MDT Access Permissions (for Groups)

  • Question

  • Hi Folks,

    If I access the MDT Deployment Workbench locally on the SQL DB server, I can access the deployment share and create a computer record.

    If I load the same Deployment Workbench with a domain admin account and map the same share, I cannot view the record I just created.

    The domain admin account has access to the share (via a domain security group membership), both file and share permissions.

    I also created a login on the SQL DB and added the same domain security group the admin account is a member of to the MDT database. No luck.

    What am I doing wrong? Can somebody give me a pointer?

    I would like for all domain users in that domain security group to access the MDT deployment share and add computer records.

    EDIT: I tried adding the user directly to the logins on the database, and it works. But if I add the domain group it does not work, even though the user is a member of that group. Why?

    Thanks.



    • Edited by IUSR345369 Monday, January 13, 2014 7:22 AM
    Sunday, January 12, 2014 6:30 PM

Answers

  • Hi Rens,

    I found the problem in the end. 

    I accessed the SQL database and checked the SQL Server logs, and found an entry with the following message:

    Login failed for user Username Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.

    I then found the issue was related to UAC:

    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/c3e0713c-b4e6-400e-9ba2-448cd5bf3cb8/tokenbased-server-access-validation-failed-with-an-infrastructure-error?forum=sqlsecurity

    Right-clicking and running as administrator resolved the issue for me; the records became visible.

    Thanks

    • Proposed as answer by Martin van Bellen Wednesday, January 15, 2014 11:03 AM
    • Marked as answer by IUSR345369 Wednesday, January 15, 2014 8:18 PM
    Monday, January 13, 2014 11:51 PM
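The answer above points at UAC but does not show how to see the filtered token that causes it. The following PowerShell script is an added example and is not part of the thread: on a UAC-enabled machine an unelevated session of an administrative user runs with a filtered token in which admin-equivalent groups (Administrators, Domain Admins and similar) are marked "used for deny only", so SQL Server's token-based access check cannot match a Windows-group login to such a group and logs the "infrastructure error" quoted above. Run the script once from a normal prompt and once from an elevated one and compare. The group name `CONTOSO\MDT-Admins` is an assumption for the domain security group in the question.

```powershell
# Added example (not from the thread). Shows the per-group state of the current
# access token, which is what SQL Server evaluates for a Windows-group login.

function Test-IsElevated {
    # True when the process runs with the full (unfiltered) administrator token.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-TokenGroupState {
    # whoami /groups exposes the attributes UAC set on each group SID in the token.
    # "Group used for deny only" means the SID only counts for DENY entries.
    whoami /groups /fo csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Group    = $_.'Group Name'
            SID      = $_.SID
            DenyOnly = ($_.Attributes -match 'deny only')
            Label    = ($_.Type -eq 'Label')   # the integrity level row
        }
    }
}

function Test-SqlGroupUsable {
    # Explains why a SQL login created for $GroupName would or would not admit
    # the current session. $GroupName is an assumed name, e.g. 'CONTOSO\MDT-Admins'.
    param([Parameter(Mandatory)][string]$GroupName)
    $entry = Get-TokenGroupState | Where-Object { $_.Group -eq $GroupName }
    if (-not $entry)     { return 'not in token: group membership is read at logon, so log off and on again' }
    if ($entry.DenyOnly) { return 'present but deny-only: UAC filtered it; elevate, or grant the SQL login to a group that is not admin-equivalent' }
    return 'usable: a SQL login for this group will match'
}

$state = Get-TokenGroupState
"Elevated session : $(Test-IsElevated)"
"Integrity level  : $(($state | Where-Object Label).Group)"
"Groups filtered to deny-only in this token:"
$state | Where-Object DenyOnly | Select-Object Group, SID | Format-Table -AutoSize
"MDT group status : $(Test-SqlGroupUsable -GroupName 'CONTOSO\MDT-Admins')"
```

The practical consequence is the caveat behind the accepted fix: "Run as administrator" works because the elevated token no longer has those groups marked deny-only, but granting the SQL login to a dedicated, non-administrative domain group avoids needing elevation for the Workbench at all.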

All replies

  • Hi,

    It looks to me like you need to create a security login for your database, which you make your connection to the MDT database with.

    It appears to me that you have now created the database with the SQL account used on your SQL server.

    Also, having a SQL user is something different than an Active Directory user or group.

    This would be my first suggestion: create a login for this particular database, and allow the group the desired permissions to the database.

    Good luck!


    If this post is helpful please click "Mark for answer", thanks! Kind regards

    Monday, January 13, 2014 1:11 PM
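The suggestion above, carried out end to end, as an added example that is not part of the thread: create a server-level login for the Windows group, map it into the MDT database with the roles the Workbench needs, and then ask SQL Server which permission path a member of that group would be admitted through. The instance name `MDTSQL01\SQLEXPRESS`, database name `MDT`, group `CONTOSO\MDT-Admins` and user `CONTOSO\jdoe` are all assumptions; run it from a session that already has sysadmin on the instance (for example, locally on the SQL server as in the question).

```powershell
# Added example (not from the thread). All names below are assumptions.
$Instance = 'MDTSQL01\SQLEXPRESS'   # assumed SQL Server instance hosting the MDT DB
$Database = 'MDT'                   # assumed MDT database name
$Group    = 'CONTOSO\MDT-Admins'    # assumed domain security group
$User     = 'CONTOSO\jdoe'          # assumed member of that group

function Invoke-MdtSql {
    # Runs a T-SQL batch with integrated security (as the caller), starting in master.
    param([Parameter(Mandatory)][string]$Query, [switch]$NoResult)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Integrated Security=SSPI;Database=master")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        if ($NoResult) { [void]$cmd.ExecuteNonQuery(); return }
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return $table
    } finally { $conn.Close() }
}

# 1. Server-level login for the Windows group (type 'G' in sys.server_principals).
#    This is what the Workbench's connection is authenticated against.
Invoke-MdtSql -NoResult -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Group' AND type = 'G')
    CREATE LOGIN [$Group] FROM WINDOWS;
"@

# 2. Database user for that login plus fixed roles. db_datareader only lets the
#    Workbench list records; adding a computer record is an INSERT, so grant
#    db_datawriter as well. sp_addrolemember works on SQL Server 2008 and later.
Invoke-MdtSql -NoResult -Query @"
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Group')
    CREATE USER [$Group] FOR LOGIN [$Group];
EXEC sp_addrolemember N'db_datareader', N'$Group';
EXEC sp_addrolemember N'db_datawriter', N'$Group';
"@

# 3. Check how SQL Server would admit the user: 'permission path' names the
#    group login that grants access. If the account is not admitted through any
#    login, xp_logininfo raises an error instead of returning a row.
Invoke-MdtSql -Query "EXEC xp_logininfo @acctname = N'$User', @option = 'all';" |
    Select-Object 'account name', type, privilege, 'mapped login name', 'permission path' |
    Format-Table -AutoSize
```

If step 3 shows the group in the permission path but the Workbench still fails from an unelevated session with the "token-based server access validation" message, the login is correct and the problem is UAC token filtering on the client, not the database permissions.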
  • Hello Rens,

    I added the Active Directory group as a security login. I also gave it db_datareader access to the MDT database.

    The AD user account is a member of that group.

    But it still does not work.

    If I add the AD user account as a security login and grant access, it works.

    So not sure what is happening.

    To be clear, could you share with me the exact steps you mean, just to make sure I am not missing anything?

    Thanks.

    Monday, January 13, 2014 2:38 PM
  • Hi,

    Not really sure, since I haven't experienced it before and my SQL knowledge is limited, but perhaps you can check or recreate the following:

    https://groups.google.com/forum/#!topic/microsoft.public.sqlserver.security/OUeA3Jq_woc

    http://dba.stackexchange.com/questions/35424/how-to-refresh-ad-security-group-on-sql-server-permissions

    It looks to me like you're doing fine, but perhaps I'm missing something. Normally I would also say check the permissions on the database.

    To troubleshoot, I would try to recreate a situation that you know is 100% going to work, and then try to reproduce the same with the variables in relation to your MDT DB connection.

    Sorry I can't be of any more service than this.


    If this post is helpful please click "Mark for answer", thanks! Kind regards

    Monday, January 13, 2014 3:11 PM
  • Hi,

    Glad you found it, so UAC was the troublemaker; I couldn't imagine it was the SQL DB.

    Anyways glad you found it.


    If this post is helpful please click "Mark for answer", thanks! Kind regards

    Tuesday, January 14, 2014 8:06 AM