Paula,
By NT Group, I assume that you mean a Windows Domain Group. E.g.
GROUP: Domain\SpecialUsers
USERS: Domain\Fred
Domain\Sally
You would like to allow Domain\SpecialUsers through the linked server
without specifying Fred and Sally separately. However, mappings of rights
always need to be for singleton users. For example, SQL Agent jobs are
owned by Users not Groups, you can EXECUTE AS a User, not a Group, etc.
Assuming that Kerberos authentication is working on your domain and between
the servers, you could do the following. Rather than specifying anything in
the mappings of logins, why not simply choose the radio button: "Be made
using the login's current security context".
On the server being linked to, grant Domain\SpecialUsers the appropriate
rights in the remote server's database or databases. Then the user's
credentials pass forward through the link and only the group needs to be
defined.
This does mean that "anyone" could use the link, but they only get the
rights you have granted to them. If they have no rights granted, they
should get nothing that is not very public.
RLF
"pnorth" wrote in message
> Why can't I used an NT Group as a local login on the security tab of the
> linked server? Because I cannot, I have to add each NT login to the
> server
> so that they will appear in the local login drop box and then add each
> manually (as I am mapping them to a remote login). Then I must ensure
> that
> no one in the dba group updates security on the individual nt logins
> rather
> than the nt groups. Some of the groups have hundreds of users.
>
> Doesn't this defeat the purpose of being able to use the NT group to ease
> maintenance? Is there another way to do this that I am missing?
>
> Paula
FAQ
Search
Profile
Private Messages
Log in
