AD, Scripting & SQL

Guest

Hi,

Please forgive the cross-post, I think it's applicable in this case

2 questions. Using Win2K, SQL2K

1) Is it possible to programmatically "push" an update of the AD DB to my SQL servers? The reason I ask is that,

2) I create Global groups in AD using VBS. Those groups are immediately visible in AD, and I can issue a query from SQL against the AD system and "see" the new groups. But try to grant the new group a login on a SQL server, and I get a "No such group exists" error. I have to wait about 15 minutes before I am able to grant logins to these groups. How can I push these new groups out to the domain (SQL) servers so that logins can be granted immediately? There must be a VBS command..

Thanks

Paul
 
Ulf B. Simon-Weidner

Hello Paul,

Your problem is probably the replication of AD. Your admin tools might run
against the same AD DC, but the SQL Server which needs to verify the accounts
might run against a different AD DC.

What I'd look at in your case is whether you are able to add the SID to the
rights in your DB. Most systems do not need the group name but the SID to
control access. If you provide them with the SID they don't need to verify
anything until the first user logs on (which is usually after replication); if
you provide the name, the server needs to resolve the SID from the name at the
time you set the right (which is not before replication, and you'll need luck
that the server is running against the same AD DC).

What you could do is either look at how to put the SID in, or trigger
replication, or wait until replication is finished (put the ACE into the
system, and read the ACE to see if it's updated; if not, repeat).

Gruesse - Sincerely,

Ulf B. Simon-Weidner
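
The wait-and-repeat option from the reply above, as an added example that is not part of the original thread: a T-SQL batch written for SQL Server 2000 that retries sp_grantlogin until the domain controller the server uses can resolve the new group, and gives up after a fixed number of attempts. The group name CONTOSO\NewAppGroup, the 30-second interval and the 40-attempt limit are assumptions.

```sql
-- Added example (not from the thread). Run as a member of sysadmin or
-- securityadmin, the roles permitted to execute sp_grantlogin.
-- Assumed values: group name, retry interval, attempt limit.
SET NOCOUNT ON

DECLARE @group   sysname
DECLARE @rc      int
DECLARE @attempt int
DECLARE @max     int

SET @group   = N'CONTOSO\NewAppGroup'  -- hypothetical DOMAIN\group
SET @attempt = 0
SET @max     = 40                      -- 40 x 30 s = 20 minutes
SET @rc      = 1

WHILE @attempt < @max
BEGIN
    SET @attempt = @attempt + 1

    -- Nothing to do if the login already exists (e.g. the batch is re-run).
    IF EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE loginname = @group)
    BEGIN
        SET @rc = 0
        BREAK
    END

    -- sp_grantlogin returns 0 on success and 1 on failure. Until the group
    -- has replicated to the DC this server queries, the name lookup fails
    -- and the call reports an error with return code 1.
    EXEC @rc = master.dbo.sp_grantlogin @group
    IF @rc = 0 BREAK

    WAITFOR DELAY '00:00:30'
END

-- A bounded loop ends in an explicit error instead of waiting forever,
-- so a mistyped group name shows up as a failure in the job output.
IF @rc <> 0
    RAISERROR ('Login for %s not granted after %d attempts.', 16, 1, @group, @attempt)
ELSE
    PRINT 'Login granted.'
```

Each failed attempt still prints the server's "not found" message, so the final RAISERROR or PRINT line is the one to check in the output.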
 
