>Microsoft's SQL best practices dictate that SQL logins should not be used in >favour of native Windows Authentication using an operating system account, >but we recognize that often consumers of SQL Server do not often want to do >this. (With a Windows account people have access to other operating system >services as well as SQL Server, but with just an SQL login they should only >be able to access the SQL Services. The latter is the 'more safe' option in >the author's opinion)
One way I have worked around the problem of those accounts having access to other items on the server/OS/domain is when running a Windows 2000 AD domain, I do the following: All users are created at the domain level. Global groups are created for each specific need, such as SQL_Login_User. The specific users are members of that group. I set that group as the primary group for the user. I can then remove that user from the "Domain Users" group. That way, the only thing that that user would have access to would be where Everyone or Authenticated Users have permission, which if we take permissions on our servers correctly, that will be restricted. Just a thought. John Tolmachoff IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com
