May 4, 2007 at 1:19 pm
Folks,
Has anyone figured out a good way for synchronizing a SQL Credential’s password with the actual domain account password? The domain accounts we are creating for Credentials are created with expiring passwords and are on a fairly short basis. It is rather a laborious process of updating the password for the domain account and then to update the SQL Credential. Does anyone have any suggestions?
Thanks!
May 7, 2007 at 6:05 am
Aside from using SQL authentication, you may not have any great options.
You could write an application for the users to change their password (rather than the regular Windows dialogs) that would update both AD and your SQL logins in one step, but you cannot ask AD for a password.
May 7, 2007 at 8:30 am
Michael,
Thank you for your reply. Actually, this is a little different than Windows logins. We are using AD accounts to create SQL Credentials to create SQL Proxies for running job steps. When you create the SQL Credential, you have to specify the AD account password. And when the job step runs, SQL logs the AD account on and the job step runs under the context of the AD account. So, we must change the AD account password every X days for security purposes. I think the only real good way of doing this is to write a little app that generates a strong password, updates AD with the password, and then runs the ALTER Credential to set the new password.
Thanks
Lee
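A sketch of the "little app" described in the post above, as an added example that is not code from any poster in this thread. It assumes the ActiveDirectory and SqlServer PowerShell modules and a caller allowed to reset the AD account and alter the credential; every account, credential and server name is a placeholder.

```powershell
# Added example; every name in param() is a placeholder.
param(
    [string]$SamAccountName = 'svc_sqlproxy',
    [string]$Identity       = 'EXAMPLE\svc_sqlproxy',
    [string]$CredentialName = 'ProxyCredential',
    [string]$ServerInstance = 'SQLHOST01',
    [int]$Length = 32
)
Import-Module ActiveDirectory, SqlServer

function New-RandomPassword([int]$Length) {
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-_=@'
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes >= limit to avoid modulo bias
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($buf)
                if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
            }
            $pw = $sb.ToString()
            # Regenerate until upper, lower and digit are all present (AD complexity rule).
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
        return $pw
    } finally { $rng.Dispose() }
}

$plain  = New-RandomPassword $Length
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# 1. Reset the domain account password (needs reset rights on the account).
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure -ErrorAction Stop

# 2. ALTER CREDENTIAL accepts only literals, so escape ] and ' before building the statement.
$name   = $CredentialName.Replace(']', ']]')
$id     = $Identity.Replace("'", "''")
$secret = $plain.Replace("'", "''")
$sql    = "ALTER CREDENTIAL [$name] WITH IDENTITY = N'$id', SECRET = N'$secret';"
try {
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $sql -DisableVariables -ErrorAction Stop
} catch {
    # AD already holds the new password, so the credential is stale until this step is retried.
    throw "AD reset succeeded but ALTER CREDENTIAL failed on ${ServerInstance}: $_"
} finally {
    $plain = $null; $secret = $null; $sql = $null
}
```

The new password is never displayed or stored by the script; it exists only long enough to be written to AD and to the credential.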
October 24, 2007 at 10:48 am
Lee,
Have you found a solution for this problem yet? I have been working on the exact same issue for quite some time now. I have a handful of developers, I have tried everything!!
Here's my issue... (additional bridge to cross). I do not have the authority to change their AD passwords. Each person in the company is set that when they log in and it's time for their pw to expire, they are prompted and at that point can change.
I don't want to ask each developer for their PW (goes against all security issues) and I don't want to have to track each one and remember whose pw expires when, and then alter each credential and hope that I haven't missed one etc.
My brain is hurting from this issue... any help is very very much appreciated.
Thanx,
Teri :crying:
October 24, 2007 at 11:08 am
Teri,
I'm sorry, but short of creating an app to do this, I don't think there is a good solution. And this app would have to be executed by a person that had rights to update the AD account as well as the credential. Right now, our network admins and our DBAs have to coordinate with each other when one of our credentials' password changes.
October 24, 2007 at 1:52 pm
Lee,
I was afraid of that, BUT thanx for the quick reply. I have been working on this for some time now. I had no problems with giving my developers the necessary rights to create SSIS packages, and then move them up. However it is SQLAgent (scheduling /executing) that is causing me much grief.
Also because of the sheer size of my company, there isn't "anybody" in NT Admin that I can coordinate with. Looks like I may have to add on another responsibility :w00t: (Fortunately I only have a handful of developers in my department)
But thanx anyway. I will post something if I find some other way
Thanx again
Teri
October 24, 2007 at 8:14 pm
Do you have any systems which handle password change? Or do all of your users use CTRL+ALT+DEL? If the former, perhaps it can be extended.
K. Brian Kelley
@kbriankelley
October 25, 2007 at 6:07 am
Unfortunately it is during login (or Ctrl-Alt-Delete) that the password is changed. There is an application that was created that would allow a user to reset their password, but I would never be allowed to tap into something like that.
I work for an extremely large corporation (400,000+ globally) and do have administrator rights on my servers, DataCenter, field servers and within my OU. BUT I do not have any Domain Administrative rights.
So at this point I have 4 options on how I am to handle security for my developers.
Again I appreciate the suggestions
Teri