Hi,
I inherited an install of Vault version 4.1.4 and I’m having a small problem with removing the vault user from the local admin group. The Vault install is on the same machine as our SQL2005 install and the vault DB’s on this instance of SQL. I have a need now to remove the builtin\administrators group from SQL. I’ve added the vault user (vaultadmin) to SQL and made that account a sysadmin. I then remove the builtin\administrators from the sysadmin role in SQL and when I do this vault becomes in accessible. What other service account would vault be using in the builtin\administrators group? The vaultadmin user is still in the local admin group so it has full access to all the files on the server. What am I missing?
Thanks,
Jeff
Removing vault user from local admin group
Moderator: SourceGear
Re: Removing vault user from local admin group
I would doubt that Vault is using the SQL user you made. Vault sets up its own user during the install. It would have a user called sgvaultuser if you used SQL authentication during the install. If you used Windows authentication, then the user will depend which IIS process model you chose. The most common ones it could be under Windows authentication would be NT Authority/Network Service or a domain user.
Beth Kieler
SourceGear Technical Support
SourceGear Technical Support
Re: Removing vault user from local admin group
Hey Beth,
Thanks for the reply but neither the network server account or the domain users account is in the local administrators group. So removing the builtin\admin group from SQL shouldn't cause a problem. The only thing in the local admin group is that local user svaultadmin and a domain service account that I have also add to SQL separately and have given it SYSadmin access. This service account runs my SQL agent and most services on the machine.
I can see the sgVault and sgmaster DB’s on my server and the vaultadmin user is the owner. Is there some logging I can switch on to see why I can’t login to vault?
Thanks for the reply but neither the network server account or the domain users account is in the local administrators group. So removing the builtin\admin group from SQL shouldn't cause a problem. The only thing in the local admin group is that local user svaultadmin and a domain service account that I have also add to SQL separately and have given it SYSadmin access. This service account runs my SQL agent and most services on the machine.
I can see the sgVault and sgmaster DB’s on my server and the vaultadmin user is the owner. Is there some logging I can switch on to see why I can’t login to vault?
Re: Removing vault user from local admin group
Sorry new to vault. I found the logging. I removed the builtin\admin group and then tried logging on to vault. Here's what I get. Keep in mind the 'Server_name\Vaultadmin' user is a local NT user that has sysadmin rights to SQL. and is in the local admin group. Any ideas?
Login failed for user 'Server_name\Vaultadmin'.
at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
at System.Data.SqlClient.SqlConnection.Open()
at VaultServiceSQL.VaultSqlConn.OpenConn()
at VaultServiceAPILib.VaultServiceAPISystem.GetOpenSqlConn(VaultSqlConn& conn) at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
at System.Data.SqlClient.SqlConnection.Open()
at VaultServiceSQL.VaultSqlConn.OpenConn()
at VaultServiceAPILib.VaultServiceAPISystem.GetOpenSqlConn(VaultSqlConn& conn)
----5/7/2010 3:33:55 PM Jeffs--machine.domain(IP_address)--SSL Disabled Vault Failed to establish a connection to the database.
----5/7/2010 3:33:55 PM Jeffs--machine.domain(IP_address)--SSL Disabled System.Data.SqlClient.SqlException: Cannot open database "sgvault" requested by the login. The login failed.
Login failed for user 'Server_name\Vaultadmin'.
at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
at System.Data.SqlClient.SqlConnection.Open()
at VaultServiceSQL.VaultSqlConn.OpenConn()
at VaultServiceAPILib.VaultServiceAPISystem.GetOpenSqlConn(VaultSqlConn& conn) at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
at System.Data.SqlClient.SqlConnection.Open()
at VaultServiceSQL.VaultSqlConn.OpenConn()
at VaultServiceAPILib.VaultServiceAPISystem.GetOpenSqlConn(VaultSqlConn& conn)
----5/7/2010 3:33:55 PM Jeffs--machine.domain(IP_address)--SSL Disabled Vault Failed to establish a connection to the database.
----5/7/2010 3:33:55 PM Jeffs--machine.domain(IP_address)--SSL Disabled System.Data.SqlClient.SqlException: Cannot open database "sgvault" requested by the login. The login failed.
Re: Removing vault user from local admin group
Can you specifically give that user db_owner rights to both sgvault and sgmaster?
If it still refuses to log in after that, it might make more sense to uninstall Vault (keep the database), then remove the Network Service account, or whatever local account it's using, from the sgvault and sgmaster database users and from the SQL users, then install again choosing the option to reuse the database. That will force Vault to add the local account again and give it the permissions it needs.
If it still refuses to log in after that, it might make more sense to uninstall Vault (keep the database), then remove the Network Service account, or whatever local account it's using, from the sgvault and sgmaster database users and from the SQL users, then install again choosing the option to reuse the database. That will force Vault to add the local account again and give it the permissions it needs.
Beth Kieler
SourceGear Technical Support
SourceGear Technical Support
Re: Removing vault user from local admin group
Thanks Beth,
The user is the DB_Owner for both those DB’s. I was wondering if it’s in a config file for vault that it’s looking for the builtin\admin group not just the user we created. Might have to try the reinstall thing.
The user is the DB_Owner for both those DB’s. I was wondering if it’s in a config file for vault that it’s looking for the builtin\admin group not just the user we created. Might have to try the reinstall thing.
Re: Removing vault user from local admin group
If you need help with the re-install, or if it still has problems connecting after that, let me know.
Beth Kieler
SourceGear Technical Support
SourceGear Technical Support