions to all security objects.

<ol style="list-style-type: lower-alpha;"> In Systems Management Server Security Manager, select SQL Server login ID from the drop-down list.</li> Select the appropriate security objects and select the type of access desired for those objects; that is, full, view, or no access. You can use the default security templates by clicking Use Template on the Security menu.</li> After setting the permissions you want, click Save on the toolbar or click Save User on the Security menu to make the changes take effect.</li></ol> </li> <li>To implement SQL Server integrated security, perform the following steps:

<ol style="list-style-type: lower-alpha;"> <li>From SQL Enterprise Manager, right-click the SQL Server name that appears in the Server Manager window and click Configure on the shortcut menu.</li> <li>Click Security Options.</li> <li>Select Windows NT Integrated as the Login Security Mode, and then click OK.</li></ol>

NOTE: When SQL Server integrated security is enabled, all members of the Administrators built-in Windows NT user group will have System Administrator (SA) privilege to the SQL Server. To avoid this, you must create a separate Windows NT user group (for example, a group named "SQLAdmins") that contains those user accounts that need SA privilege to SQL Server. The Systems Management Server Service Account should be in this new group. After the group is created, use SQL Security Manager (with the SA privilege view) to grant SA privilege to the new group and then revoke SA privilege from the Administrators group.</li> <li>Stop and restart the MSSQLServer service, to do this, use SQL Enterprise Manager, SQL Service Manager, or Control Panel Services.</li> <li>After these steps have been accomplished, the system should be tested. To test, perform the following steps:

<ol style="list-style-type: lower-alpha;"> <li>Using a Windows NT user account that was created in Step 1 of this procedure, log on to a computer running Windows NT Workstation.</li> <li>Run the Systems Management Server Administrator utility and type the SQL Server name and database information. Because SQL Server integrated security is being used, it is not necessary to type any SQL Server login ID or password. In fact, doing so will have no effect.</li> <li>Click OK.</li></ol> </li></ol>

The Systems Management Server Administrator now only allows those features that have been enabled to function. If some functionality is not working correctly, it can be the result of a dependency on another security object not being enabled. If in doubt, examine the list of dependencies in Chapter 6: "Configuring Security for the Systems Management Server Administrator" in the Installation And Configuration guide in the Systems Management Server Books Online.

Adding a User After the Initial Setup
To add another user after completing the steps above, perform the following steps:

<ol> <li>In Windows NT User Manager, add the Windows NT user account to the appropriate group.</li> <li> Use SQL Security Manager or SQL Enterprise Manager to create the new SQL Server login ID. Choose either to use SQL Security Manager or SQL Enterprise Manager. NOTE: The SQL Enterprise Manager method is quicker when only adding a few (one or two) SQL Server login IDs. The SQL Security Manager method is easier if you want to add several new logins at once.

SQL ENTERPRISE MANAGER METHOD
<ol style="list-style-type: lower-alpha;"> <li>Open SQL Enterprise Manager.</li> <li>On the Manage menu, click Logins.</li> <li>Type the login name that matches the user's Windows NT account.</li> <li>Type a password and note that it does NOT need to match the password for the corresponding Windows NT account.</li> <li>Click in the Permit column for the Systems Management Server database.</li> <li>Click Alias (for the Systems Management Server database) and select the appropriate unique SQL Server login ID that was created in Step 3 of the "Initial Setup" procedure in this article.</li> <li>Click Add.</li></ol>

SQL SECURITY MANAGER METHOD
<ol style="list-style-type: lower-alpha;"> <li>In the User Privilege view of SQL Security Manager, select the group that contains the new Windows NT user account.</li> <li>On the Security menu, click Account Detail.</li> <li>From the Account Detail window, click Update Logins. This will create a matching SQL Server login ID for the new Windows NT user account. NOTE: For each Windows NT account that already has an SQL Server login ID, an error saying that the account already exists will be generated. You can ignore these error messages.</li> <li>Open SQL Enterprise Manager and click Logins on the Manage menu.</li> <li>Select the new SQL Server login ID from the drop-down list of available accounts.</li> <li>Click Alias (for the Systems Management Server database) and select the appropriate unique SQL Server login ID that was created in Step 3 of the "Initial Setup" procedure in this article; that is, HelpDesk, SoftDist, and so on.</li> <li>Click Add.</li></ol> </li></ol>

Delete a User
To remove a user, perform the following steps:

<ol> <li>Using SQL Enterprise Manager, delete the SQL Server login ID that matches the Windows NT user account. To do this, perform the following steps:

<ol style="list-style-type: lower-alpha;"> <li>In SQL Enterprise Manager, click Logins on the Manage menu.</li> <li>Select the login name that matches the user's Windows NT account from the drop-down list.</li> <li>To temporarily disable this user's access, click to clear the Permit column for the Systems Management Server database and then click Modify. To permanently delete the SQL Server login ID, click Drop.</li></ol>

NOTE: If necessary, use Windows NT User Manager utility to remove the user's account from the Windows NT user group and/or delete the account entirely.</li></ol>

Possible Problems
The following are things to be aware of:
 * If a user's SQL Server login ID is deleted and then re-created, the Systems Management Server Security Manager may show that the user's SQL Server login ID still has certain permissions allowed to the Systems Management Server database when in fact those permissions are not valid. If this occurs, revoke the existing permissions and grant them again, using the Systems Management Server Security Manager. If aliases are being used, re-establish the alias for the re-created account (see Step 4 in the "Initial Setup" procedure).
 * When running the Systems Management Server Administrator with a reduced set of permissions, certain menu buttons will be removed from the toolbar. When the Systems Management Server Administrator console is run again with full permissions, the buttons will not be automatically restored. To restore these buttons, perform the following steps:
 * On the Options menu in the Systems Management Server Administrator, click Customize Toolbar.
 * Click Reset and then click OK.

<div class="references_section">