Hi,
1) What's difference between disabling a login and denying it?
2) What does Denying mean for a login of type SQL Authentication?
Thanks in advance,
LeilaDenying a login is done by an administrator to prevent the person from
logging into SQL Server. Disabling is done by SQL Server itself. This is
typically because someone tried to login with the password unsuccessfully
several times and the limit was exceeded.
Tom
----
Thomas A. Moreau, BSc, PhD, MCSE, MCDBA, MCITP, MCTS
SQL Server MVP
Toronto, ON Canada
https://mvp.support.microsoft.com/profile/Tom.Moreau
"Leila" <Leilas@.hotpop.com> wrote in message
news:eYmc6p5fHHA.4032@.TK2MSFTNGP02.phx.gbl...
Hi,
1) What's difference between disabling a login and denying it?
2) What does Denying mean for a login of type SQL Authentication?
Thanks in advance,
Leila|||Thanks Tom,
Then what's the checkbox in status tab of a login properties (Login is
locked out). Mine is gray (I use win XP)
"Tom Moreau" <tom@.dont.spam.me.cips.ca> wrote in message
news:%23tEa0s5fHHA.588@.TK2MSFTNGP06.phx.gbl...
> Denying a login is done by an administrator to prevent the person from
> logging into SQL Server. Disabling is done by SQL Server itself. This is
> typically because someone tried to login with the password unsuccessfully
> several times and the limit was exceeded.
> --
> Tom
> ----
> Thomas A. Moreau, BSc, PhD, MCSE, MCDBA, MCITP, MCTS
> SQL Server MVP
> Toronto, ON Canada
> https://mvp.support.microsoft.com/profile/Tom.Moreau
>
> "Leila" <Leilas@.hotpop.com> wrote in message
> news:eYmc6p5fHHA.4032@.TK2MSFTNGP02.phx.gbl...
> Hi,
> 1) What's difference between disabling a login and denying it?
> 2) What does Denying mean for a login of type SQL Authentication?
> Thanks in advance,
> Leila
>|||Is it grey *and* checked or is it grey and *not* checked?
When SQL Server disables a login, you should be able to uncheck that box.
You're not allowed to check it, however.
Tom
----
Thomas A. Moreau, BSc, PhD, MCSE, MCDBA, MCITP, MCTS
SQL Server MVP
Toronto, ON Canada
https://mvp.support.microsoft.com/profile/Tom.Moreau
"Leila" <Leilas@.hotpop.com> wrote in message
news:e%23sbDL6fHHA.4032@.TK2MSFTNGP02.phx.gbl...
Thanks Tom,
Then what's the checkbox in status tab of a login properties (Login is
locked out). Mine is gray (I use win XP)
"Tom Moreau" <tom@.dont.spam.me.cips.ca> wrote in message
news:%23tEa0s5fHHA.588@.TK2MSFTNGP06.phx.gbl...
> Denying a login is done by an administrator to prevent the person from
> logging into SQL Server. Disabling is done by SQL Server itself. This is
> typically because someone tried to login with the password unsuccessfully
> several times and the limit was exceeded.
> --
> Tom
> ----
> Thomas A. Moreau, BSc, PhD, MCSE, MCDBA, MCITP, MCTS
> SQL Server MVP
> Toronto, ON Canada
> https://mvp.support.microsoft.com/profile/Tom.Moreau
>
> "Leila" <Leilas@.hotpop.com> wrote in message
> news:eYmc6p5fHHA.4032@.TK2MSFTNGP02.phx.gbl...
> Hi,
> 1) What's difference between disabling a login and denying it?
> 2) What does Denying mean for a login of type SQL Authentication?
> Thanks in advance,
> Leila
>|||Tom Moreau (tom@.dont.spam.me.cips.ca) writes:
> Denying a login is done by an administrator to prevent the person from
> logging into SQL Server. Disabling is done by SQL Server itself. This is
> typically because someone tried to login with the password unsuccessfully
> several times and the limit was exceeded.
It's possible for an administrator to disable login with ALTER LOGIN as
well.
Really what the subtle difference between DENY CONNECT and ALTER LOGIN
DISABLE might be in practice, I can't really see.
Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pr...oads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodin...ions/books.mspx|||It is not checked. So when the login is locked, i can enable it by clicking
Enable option. What's the need for this checkbox?
"Tom Moreau" <tom@.dont.spam.me.cips.ca> wrote in message
news:%23vey2R6fHHA.588@.TK2MSFTNGP06.phx.gbl...
> Is it grey *and* checked or is it grey and *not* checked?
> When SQL Server disables a login, you should be able to uncheck that box.
> You're not allowed to check it, however.
> --
> Tom
> ----
> Thomas A. Moreau, BSc, PhD, MCSE, MCDBA, MCITP, MCTS
> SQL Server MVP
> Toronto, ON Canada
> https://mvp.support.microsoft.com/profile/Tom.Moreau
>
> "Leila" <Leilas@.hotpop.com> wrote in message
> news:e%23sbDL6fHHA.4032@.TK2MSFTNGP02.phx.gbl...
> Thanks Tom,
> Then what's the checkbox in status tab of a login properties (Login is
> locked out). Mine is gray (I use win XP)
>
> "Tom Moreau" <tom@.dont.spam.me.cips.ca> wrote in message
> news:%23tEa0s5fHHA.588@.TK2MSFTNGP06.phx.gbl...
>|||It's just a convenience to re-enable the login.
Tom
----
Thomas A. Moreau, BSc, PhD, MCSE, MCDBA, MCITP, MCTS
SQL Server MVP
Toronto, ON Canada
https://mvp.support.microsoft.com/profile/Tom.Moreau
"Leila" <Leilas@.hotpop.com> wrote in message
news:%23K0Oym6fHHA.4156@.TK2MSFTNGP02.phx.gbl...
It is not checked. So when the login is locked, i can enable it by clicking
Enable option. What's the need for this checkbox?
"Tom Moreau" <tom@.dont.spam.me.cips.ca> wrote in message
news:%23vey2R6fHHA.588@.TK2MSFTNGP06.phx.gbl...
> Is it grey *and* checked or is it grey and *not* checked?
> When SQL Server disables a login, you should be able to uncheck that box.
> You're not allowed to check it, however.
> --
> Tom
> ----
> Thomas A. Moreau, BSc, PhD, MCSE, MCDBA, MCITP, MCTS
> SQL Server MVP
> Toronto, ON Canada
> https://mvp.support.microsoft.com/profile/Tom.Moreau
>
> "Leila" <Leilas@.hotpop.com> wrote in message
> news:e%23sbDL6fHHA.4032@.TK2MSFTNGP02.phx.gbl...
> Thanks Tom,
> Then what's the checkbox in status tab of a login properties (Login is
> locked out). Mine is gray (I use win XP)
>
> "Tom Moreau" <tom@.dont.spam.me.cips.ca> wrote in message
> news:%23tEa0s5fHHA.588@.TK2MSFTNGP06.phx.gbl...
>|||> Really what the subtle difference between DENY CONNECT and ALTER LOGIN
> DISABLE might be in practice, I can't really see.
I agree regarding SQL Server logins.
Perhaps MS just wanted to be consistent, and allow both DISABLE and DENY for
both Windows *and* SQL
logins? I presume that for Windows logins there's a big difference. Say Joe
is a Windows login and
is also member of a windows group that has a login. DENY on Joe would mean "
Joe cannot connect.".
DISABLE would mean "Joe can connect through his windows group membership.".
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://www.solidqualitylearning.com/
"Erland Sommarskog" <esquel@.sommarskog.se> wrote in message
news:Xns9914851B9626Yazorman@.127.0.0.1...
> Tom Moreau (tom@.dont.spam.me.cips.ca) writes:
> It's possible for an administrator to disable login with ALTER LOGIN as
> well.
> Really what the subtle difference between DENY CONNECT and ALTER LOGIN
> DISABLE might be in practice, I can't really see.
>
> --
> Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se
> Books Online for SQL Server 2005 at
> http://www.microsoft.com/technet/pr...oads/books.mspx
> Books Online for SQL Server 2000 at
> http://www.microsoft.com/sql/prodin...ions/books.mspx|||Is it really reasonable that when DBA disables a login, it can still be
authenticated via other way? In what situation is it useful?
I cannot understand the interaction between Deny and Disable status for a
login. Which one takes precedence?
Could you please explain more about your example.
Thanks indeed.
"Tibor Karaszi" <tibor_please.no.email_karaszi@.hotmail.nomail.com> wrote in
message news:OU8oZhAgHHA.4188@.TK2MSFTNGP02.phx.gbl...
> I agree regarding SQL Server logins.
> Perhaps MS just wanted to be consistent, and allow both DISABLE and DENY
> for both Windows *and* SQL logins? I presume that for Windows logins
> there's a big difference. Say Joe is a Windows login and is also member of
> a windows group that has a login. DENY on Joe would mean "Joe cannot
> connect.". DISABLE would mean "Joe can connect through his windows group
> membership.".
> --
> Tibor Karaszi, SQL Server MVP
> http://www.karaszi.com/sqlserver/default.asp
> http://www.solidqualitylearning.com/
>
> "Erland Sommarskog" <esquel@.sommarskog.se> wrote in message
> news:Xns9914851B9626Yazorman@.127.0.0.1...
>|||Seems I was incorrect. I just disabled the Windows login I'm currently using
, and although I'm
member of the Administrators group (which is also a login), I couldn't login
to my SQL Server.
So, just to be certain that I didn't do something fishy, I dropped that disa
bled login, and now I
could connect (through my windows group membership).
Makes me too wonder why we can both disable and deny a login...
Hmm, hang on. Perhaps this is relevant for logins that aren't traditional lo
gins? Perhaps DISABLE is
important for logins that are created for certificates or symmetric keys? Th
is is just speculation,
but my thinking is that perhaps you cannot DENY CONNECT on such a login, and
this is where DISABLE
is needed? I'm afraid that I don't have such a setup where I can test it, th
ough...
--
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://sqlblog.com/blogs/tibor_karaszi
"Leila" <Leilas@.hotpop.com> wrote in message news:%23gU8D4EgHHA.2640@.TK2MSFTNGP06.phx.gbl...
> Is it really reasonable that when DBA disables a login, it can still be au
thenticated via other
> way? In what situation is it useful?
> I cannot understand the interaction between Deny and Disable status for a
login. Which one takes
> precedence?
> Could you please explain more about your example.
> Thanks indeed.
>
> "Tibor Karaszi" <tibor_please.no.email_karaszi@.hotmail.nomail.com> wrote i
n message
> news:OU8oZhAgHHA.4188@.TK2MSFTNGP02.phx.gbl...
>
没有评论:
发表评论