  • Status: Solved
  • Priority: Medium
  • Security: Public

Group Policy Credentials When Running Scripts - Connect to SQL DB

Experts,

I'm building a VBScript that will be pushed out via Group Policy.  This script connects to a MS SQL Server and does some pretty great stuff.  As you can expect, our SQL Server is locked down pretty tight.

I need to add a logon to SQL Server for Group Policy to be able to connect and have "db_datareader".

When GP is processed, which account does it use on connecting to shares?  "NT AUTHORITY\Network Service" - I'd imagine, but I need to be sure.

Any tips you guys have on this would be greatly appreciated.
0
usslindstrom
Asked:
1 Solution
 
pvlier Commented:
If you're applying the script as part of the computer startup, you need to grant access to the computer object on the SQL Server.

If you're running the script at user logon, it runs under the user's own security context, so your users will need to be able to access the SQL Server.
0
 
usslindstrom (Author) Commented:
Thanks for the info so far.

Can you please clarify your first statement?

Currently, I have "Authenticated Users" as having the security "db_readdata" group.  It works for all users, but was under the impression it should cover PCs as well (since it does in Group Policy).

Please go into detail on "grant access to the computer object" if you have a few minutes.

Thanks.
0
 
usslindstrom (Author) Commented:
Oh - and yes...  you were right.  It's a group policy object that calls a computer startup script.
0
 
pvlier Commented:
Sorry, was mistaking Windows rights with SQL logon. I tried to specify a computer account in SQL Server but it isn't available. Can you run it under user-scripts instead of computer?
0
 
usslindstrom (Author) Commented:
For this particular script, unfortunately no.  It installs printers on computers during startup.

I guess the next logical step would be to enable read access to everything in the sql DB, if it's possible.

Would you know where to go to do that?  I tried "NT AUTHORITY\Everybody" but it was a no-go.
0
 
usslindstrom (Author) Commented:
You were exactly right!  Thanks for the information.

I added DOMAIN\Domain Computers to the security group logon at the Server level, and then again at the DB Level with the permissions I needed.

Works like a champ now.  Much appreciated!
0
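
The server-level and database-level steps described in the last post, written out as T-SQL. This is an added example, not code from the thread: `DOMAIN` stands in for the real domain name, and the database `PrinterDB` and table `dbo.PrinterMap` are hypothetical names. It also shows a narrower grant than `db_datareader`, since every computer account in the domain inherits whatever this group is given.

```sql
-- Added example. DOMAIN, PrinterDB and dbo.PrinterMap are placeholder or
-- hypothetical names; substitute your own.

USE [master];
GO
-- Server level: a login for the Windows group. A computer startup script
-- connects as the computer account (DOMAIN\PCNAME$), which is a member
-- of Domain Computers.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'DOMAIN\Domain Computers')
    CREATE LOGIN [DOMAIN\Domain Computers] FROM WINDOWS;
GO

USE [PrinterDB];
GO
-- Database level: map that login to a database user.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'DOMAIN\Domain Computers')
    CREATE USER [DOMAIN\Domain Computers]
        FOR LOGIN [DOMAIN\Domain Computers];
GO

-- Option A: the role the question asks for, read access to every table.
-- (ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later; older
--  versions use sp_addrolemember.)
-- ALTER ROLE db_datareader ADD MEMBER [DOMAIN\Domain Computers];

-- Option B: least privilege, read access only to the table the script uses.
GRANT SELECT ON OBJECT::dbo.PrinterMap TO [DOMAIN\Domain Computers];
GO

-- Check 1: explicit permissions held by the group in this database.
SELECT pr.name AS principal_name, pe.class_desc,
       pe.permission_name, pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
           AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'DOMAIN\Domain Computers';

-- Check 2: database roles the group belongs to (empty under Option B).
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'DOMAIN\Domain Computers';
```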
