I've read tons of questions and answers (from Pinal Dave's website, Microsoft links and everything) about my error but none of them helped me. I've found questions and answers from nine years ago to today. I created a Linked Server with proper username/password to read info from our Active Directory (AD). But it doesn't matter what user I use (we tried everything, even with the most powerful user we have in the network that can make it rain if it wants) and I still get the same error: Msg 7399, Level 16, State 1, Line 16 The OLE DB provider "ADsDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation. I tried to run SSMS with the user with no success. I set the security tab to run with the specific user that can read the AD. These are the queries I'm trying: SELECT top 100 * FROM OpenQuery ( ADSI, 'SELECT displayname FROM ''LDAP://myDomain.local/OU=Usuarios''' ) SELECT TOP 100 * FROM OPENQUERY (ADSI,'SELECT displayname FROM ''LDAP://myDomain.local/OU=USUARIOS,DC=MyDomain,DC=LOCAL''' ) SELECT * FROM OpenQuery ( ADSI, 'SELECT * FROM ''LDAP://myDomain.local/DC=MyDomain,DC=local'' WHERE objectClass = ''User'' ') I opened management studio with this powerful user and it still doesn't work. What can be the error here? I'm querying the AD server remotely from my machine from SSMS.

I am attempting to add a Windows AD User account in order to embed it in SSRS reports for org wide reports. Using SSMS (with \\Administrator access): - Server Level: - Created the account on SQL Server > Security - Logins: General (Windows Authentication) - Default Database: \ - Server Roles: Public - User Mapping: \ (selected) - Status: - Connect: Grant - Login: Enabled - Database Level: - Membership: db_datareader

Currently I have a simple SSIS project inside of a server that only allow one person to use. I am looking for an alternative for other people to collaborate with that SSIS project. I have done my research to try using Azure DevOps and Github. But my manager wants me to use Active Directory, to allow users with valid username to access the project. How can I add new user inside of the SSIS project? Is there any way I can just add new user through visual studio so that they can also collaborate? I have added a new user inside of my SSISB folder. But still I have not found any solution.

We are managing our SQL Always On listeners records in 2 active directory servers (they are syncing each other) and we came across an issue which we couldn't pinpoint the cause for.We are testing MSSQL failovers on our windows DB servers and after the failover we check the DNS manager to see that the IP for the relevant listener changed (our DB servers are on multiple subnets). In some cases (once every few failovers) we see that the listener record duplicates ,meaning we have 2 records for the same listener pointing to different DB servers and not 1 pointing to the primary DB as it should be. We have checked the availability group parameters which might affect this : PublishPTRRecords is set to true for all availability groups and for the cluster. HostRecordTTL is set to 15 seconds. RegisterAllProvidersIP is set to 0 to assure that only a single IP will be available for each listener. I would like to ask your opinion regarding possible causes for this issue or a way to monitor the DNS records change process which might allow me to debug . Thanks

I've setup a new Python site on iis using FastCGI handler. The site has windows authentication enabled in iis and the app checks that the AD user belongs to an active directory group when they access the site. If authorisation fails access is denied. Windows authentication uses Kerberos but it is not a double hop. However the web app reads/writes to a SQL Server database and the DB calls are made using the service account which runs the app pool. The service account has limited access to run the web app and can only access one single database which the web app uses. I've read that impersonation would be better from a DB security perspective using constrained delegation. Although the app does log which user has accesed the db. I wouldn't remember the URL now. but it was essentially stating that the SQL database is checking that the actual AD user who is using the web app has access to the database. As opposed to the database checking that the service account has access. Is there any obvious security risks with the approach I'm using?

I'm trying to setup Kerberos constrained delegation to solve my **double hop** problem. --- I'm using standard SQL Server configuration with Virtual Account (NT SERVICE\MSSQLSERVER) as a service account for all my instances. When I'm trying to perform double hop query via Linked Server I get this typical error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

The setup looks like this: *User Computer > HOP > SQL Server A > HOP (Linked Server) > SQL Server B* And my query is just basic Select just for testing. Like this:

Select * From [Server B].[DB].[Scheme].[Table]

--- Using Kerberos Configuration Manager for SQL Server I verified SPNs and delegation settings for my servers. SPNs are configured automatically: And delegation is set to None: I also checked what type of authentication does SQL Server uses. To check this I ran this query on Server A (from this article ):

SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid ;

And got NTLM as a response. --- According to this results it seems like I'm missing delegation settings. But my question is how should I go about it? I've read countless articles and post and I still can not figure it out. It seems like it should be possible to just use default Virtual Account for this. But every tutorial I've found talks about either Domain Accounts or Managed Service Accounts. In such cases we have this accounts present inside Active Directory, but what about default virtual accounts? This accounts are local - how do I grant delegation permissions to them? Should I grant delegation permission on the machine? But how? I tried doing this. I went over to Active Directory, opened my Server A computer object and did this: So it should allow Server A to delegate to Server B. But it still does not work. And Kerberos Configuration Manager still shows None as delegation type. I'm using Windows Server 2019 and SQL Server 2019. --- **@EDIT** I tried using different setting. Instead of *"Kerberos only"* I selected *"Use any authentication protocol"* and after like 10 minutes **it started working!**. It all makes sense now as SSMS connection still was done with NTLM the "Kerberos only" settings wouldn't work. But the question is why it is still using NTLM? Is it bad and I should try to change it? If so - how?

I have an Azure PostgreSQL server that is giving different connection results in Azure Data Studio (with the PG extension) depending on how the resource's AD Admin setting is configured. With the AD Admin set to an AD security group that I'm a member of, I get "server closed the connection unexpectedly This probably means the server terminated abnormally before or while processing the request." Setting the AD Admin to my AD user account lets me connect successfully. Using the same AD group as the AD Admin setting for our Azure SQL Databases lets my user account in fine in ADS and SSMS. Thanks!

every hour I get event like below. I tried something below. but without success. client access name : CMPDB01 Always ON name : AO Cluster name : cls01 I have multi-IP Addresses in SQL Server Always On Listener. listener ip : 10.10.14.11 - CMPDB01 second ip : 172.19.80.14 - CMPDB01 In the relevant CNO dns records, the CNO computer object has full control privileges. (cls01)CNO password last set attribute : 27.01.2025 (CMPDB01)Listener computer object password last set attribute : 8.01.2025 I have given full control authorization to the CNO computer object, both the SQL Service account and the CNO object like below. Within AD, look for the CNO name. Go to Properties of the computer CNO, then click on the security tab. a. If you do not see the security tab close the properties window for the cno, click on View then check Advanced Features. This will allow you to see the Security tab of the listener within Computers. Within the security tab, give the SQL Service Account FULL CONTROL permissions. Error Message: The computer object associated with the cluster network name resource 'AO_CMPDB01' could not be updated in domain 'contoso.local' during the Password change operation. The text for the associated error code is: The specified network password is not correct. The cluster identity 'cls01$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain

I'm trying to switch between user contexts but ORIGINAL_LOGIN() returns some magic AD account rather than the local machine account I connected with. This makes it impossible to switch back to the original caller context. I'm connecting as a local Windows user. SELECT ORIGINAL_LOGIN(), SYSTEM_USER returns:

-none
MicrosoftAccount\name@email.com | localMachine\localUser

The login I connected with is indeed localMachine\localUser. I'm not even sure where the MicrosoftAccount\name@email.com account comes from, Windows sort of invented this on its own. Now consider this stored procedure: CREATE OR ALTER PROCEDURE spTest WITH EXECUTE AS OWNER AS BEGIN -- Do high-privilege things ... EXECUTE AS LOGIN = ORIGINAL_LOGIN(); -- Fails! -- Impersonate caller, check some permissions REVERT; -- Do more high-privilege things ... END GO EXEC spTest; The EXECUTE AS LOGIN impersonation invariably fails with:

-none
Could not obtain information about Windows NT group/user 'MicrosoftAccount\name@email.com', error code 0x54b.

Obviously, since MicrosoftAccount\name@email.com is not used or configured anywhere. This makes ORIGINAL_LOGIN() completely useless to us, and I have no idea how to temporarily switch back to the caller context. Note that the code above is for demonstration only. The actual code base is significantly more complex with chains of stored procedure calls and triggers involved. How can I get ORIGINAL_LOGIN() to return the actual original login? --- We are not exactly using Azure/Entra AD, or at least not on purpose. But new Windows really tries hard to tie you to the Azure/Entra AD framework whether you like it or not. exec xp_logininfo only exposes localMachine\localUser. There is nothing to tie it to the Azure/Entra AD account. The solution works fine when there is no Azure/Entra AD involved. If possible, I'd like to completely disable the Azure/Entra AD feature for SQL Server. I don't even know why SQL Server chooses it over localMachine\localUser.

I have 4 Windows AD Domains and the same AD Group within them: - DEV\MyADGroup - SIT\MyADGroup - UAT\MyADGroup - PROD\MyADGroup The domains are separated from each other and not trusted, so we can prevent data/access spillage across domains. I also have 4 SQL instances, one for each domain. In a MS VS database solution, I'd like to do something like: CREATE LOGIN [$(USERDOMAIN)\MyADGroup] FROM WINDOWS GO but I get the error: > SQL70604: SqlCmd variable reference is not allowed in object names ($(USERDOMAIN)\MyADGroup). Is there some way to allow the MS VS project to understand that it should dynamically fill in the USERDOMAIN variable at Build-Time, so I can generate diff scripts and publish the solution easily to all 4 domains, without having to manually set the correct domain? Things I've tried: - the above, which throws the error - post-execution scripts, which breaks diff script generation and publishing Note: this quesion has nothing to do with database-level users, roles, permissions! We are talking about Windows AD Groups across different Windows AD domains, and how to map them to a SQL Server Instance-level Login!

at our company we run a MS SQL Server that hosts around 70 databases for various software products that are used by our colleagues. The server is version 2016, 8 cores, 127 GB Ram, lots of disk space. Mostly we use trustedConnctions (AD/Kerberos) to the databases. Usage of the databases varies widely. Some are only for logging, others are heavily queried for reading and writing. One of the (third party) software packages, that is used by around 150 users at peak time, connects to 21 databases simultaneously. From time to we see massive problems in the logs of this software, because it takes eight to 12 seconds to establish each database connection. Sometimes there are even timeouts for the connection. In the Database logs we can't find any clue what could cause this delays. The CPU at the server works around 50% most of the time. The disks are not stressed. Total connections to the server fluctuate between 700 and 900. We are not particularly fond in using the sql-server-profiler or interpreting the logs. What could we do to search for the source of the problem? Which indicators should we monitor? Could there be other factors, outside of the sql server, that we should check? I would be grateful for any help! **Update:** the suggestions helped a lot. I read through the links and tried to understand the different wait-types. On script from sqlskills got me this statisic: The biggest chunk is allways the Preemtive_OS_AuthenticationOPS. Internet says: > PREEMPTIVE_OS_AUTHENTICATIONOPS Description This wait accumulates > while SQL Server is waiting for an Active Directory query to complete. That got me thinking... I changed the test environment of the big software suite from trustedconnection (ActiveDirectory) to SQLServer-User authentication. The results are phenomenal: Nearly no wait times for the database connections!! Massive speed increase within the software. Sadly that is not a possible solution for our production environment, but now i will shift my focus to the Kerberos/SQL Server interactions. Any tips on that? **A little update** for users that stumble over this question: The infrastructure colleagues updated a TrendMicro agent on the sql server, that was several versions behind. From that moment on, things ran nearly smoothly. If that was the underlying cause, or also only a symptom of something else... maybe we will never know....

We use Azure Active Directory (Azure AD) in my organisation, and we recently deployed Azure AD Domain Services AADDS) to handle a SQL Server 2019 we use internally. My Azure AD domain is (fictitiously) contoso.com, while my AADDS is aaddscontoso.com. Microsoft strongly recommends that users do not create their managed domain (the AADDS deployment) with the same domain name as their Azure deployment. They also strongly recommend against using something like contoso.local. So of I went to create our AADDS as aaddscontoso.com and everything seems to be working perfectly. The Azure AD works with AADDS, (at least with the Vanilla way we have set-up) is: - All of all laptops, desktops, etc are joined to the Azure AD through the Azure AD join (the cloud method) - We can access the managed domain and its hots (including the SQL server) in our Azure Network via Azure VPN. For instance, right now I am VPN into our Azure network and I can remote desktop to the SQL Server. Here is where the problem starts. Today I just noticed that trying to deploy an SSIS package from Visual Studio from my laptop (whilst connected on VPN) won't work. I tried using Windows Authentication and the authentication fails with the following error: > The target principal name is incorrect. Cannot generate SSPI context. > (Microsoft SQL Server, Error: 0) So I tried using the Active Directory Password Authentication option, then I got the following error: > A connection was successfully established with the server, but then an > error occurred during the login process. (provider: SSL Provider, > error: 0 - The certificate chain was issued by an authority that is > not trusted.) (Microsoft SQL Server, Error: -2146893019) Then I tried to be *clever* and create a SQL Login with the right administrative rights and the connection worked. However it fails on the deployment of the package, saying that you cannot use a SQL account for this. At least this proves that the connection to the server is not the issue. **I *THINK* that this problem could be simplified as follows: I want to deploy an SSIS package from the PC in DOMAIN A to a SQL server found in DOMAIN B. How can I do that?** (Granted that this is not really it, but SSIS seems to think it is).

So, first: the setup. We have SQL Server 2012 (ServerA) running in domain A. We have SQL Server 2012 (ServerB) running in domain B, separate subnet, no trusts. These are completely separate domains for security reasons and they cannot be joined/trusted/etc. We need to be able to query the data directly from domain B via Windows Authenticated logins. I was able to use this guide to set up transaction log shipping to get the databases from ServerA to ServerB (summary: create the transaction log shipping config, use WinSCP to copy the logs to the remote server, manually create the secondary using SQL script). So now we have the two databases running in STANDBY/read-only on ServerB. Now, the problem: we cannot grant access to these databases because they are in read-only so we cannot modify the permissions. How can I grant read-only access to these databases (either at the server level or DB level) to a domain group from DomainB on ServerB? I've found several references to creating a SQL login on the sending side, but I can't find any way to replicate it with a Windows Auth Login.

**I am attempting to configure Oracle with Kerberos. I have completed all of the necessary configurations and have obtained a ticket. However, when I run SQLPlus /@ORCL, I receive the following error:** C:\Users\Administrator>sqlplus /@ORCL SQL*Plus: Release 21.0.0.0.0 - Production on Wed Feb 21 05:42:04 2024 Version 21.3.0.0.0 Copyright (c) 1982, 2021, Oracle. All rights reserved. ERROR: ORA-01017: invalid username/password; logon denied **I am using a Windows machine that acts as both a server and a client. Below are all the details.** [okinit testuser] C:\Users\Administrator>sqlplus /@ORCL SQL*Plus: Release 21.0.0.0.0 - Production on Wed Feb 21 05:42:04 2024 Version 21.3.0.0.0 Copyright (c) 1982, 2021, Oracle. All rights reserved. ERROR: ORA-01017: invalid username/password; logon denied okinit C:\Users\Administrator>okinit testuser Kerberos Utilities for 64-bit Windows: Version 21.0.0.0.0 - Production on 21-FEB-2024 05:40:30 Copyright (c) 1996, 2021 Oracle. All rights reserved. Configuration file : C:\Windows\krb5.ini. Password for testuser@EXAMPLE.COM: [oklist] C:\Users\Administrator>oklist Kerberos Utilities for 64-bit Windows: Version 21.0.0.0.0 - Production on 21-FEB-2024 05:40:49 Copyright (c) 1996, 2021 Oracle. All rights reserved. Configuration file : C:\Windows\krb5.ini. Ticket cache: FILE:C:\Users\Administrator\Documents\kerberos\krb5cache Default principal: testuser@EXAMPLE.COM Valid starting Expires Service principal 02/21/24 05:40:33 02/21/24 15:40:33 krbtgt/EXAMPLE.COM@EXAMPLE.COM renew until 02/22/24 05:40:30 [sqlnet.ora file] SQLNET.AUTHENTICATION_SERVICES= (KERBEROS5, KERBEROS5PRE) SQLNET.KERBEROS5_KEYTAB = C:\Users\Administrator\Documents\keytab\keyfile.keytab SQLNET.KERBEROS5_CC_NAME = C:\Users\Administrator\Documents\kerberos\krb5cache SQLNET.KERBEROS5_CONF = C:\Windows\krb5.ini SQLNET.FALLBACK_AUTHENTICATION = TRUE SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = ORCL [krb5.ini] libdefaults] default_realm = EXAMPLE.COM forwardable = true clockskew = 6000 passwd_check_s_address = false [realms] EXAMPLE.COM = { kdc = hostname.EXAMPLE.COM admin_server = hostname.EXAMPLE.COM default_domain = EXAMPLE.COM } [domain_realm] .EXAMPLE.COM = EXAMPLE.COM EXAMPLE.COM = EXAMPLE.COM .example.com= EXAMPLE.COM example.com = EXAMPLE.COM [keytab generation cmd] ktpass /princ ORCL/hostname.example.com@EXAMPLE.COM /mapuser testuser@EXAMPLE.COM /crypto ALL /ptype KRB5_NT_PRINCIPAL /out C:\Users\Administrator\Documents\keytab\keyfile.keytab /pass password1

I would like to use integrated security with my internal application which is all on a domain. Unfortunately, I've never been able to get this to work well. I would like to assign an entire Exchange (Active Directory) Group a role in SQL Server for read/write access to certain tables. That way I wouldn't have to create an operator whenever someone is hired or delete an operator whenever someone is fired. Is this possible? What steps would I take to do this?

I have created a login for an AD group: CREATE LOGIN [MYDOMAIN\Development Admins] FROM WINDOWS WITH DEFAULT_DATABASE=[master] One of the members of that AD group is a user named DBGuy. I can see the DBGuy user in this AD group if I execute xp_logininfo 'MYDOMAIN\Development Admins', 'members' But if I try to login using the DBGuy account, I get an error: > Error Number: 18456 > Severity: 14 > State: 1 > Line Number: 65536 And in the error logs I see: > Login failed for user 'MYDOMAIN\DBGuy'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.50.127] Some other info.... - Other AD accounts seem to work fine as Windows logins, I am only having an issue with this group. - I found an article from Aaron Bertrand describing a similar issue regarding the default database in the connection- I have set the default database to *master* in the connection settings. - One blog post suggested using exec sp_change_users_login Report to look for orphaned users; this returns zero rows for me.

The authentication timeouts and slowness happen for both local SQL logins and Windows authentication using AD. Rebooting "masks" the problem for a while, but after 6-8 hours, we see them again. The whole time, I see high numbers of PREEMPTIVE_OS_AUTHENTICATIONOPS waits. It can't be strictly an AD or routing issue because authentication happens instantly during RDP login using a domain account, even after many hours or days of uptime. telnet to the relevant ports on the DC instantly return success, so the ports are open. I've gone through everything on this page, to no avail: https://samzsimplesql.wordpress.com/2015/09/01/troubleshooting-connectivity-issues-timeout-error-258-unable-to-complete-login-process-due-to-delay-in-prelogin-response-pre-login-handshake-failed-2/ - SQL Server: 2008 R2 EE 10.50.6560.0 - Windows: 2008 Ent - AD: 2012 R2 (Yes, I know those are ancient versions, but have no control over that.) What else can I look at? EDIT: There are about 1000 connections (it varies throughout the day). "All" (except for the few from me) logins are from the same domain account. The problem started last Monday. There are no errors in the SQL Server error log. This is the only (and there were a lot of them!) message in the DB server's event viewer: > The description for Event ID 17052 from source MSSQLSERVER cannot be > found. Either the component that raises this event is not installed on > your local computer or the installation is corrupted. You can install > or repair the component on the local computer. > > If the event originated on another computer, the display information > had to be saved with the event. > > The following information was included with the event: > > Severity: 16 Error:258, OS: 258 [Microsoft][SQL Server Native Client > 10.0]Shared Memory Provider: Timeout error .

I need to back up my database using a command line instruction. I launch the backup instruction from a Azure DevOps Release Pipeline to back up my SQL server database on a share folder on another server. Here is my deployment group and task:

echo Current user: %username%
whoami
SqlCmd -S myserver1 -U myuser -P mypassword -Q "BACKUP DATABASE [mydatabase] TO DISK='\\Server7\DatabaseBackup\Backup.bak' WITH INIT"

Here is my log of these instructions:

2023-03-09T00:49:26.6349085Z ##[section]Starting: Backup Prod Database
2023-03-09T00:49:26.6973085Z ==============================================================================
2023-03-09T00:49:26.6973085Z Task         : Command line
2023-03-09T00:49:26.6973085Z Description  : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
2023-03-09T00:49:26.6973085Z Version      : 2.212.0
2023-03-09T00:49:26.6973085Z Author       : Microsoft Corporation
2023-03-09T00:49:26.6973085Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line 
2023-03-09T00:49:26.6973085Z ==============================================================================
2023-03-09T00:49:27.4461085Z Generating script.
2023-03-09T00:49:27.4773085Z ========================== Starting Command Output ===========================
2023-03-09T00:49:27.4929085Z ##[command]"C:\Windows\system32\cmd.exe" /D /E:ON /V:OFF /S /C "CALL "C:\azagent\A1\_work\_temp\013b8436-8475-40dd-9d49-f6166ea509cd.cmd""
2023-03-09T00:49:27.5085085Z Current user: SERVER15$
2023-03-09T00:49:27.5397085Z nt authority\system
2023-03-09T00:49:27.7269085Z Msg 3201, Level 16, State 1, Server SERVER6, Line 1
2023-03-09T00:49:27.7269085Z Cannot open backup device '\\server7\DatabaseBackup\Backup.bak'. Operating system error 5(Access is denied.).
2023-03-09T00:49:27.7269085Z Msg 3013, Level 16, State 1, Server SERVER6, Line 1
2023-03-09T00:49:27.7269085Z BACKUP DATABASE is terminating abnormally.
2023-03-09T00:49:27.7737085Z ##[section]Finishing: Backup Prod Database

It seems the issue us related to the access to share folder. I go on my server7 where I created the shared folder. Here is my sharing rules: What is wrong? Of course I'm in a active directory domain. I can also access AD server if needed.

I know that this issue has been discussed elsewhere and I already read it. Our problem is that this occurs only once a day (roughly), the rest of time everything works fine. SERVER RS - Windows Server 2008 R2 STD - Microsoft SQL Server Standard Edition (64-bit) 10.0.6241.0 - SQL Server runnuing under SQLSVC domain account - Computer account in AD delegation tab has set Do not trust this computer for delegation - It has linked server to DB configured using logins current security context. SERVER DB - Windows Server 2008 Ent - Microsoft SQL Server Enterprise Edition (64-bit) 9.00.5000.00 - SQL Server runnuing under SQLSVC domain account - IP: xx.yy.1.30 - Computer account in AD delegation tab has set Trust this computer for delegation to any service (Kerberos only) - It has linked server configured to RS using logins current security context (no problem there). On RS server there is a job which runs many steps one of which is procedure on DB server. Roughly once a day, we have this error. The error is only logged in RS server as Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: xx.yy.1.30] Date 31.05.2017 16:09:02 Log SQL Server (Current - 31.05.2017 16:09:00) and second Source Logon Message Error: 18456, Severity: 14, State: 11. SPNS registred for SQLSVC account is as follows MSSQLSvc/RS.domain.local:1433 MSSQLSvc/RS.domain.local MSSQLSvc/DB.domain.local:1433 MSSQLSvc/DB:1433 Delegation on SQLSVC account (in AD) is as follows Trust this user for delegation to specified services only - Use Kerberos only MSSQLSvc DB.domain.local 1433 MSSQLSvc RS.domain.local MSSQLSvc RS.domain.local 1433 ** here is missing the DB.domain.local (wo port) but in this scenario we are not using double hop. When the error happens, there is no word in system logs, only SQL log on RS server. I went and enabled logging Kerberos messages on RS server, with no log information in the moment of error. I also asked infrastructure guys for help, they say there is also no error logged on AD controllers in timeframe of error. I would realy apriciated any suggestion on what to do next, because the error happens randomly roughly once a day. Also if you can comment on settings concerning delegation tab in AD computer account (I cant make changes to AD so any change must be justified). Thank you.

I need to get all active directories locations, related to current machine, by SQL script to create logins for them. Is there a way to perform that? For now I wrote such procedure: USE [master] GO CREATE LOGIN [**Location**\Domain Users] FROM WINDOWS WITH DEFAULT_DATABASE=[master] GO Is there a way to get all locations using SQL query? Thanks in advance.