
I have a Windows Server 2012 R2 domain controller and a database server (W2K12R2/SQL Server 2012).

As an allowed user group I have given the group "domain-admins" sysadmin rights.

But somehow no domain administrator can connect to that SQL Server; when I add the domain administrator user directly as an allowed user, it does work. Active Directory works. RDP login works. Am I missing something?

Does anybody know how to grant access to the whole group "domain-admins"?

The error message is:

Servername: SRV-DB
Error Number: 18456
Schweregrad: 14
Status: 1
Line of Code: 65536

In the event log it says (translated):

Error checking the token-based server access with infrastructure failure.

State is "1". I log on to that DB server with RDP as a domain admin. I have to explicitly start SSMS with "Run as administrator". Then I can access "localhost". If I don't start SSMS as admin, I can't. I thought being in the group "domain-admins" would be enough.

Erik Mandke

  • And the state number? 11? See http://sqlblog.com/blogs/aaron_bertrand/archive/2011/01/14/sql-server-v-next-denali-additional-states-for-error-18456.aspx – Aaron Bertrand Nov 24 '14 at 17:38

2 Answers


I found the answer to my problem in this answer by Remus Rusanu.

As a domain admin, I connected to that SQL Server host via Remote Desktop. I had to start SQL Server Management Studio explicitly "as an administrator" (right-click -> Run as administrator).

If SSMS isn't started in administrator mode, the current login is not in the "builtin\administrators" group. That was the problem.

It comes from Windows User Account Control (UAC). So that is actually a security "feature".

Erik Mandke

  • Ok, so it was exactly what state 11 suggests [in the link I posted earlier](http://sqlblog.com/blogs/aaron_bertrand/archive/2011/01/14/sql-server-v-next-denali-additional-states-for-error-18456.aspx). – Aaron Bertrand Nov 24 '14 at 20:17
  • That's not a "feature", it's exactly how [UAC is supposed](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj574202(v=ws.11)) to work: `With UAC, applications and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system.` – vonPryz Jan 22 '18 at 14:08
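A way to confirm the filtered-token cause from inside SQL Server and to grant the access without depending on an elevated SSMS, as an added T-SQL example (not code from this thread); the group name CONTOSO\SQL-Admins is a placeholder for a dedicated domain group:

```sql
-- Added example, not from the thread. CONTOSO\SQL-Admins is a placeholder.

-- 1. Diagnosis: list the Windows groups in the token SQL Server built for
--    this session. Under a UAC-filtered (non-elevated) token, BUILTIN\Administrators
--    shows usage = 'DENY ONLY', so membership granted through it counts for nothing.
SELECT name, type, usage
FROM sys.login_token
WHERE type = 'WINDOWS GROUP'
ORDER BY usage, name;

-- Does this session actually hold sysadmin? 1 = yes, 0 = no.
SELECT SUSER_SNAME() AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Mitigation: give the domain group its own server login rather than relying
--    on its nesting in the local Administrators group. A directly granted domain
--    group stays in the token even when SSMS is not elevated.
--    Run once from a connection that already has sysadmin.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\SQL-Admins')
    CREATE LOGIN [CONTOSO\SQL-Admins] FROM WINDOWS;
GO
ALTER SERVER ROLE sysadmin ADD MEMBER [CONTOSO\SQL-Admins];
GO

-- 3. Verify from a non-elevated SSMS session as a member of that group:
--    the group should appear with usage = 'GRANT OR DENY' and the role check returns 1.
SELECT name, usage
FROM sys.login_token
WHERE name = N'CONTOSO\SQL-Admins';
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
```

Using a narrower dedicated group instead of Domain Admins also keeps database administration out of the highest-privilege directory group, which is the least-privilege arrangement to prefer.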

It's easy. If you are able to log on with the old credentials (the local computer's Administrator), you have to use them to access Remote Desktop and use that to add the Domain Controller Administrator.

regufo