SQL Server and Active Directory Groups
- Posted in:
- Database Administration
- Security
- SQL Server
- Windows
Windows Authentication to SQL Server for multiple people needing the same level of authorization is generally accomplished one of two ways:
Authorization
With either option, you can mandate what level of authorization is allowed. You remain in control of things such as:
Authentication
Here's where there is a trade-off. If you work in an environment where someone else wears the hat for AD management, you don't control AD group membership. That means with Option 1, you lose control over who can authenticate (login) to SQL. This can be particularly worrisome when elevated permissions are involved. Option 1 *does* have the benefit of convenience. Anyone that needs "access" can be added to the AD Group. When someone no longer needs access (change in job duties, termination of employment, etc.), simply remove him/her from the AD Group.
Option 2 is...not convenient. You have to create and maintain multiple logins, and on multiple SQL instances. There's more work to be done, but you have complete control over authentication.
Both options are workable, so let's avoid the temptation of saying either option is right or wrong. Rather, make an informed decision and know the pros and cons of each approach.
Comments