Group Policy Credentials When Running Scripts - Connect to SQL DB

Posted on 2011-10-17
Last Modified: 2012-05-12

I'm building a VBScript that will be pushed out via Group Policy.  This script connects to a MS SQL Server and does some pretty great stuff.  As you can expect, our SQL Server is locked down pretty tight.

I need to add a logon to SQL Server for Group Policy to be able to connect and have "db_datareader".

When GP is processed, which account does it use on connecting to shares?  "NT AUTHORITY\Network Service" - I'd imagine, but I need to be sure.

Any tips you guys have on this would be greatly appreciated.
Question by: usslindstrom

    Accepted Solution

    If you're applying the script as part of the computer startup, you need to grant access to the computer object on the sql server.

    If you're running the script at user logon, it runs under the user's own security context, so your users will need to be able to access the SQL server.

    Author Comment

    Thanks for the info so far.

    Can you please clarify your first statement?

    Currently, I have "Authenticated Users" in the "db_datareader" role. It works for all users, but I was under the impression it should cover PCs as well (since it does in Group Policy).

    Please go into detail on "grant access to the computer object" if you have a few minutes.


    Author Comment

    Oh - and yes...  you were right.  It's a group policy object that calls a computer startup script.

    Expert Comment

    Sorry, I was mistaking Windows rights for SQL logins. I tried to specify a computer account in SQL Server but it isn't available. Can you run it under user scripts instead of computer?

    Author Comment

    For this particular script, unfortunately no.  It installs printers on computers during startup.

    I guess the next logical step would be to enable read access to everything in the sql DB, if it's possible.

    Would you know where to go to do that?  I tried "NT AUTHORITY\Everybody" but it was a no-go.

    Author Closing Comment

    You were exactly right!  Thanks for the information.

    I added DOMAIN\Domain Computers to the security group logon at the Server level, and then again at the DB Level with the permissions I needed.

    Works like a champ now.  Much appreciated!
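    The T-SQL below is an added example, not something posted in the thread, showing the grant the author describes: a server-level Windows login for the domain's computer group, a matching database user, and db_datareader only. A computer startup script runs as LocalSystem, which authenticates to the network as the machine account (DOMAIN\HOSTNAME$), and every domain-joined machine is a member of "Domain Computers", so that group is what the login has to cover. The domain name DOMAIN and the database name PrinterConfig are placeholders; substitute your own.

```sql
-- Added example, not from the original thread.
-- Assumes a domain named DOMAIN and a database named PrinterConfig (both placeholders).

USE [master];
GO

-- 1. Server-level login for the AD group that contains every domain-joined computer.
--    Startup scripts run as SYSTEM, which reaches the network as DOMAIN\HOSTNAME$,
--    and each of those accounts is a member of DOMAIN\Domain Computers.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAIN\Domain Computers')
    CREATE LOGIN [DOMAIN\Domain Computers] FROM WINDOWS
        WITH DEFAULT_DATABASE = [PrinterConfig];
GO

USE [PrinterConfig];
GO

-- 2. Database user mapped to that login.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAIN\Domain Computers')
    CREATE USER [DOMAIN\Domain Computers] FOR LOGIN [DOMAIN\Domain Computers];
GO

-- 3. Read-only access: db_datareader and nothing else. Do not add db_datawriter
--    or db_owner here; every workstation in the domain would inherit it.
--    (On SQL Server 2008 and earlier use:
--     EXEC sp_addrolemember N'db_datareader', N'DOMAIN\Domain Computers';)
ALTER ROLE db_datareader ADD MEMBER [DOMAIN\Domain Computers];
GO

-- 4. Verify which principal a startup script actually arrives as. Run this from
--    a SYSTEM shell on a workstation (for example via psexec -s and sqlcmd -E);
--    the login name should end in $, i.e. the machine account, not a user.
SELECT SUSER_SNAME() AS login_name,
       ORIGINAL_LOGIN() AS original_login,
       IS_ROLEMEMBER('db_datareader') AS is_datareader;
```

    Two things a practitioner should keep in mind with this grant. First, the VBScript's connection string has to use Windows authentication (Integrated Security=SSPI) or the computer account is never presented to SQL Server. Second, "Domain Computers" is every machine in the domain; if the GPO is linked to one OU, a narrower AD group containing only those computers (or the OU's computer objects) can be used in place of Domain Computers in the statements above, which keeps the read access to the machines that actually run the script.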
