Group NT permission problems

Adam.BeanAdam.Bean Posts: 28
edited November 6, 2007 8:51AM in SQL Backup Previous Versions
Error 880: BACKUP DATABASE permission denied in database: (admin)
SQL error 15404: Could not obtain information about Windows NT group/user 'domain\beana', error code 0x5.


When using SSMS or SQLBU gui, I receive this error when attempting to backup databases that reside on a SQL server in our QA domain. Our domain is fully trusted to the QA domain, but the QA domain can not talk back to us.

The SQL Backup Agent is running under the same account which is running SQL Server in these domains (which are domain admins).

We connect as part of NT groups from our domain. We use AD to manage several layers of groups with different access. I am connected through BUILTIN\Administrators as I have box administration rights. I've also tried through a SQLAdmin group. Both return the same error. When I give myself direct permissions domain\beana on the instance, it works without problem. So it looks to be a problem with NT groups.

Thoughts?

Thanks

Comments

  • When you are attempting to perform the backup via SSMS or the SQL Backup GUI, two permissions checks are made:

    1) Does the SQL Backup Agent have sufficient permissions to perform the backup (otherwise it will be unable to execute)
    2) Does the caller have sufficient permissions to issue a BACKUP statement on that database (otherwise it will introduce security vulnerabilities)

    In this case it appears that your account may not have sufficient permissions to perform the backup, which appears to be confirmed further when you add your account to the SQL Server instance.

    To resolve this, you need to make sure that the user running the command has the explicit permissions to perform the backup. If you would not expect to be able to perform a native SQL Server Backup, then the same rules apply for SQL Backup.

    Hope that helps,
    Jason
  • Jason Cook wrote:
    1) Does the SQL Backup Agent have sufficient permissions to perform the backup (otherwise it will be unable to execute)
    - Yes, it is running under a domain admin account
    Jason Cook wrote:
    2) Does the caller have sufficient permissions to issue a BACKUP statement on that database (otherwise it will introduce security vulnerabilities)
    - Yes, I have box and sql admin against the target server.

    As stated, If I make myself a login as NT ... domain\BEANA and make myself a sysadmin, it works. If I am part of BuiltinAdmins or another NT group managed by AD, it does not work.

    The problem seems to be purely with using NT groups.
  • RedGate advised me to add permissions on some registry folders ... this is what I sent them:


    On x64 servers, Software\Red Gate\SQL Backup does not exist.
    The path is, Software\Wow6432Node\Red Gate\SQL Backup.
    Also, SOFTWARE\Red Gate\SQL Backup\InstalledInstances does not exist under that path nor Wow6432Node.

    Anyways, I gave read permissions to the following per your instructions:

    HKLM\Software\Microsoft\MSSQLServer\Setup
    HKLM\Software\Microsoft\Microsoft SQL Server HKLM\Software\Wow6432Node\Microsoft\Microsoft SQL Server HKLM\Software\Wow6432Node\Red Gate\SQL Backup

    And it is still failing.

    Please advise...

    Thank you


    Any thoughts?
Sign In or Register to comment.