Hide other domain listing in the SQL Logins
-
Friday, February 3, 2012 14:52
Hello people,
I have 3 servers with different domains.
1. Server1 (domain: CONTOSO.com)
2. Server2 (domain: CONTOSO2.com)
3. Server3 (domain: Contoso3.com)
I have created a one-way incoming domain-wide trust on "contoso2.com" for "contoso.com" and on "contoso3.com" for "contoso.com". I have installed SQL Server 2008 on "contoso.com". When I open SQL Server Management Studio from "contoso2.com" and connect to the SQL Server instance on "contoso.com", it connects. When I then try to create a new login in SQL Server and click Browse to see the directory, I see all 3 domains listed.
Is there a way I can stop a "contoso2.com" user from seeing the other domains listed in the directory while adding a new user to the logins of SQL Server 2008?
- Edited by coolbudy3002 Friday, February 3, 2012 14:53
All replies
-
Friday, February 3, 2012 16:19 Moderator
Hello,
To my knowledge it is not possible, all trusted domains should appear. This is coming from the operating system, it is not something you can manage on SQL Server.
Hope this helps.
Regards,
Alberto Morillo
SQLCoffee.com
- Edited by Alberto Morillo MVP, Moderator Friday, February 3, 2012 16:21
-
Friday, February 3, 2012 17:20
Thank you Alberto Morillo for replying to the post.
Is there a way I can hide the Logins tab from the Security option in SQL Server Management Studio 2008 R2? This will resolve my issue.
- Edited by coolbudy3002 Friday, February 3, 2012 17:34
-
Friday, February 3, 2012 20:32 Moderator
Hello,
Only users that meet required permissions can create logins. You don’t have to be afraid.
Hope this helps.
Regards,
Alberto Morillo
SQLCoffee.com
-
Friday, February 3, 2012 20:38
The reason I am afraid is that other domain users will see the list of all my clients' domains.
-
Saturday, February 4, 2012 03:26 Moderator
Hello,
If this is the case, maybe creating VPN connections with your clients may be better in terms of security.
Hope this helps.
Regards,
Alberto Morillo
SQLCoffee.com
-
Monday, February 6, 2012 02:56 Moderator
Hi coolbudy3002,
It is reasonable to hide other domains when you select a domain user for a SQL Server login. For SQL Server, it might not be available to hide a domain which is trusted. It is out of scope for SQL Server to manage the relationships between these trusted domains. To not display other domains, you may consider separating the SQL Server instance for each domain.
Stephanie Lv
TechNet Community Support
-
Monday, February 6, 2012 15:48
Thank you Stephanie for replying, but I cannot create instances for each client as I have more than 1000 clients preserving their databases in my SQL Server.
Alberto Morillo: What do you mean by creating a VPN connection will resolve my issue? Could you please explain in detail, with the steps to do so? I'm sorry, but I am not following you. My clients open SSMS in their domain and then connect to my SQL Server instance with the help of the one-way domain-wide trust created between me and them. There they see only the database of which they are the owner. But when they go to add more users in SSMS (they do not have permission to do so, as they will get an access denied error at the end), they see the domain names of all the clients who have a trust with my domain.
-
Monday, February 6, 2012 20:40 Moderator
Hello,
I was talking about DirectAccess.
http://technet.microsoft.com/en-us/library/dd875525(WS.10).aspx
http://technet.microsoft.com/en-us/windows/dd572177
They can open SSMS and get connected to SQL Server at your network using this VPN technology. See the resources I posted.
Regards,
Alberto Morillo
SQLCoffee.com
-
Monday, February 6, 2012 23:09
But in this scenario, all my clients would access my resources using DirectAccess or VPN, and they would then see not only my trusted domains list but also my architecture. They would personally get into my server, which I wouldn't prefer.
Please let me know if I understood your recommendations correctly.
-
Tuesday, February 7, 2012 13:43 Moderator
Hello,
OK. I suppose you have an application those clients use. Try then to put that application on Terminal Services and allow only the application to access SQL Server. Every user connects to the Terminal Server and the application.
Hope this helps.
Regards,
Alberto Morillo
SQLCoffee.com
-
Tuesday, February 7, 2012 14:43
No, I don't have an application. I have SQL Server Management Studio, which my clients connect with to see their database in my shared SQL environment.
- Edited by coolbudy3002 Tuesday, February 7, 2012 14:44
-
Wednesday, February 8, 2012 22:37 Moderator
Hello,
Remove those trusted domains. Put SQL Server Management Studio on a Terminal Services (TS) server. Allow your customers to access your TS server and from there connect to the Shared SQL Environment.
Regards,
Alberto Morillo
SQLCoffee.com
-
Thursday, February 9, 2012 16:15
Yes, I can try that. But my clients are so smart that they will install SQL Server Management Studio on their systems and will access my SQL instance, as they have control on the instance to fetch data in SharePoint.
- Edited by coolbudy3002 Thursday, February 9, 2012 16:15
-
Wednesday, February 15, 2012 00:17
After some extensive troubleshooting, I am able to hide the other domain listing from Security->Logins->Locations. We have to set the "Read" and "Allowed to Authenticate" permissions and deny "read permission" on the "contoso.com" domain Active Directory under "Domain Controllers" for the other two domains' users.
- Marked as answer by coolbudy3002 Wednesday, February 15, 2012 00:17
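One way to review the permissions the accepted answer refers to, as an added example that is not part of the original thread: the script below is read-only and lists the access control entries that principals from the client domains hold on the "Domain Controllers" container of the domain it is run in. It assumes the ActiveDirectory PowerShell module is installed, that it runs in contoso.com, and that the client domains' NetBIOS names are CONTOSO2 and CONTOSO3 (the thread gives only the DNS names).

```powershell
# Added example (not from the thread): read-only audit of ACEs on the
# "Domain Controllers" container for principals from the client domains.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# Assumption: NetBIOS names of the two client domains named in the thread.
$clientDomains = 'CONTOSO2', 'CONTOSO3'

# GUID of the Allowed-To-Authenticate extended right in the AD schema.
$allowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# Distinguished name of the Domain Controllers container in the current domain.
$dcContainer = (Get-ADDomain).DomainControllersContainer

(Get-Acl -Path "AD:\$dcContainer").Access |
    Where-Object {
        # Keep ACEs whose trustee resolves to DOMAIN\name in a client domain.
        # Trustees that cannot be resolved appear as raw SIDs and are skipped.
        $id = $_.IdentityReference.Value
        $clientDomains | Where-Object { $id -like "$_\*" }
    } |
    Select-Object IdentityReference,
                  AccessControlType,        # Allow or Deny
                  ActiveDirectoryRights,    # e.g. GenericRead, ExtendedRight
                  @{ Name       = 'AppliesTo'
                     Expression = {
                         if ($_.ObjectType -eq $allowedToAuth) { 'Allowed to Authenticate' }
                         elseif ($_.ObjectType -eq [guid]::Empty) { '(all)' }
                         else { $_.ObjectType }
                     } },
                  IsInherited |
    Sort-Object IdentityReference, AccessControlType |
    Format-Table -AutoSize
```

A Deny entry takes precedence over an Allow entry of the same kind (explicit or inherited), so the output shows at a glance which of the two applies to each client-domain group.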

