Sp_addlinkedsrvlogin AD group limitation (workaround? anyone?)

Hello. I have looked all over boards and can't seem to find any elegant (or even hacky) workaround for this situation, hoping some of you geniuses can help. SQL Server 2008 R2 Enterprise.
We have a linked server to a DB2 server. The current linked server uses a DB2 (Unix) ID/PWD (batchID/service account) to the linked server. We don't have Kerberos and the mixed bag of Windows/Unix would sort of disallow it anyway. The SQL server (while mixed authentication mode) uses almost exclusively Windows Authentication and we are very good about using AD groups for everything, not INDIVIDUAL windows/sql logins (as part of our corporate security).
The data on the DB2 server will soon have masked confidential fields for individual users but not the batch IDs. To ensure that anyone connecting to our SQL server can't just pull up the unmasked data, we thought we would create another linked server and limit it to a specific Windows group - let's call it 'DOMAIN\DBA', that requires unmasked data for processing. Either that or -better- put the 'DOMAIN\DBA' group to the existing linked server mapping to an "unmasked" account on the DB2 side. (This group has sysadmin and consists of a Windows service account and prod support staff who have to manually run processes.) But it is IMPOSSIBLE to set Windows Group LOGIN permissions on a linked server login. The sp_addlinkedsrvlogin specifically excludes server_principals type 'G'. Microsoft will not say why, except because they designed this for all linked servers to also be Windows SQL server - but there you go.
Does anyone know a way to do this without having to add the individual users from the 'DOMAIN\DBA' group to individual logins on the server? That just seems like a maintenance nightmare. This affects about 20 SQL servers in our organization. PLEASE? Anyone?
Shelley
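
The mapping setup described in the question above, as an added example that is not part of the original post: an audit of which local logins map to which remote account on the linked server, followed by removal of the catch-all default mapping in favour of an explicit one. The linked server name DB2_LINK, the login DOMAIN\svc_batch, the remote account names and the password are placeholders; the explicit mapping uses an individual login because, as the post states, sp_addlinkedsrvlogin does not accept a Windows group.

```sql
-- Added example; every name below is a placeholder, not a value from the thread.
DECLARE @linked sysname = N'DB2_LINK';          -- hypothetical linked server name

-- 1. Audit the current login mappings for the linked server.
--    local_principal_id = 0 is the default mapping, used by every login
--    that has no explicit mapping of its own.
SELECT  s.name AS linked_server,
        CASE WHEN ll.local_principal_id = 0
             THEN N'<default: all other logins>'
             ELSE sp.name END AS local_login,
        sp.type_desc AS local_login_type,
        ll.uses_self_credential,
        ll.remote_name,
        CASE WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 0
             THEN N'stored remote credential shared by all logins'
             ELSE N'' END AS finding
FROM    sys.linked_logins AS ll
JOIN    sys.servers AS s
        ON s.server_id = ll.server_id
LEFT JOIN sys.server_principals AS sp
        ON sp.principal_id = ll.local_principal_id
WHERE   s.is_linked = 1
  AND   s.name = @linked
ORDER BY ll.local_principal_id;

-- 2. Weak setting (comment only, not executed): a default mapping that hands
--    the stored batch credential to every login on the instance.
-- EXEC sp_addlinkedsrvlogin @rmtsrvname = N'DB2_LINK', @useself = 'FALSE',
--      @locallogin = NULL, @rmtuser = N'BATCHID', @rmtpassword = N'<placeholder>';

-- 3. Corrected setting: drop the default mapping if one exists, so logins
--    without an explicit mapping get no connection at all ...
IF EXISTS (SELECT 1
           FROM sys.linked_logins AS ll
           JOIN sys.servers AS s ON s.server_id = ll.server_id
           WHERE s.name = @linked AND ll.local_principal_id = 0)
    EXEC sp_droplinkedsrvlogin @rmtsrvname = @linked, @locallogin = NULL;

--    ... then map one named login to the remote account it needs.
EXEC sp_addlinkedsrvlogin
     @rmtsrvname  = @linked,
     @useself     = 'FALSE',
     @locallogin  = N'DOMAIN\svc_batch',   -- hypothetical individual Windows login
     @rmtuser     = N'UNMASKED_ID',        -- placeholder DB2 account
     @rmtpassword = N'<placeholder>';
```

Re-running the audit query in step 1 afterwards should show no row flagged in the finding column.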

Shelly  
Is it possible to have an SSIS package bring the data into SQL Server and play with permissions? BTW, is it DB2 or AS400?
Best Regards, Uri Dimant, SQL Server MVP
http://sqlblog.com/blogs/uri_dimant/

Similar Messages

  • I have a telus email acct on my ipad air and don't know how to set a group.  Can anyone help?  Thanks

    I am new to Apple and just bought an ipad air.  I have a Telus email acct and don't know how to set up a group.  Can anyone help me?  Thanks

    There isn't anything in contacts that has "create a group" .  That's why this is so frustrating.  I've tried creating a new contact and dragging names into it - doesn't work.  I can't find anything that helps!!!  What am I missing?

  • HSRP Group Limitation Problem

    Dear All,
    I have 2 3750 switches on which I need to configure HSRP for 26 VLANS.
    I have tried configuring one group for vlan 1 - 16 & second group next 16 VLANS. But I still get the error 'platform does not support more than 32 hsrp groups'
    What seems to be the problem?
    Thanks in advance.
    Sridhar.

    Have you tried to assign unique HSRP group numbers to the 26 different groups you need?
    32 HSRP groups is an HW limitation of the 3750 with no workaround available, unlike the 3550 where you could get creative with clumping groups of vlans and re use HSRP group numbers as outlined in:
    http://www.cisco.com/en/US/products/hw/switches/ps646/products_qanda_item09186a00801cb707.shtml
    The other thing to consider would be version of IOS.
    HTH

  • Crystal Reports grouping limits different than tree or tab menu limits...

    Hi,
    This may not be the forum for this, but I figured that if I am trying to make a treemenu function as a replacement for the group tree in CR that it is somewhat relevant...
    I got a production system to run a test and it seems that the Crystal reports group tree control can easily display 3000+ items, no errors, warnings or any other abnormal behaviours. Why would it be possible for this to work, and not have that many elements in a treemenu or tabmenu without the page size limits? I've already discovered that in my case I need to break up the levels into smaller strings, but the page size becomes an issue. There are no ways that I have found to duplicate the group tree functionality with that many levels. Even the largest page size cannot display 3000+ items that I have been able to find.
    Thanks for any help you can give.

    This will work for viewing only in boe or in the Crystal Reports designer...
    1. In Enterprise (CMC), navigate to the report you've just uploaded.
    2. From the process tab, select 'Print Setup'.
    3. In the 'Set the report's page layout' section, select the 'Custom Settings' option.
    4. Choose a Height and Width for the report (for example - 40 inches width, 10 inches high).
    5. Click Update.
    6. Go to the History tab and click Run Now (assuming the report you've built doesn't have a massive quantity of data).
    7. You should now be viewing your report with the screenspace chosen (40 inches wide) - from the viewer, export the report to RPT and save it to your desktop.
    8. Open the report in Crystal Reports and you will have the report with custom page settings to work with.

  • 2k classpath limitation workaround not working

    Hello
    I am aware of the 2k limitation in installing weblogic as win2k service. The suggested workaround for that as per the documentation is to provide a '@filename' parameter.
    But looks like it is not picking up the 'myclasspath.txt'. This file is in the %WL_HOME%/server/bin directory.

    Using Photoshop CS2, I created a document that is 217 pixels wide, 350 pixels high, 8 bit RGB, with exactly 217 layers.
    I can navigate up and down with one layer visible using Alt ] and Alt [, no problem.
    In this case, Photoshop is set to use 100% of available memory on a 64 bit system, which means it gets 2786 MB:
    Anything else you'd like me to try?
    -Noel

  • Bbm group limitation

    Hi
    don't know if it is possible to synchronize two different groups together as a result of limitation caused by the 30 member limit. For a group that has exceeded that limit what can be done when there is a need to have another one to keep them up to date with each other? Will appreciate any suggestion or upgrade to that respect from RIM

    ... sync what? So that the chat and convo from Group One goes automatically into Group Two?
    I don't know an automatic way for that. One person could "copy chat" in one group and paste it to the second, is all I can think of.

  • Cat3750 Standby Group limitation

    Hello,
    I got a problem regarding the limitation of standby groups. As you can see below, we never put the vlan interfaces in groups, so they're all in group 0 by default. Now, by trying to add another virtual interface to one of the two core switches, I got an error message that the amount of groups is limited to 32. I don't understand that. In my opinion, all interfaces are in group 0 ?!?
    Even if I try to put, for example, interface 402 in another group, the error message appears.
    Besides, I'm still not sure what those groups are made for, what's best practice for this scenario?
    thanks in advance
    Interface   Grp Prio P State    Active          Standby         Virtual IP
    Vl1         0   120  P Active   local           172.17.101.253  172.17.101.254
    Vl21        0   120  P Active   local           172.17.1.3      172.17.1.1
    Vl201       0   120  P Active   local           172.17.202.3    172.17.202.1
    Vl203       0   120  P Active   local           172.17.201.3    172.17.201.1
    Vl202       0   120  P Active   local           172.17.203.3    172.17.203.1
    Vl204       0   120  P Active   local           172.17.204.3    172.17.204.1
    Vl205       0   120  P Active   local           172.17.205.3    172.17.205.1
    Vl206       0   120  P Active   local           172.17.206.3    172.17.206.1
    Vl207       0   120  P Active   local           172.17.207.3    172.17.207.1
    Vl208       0   120  P Active   local           172.17.208.3    172.17.208.1
    Vl209       0   120  P Active   local           172.17.209.3    172.17.209.1
    Vl210       0   120  P Active   local           172.17.210.3    172.17.210.1
    Vl211       0   120  P Active   local           172.17.211.3    172.17.211.1
    Vl212       0   120  P Active   local           172.17.212.3    172.17.212.1
    Vl213       0   120  P Active   local           172.17.213.3    172.17.213.1
    Vl214       0   120  P Active   local           172.17.214.3    172.17.214.1
    Vl215       0   120  P Active   local           172.17.215.3    172.17.215.1
    Vl216       0   120  P Active   local           172.17.216.3    172.17.216.1
    Vl217       0   120  P Active   local           172.17.217.3    172.17.217.1
    Vl218       0   120  P Active   local           172.17.218.3    172.17.218.1
    Vl219       0   120  P Active   local           172.17.219.3    172.17.219.1
    Vl220       0   120  P Active   local           172.17.220.3    172.17.220.1
    Vl221       0   120  P Active   local           172.17.221.3    172.17.221.1
    Vl222       0   120  P Active   local           172.17.222.3    172.17.222.1
    Vl223       0   120  P Active   local           172.17.223.3    172.17.223.1
    Vl224       0   120  P Active   local           172.17.224.3    172.17.224.1
    Vl225       0   120  P Active   local           172.17.225.3    172.17.225.1
    Vl226       0   120  P Active   local           172.17.226.3    172.17.226.1
    Vl227       0   120  P Active   local           172.17.227.3    172.17.227.1
    Vl228       0   120  P Active   local           172.17.228.3    172.17.228.1
    Vl250       0   120  P Active   local           172.17.250.3    172.17.250.1
    Vl402       0   120  P Active   local           10.20.0.3       10.20.0.1

    When you configure the virtual blade network interface card emulation in WAAS version 4.1.1c or 4.1.1d, you can select E1000 (an Intel E1000 NIC emulator) in addition to the rtl8139 and virtio emulators.
    For more information on mapping the Virtual -blade to the NIC, please follow up on this link:
    http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v411/release/notes/ws411rn.html#wp64158

  • Linear fit without professional version. Workarounds anyone?

    Hey, I'm trying to do some analysis and need to find the slope of a curve.  The drivers I have are trying to access the linear fit function but I don't have the pro version so I can't use it.  Anyone know of a free workaround VI possibly or any other solution?  
    Thanks

    Hi acolbourn
    The linear fit just implements the least squares algorithm, this is pretty simple. 
    You can read how this algorithm works here:
    http://en.wikipedia.org/wiki/Least_squares
    What parameters does the driver call the function with just X and Y as input, and best fit as output?
    Regards, 
    Anders Rohde

  • CSM: Sticky groups limitation (1..255)

    Hi,
    The number of total different STICKY GROUPS is limited to 255.
    This limits directly the number of VSERVERS/SERVERFARMS.
    In case I have different serverfarms (and each different vserver maps to only 1 different serverfarm)
    AND I want them all to be sticky (for example based on source ip address), I will have to configure
    a different sticky group for each serverfarm.
    This limits the number of vservers/serverfarms also to the maximum number of sticky groups
    (which is limited to 255).
    Correct, or can I bypass this issue?
    Thank you, Wim

    That's correct.
    You can use a different form of stickiness that does not require a sticky group, like 'predictor hash'.
    Regards,
    Gilles.

  • Spotlight limitation, workaround?

    I like to archive email by dragging messages out of OS X Mail, and into folders on my hard drive. Oddly, this results in their content no longer being readable by Spotlight. The file name, which is the email’s “subject:” can still be indexed.
    Does anyone know of a way to get spotlight to see the content of these messages, outside of Mail? I know that I could save/export messages as RTFs or PDFs etc, but I like to keep email intact and in its native format. Thank you.

    Hello
    The workaround is: If you need approval for document created via DI API, you must program it to save the document as draft, and send the notification to the users using MessagesService object or Messages  object (you can choose, there are some differences, but the result is the same).
    Now when a document in draft state, and the user will issue it from draft to normal document, the system will join into the approval procedure.
    Regards
    János

  • Another DI API Limitation workaround needed

    Hi,
    We have an issue with transferring an Order Document into SBO using DI when Printing Layouts are configured to be "fired".
    When entering a document using the graphical user interface, the printing is launched correctly.
    When sending a document to SBO through the DI API, no printing job is triggered.
    I suppose that it is a DI API limitation...
    Am I right?
    If so, what is the best workaround to get these documents printed... automatically if possible!
    Thanks!

    Hello,
    Basically this is not a limitation. DI API is a data interface API which is used for data manipulation, and printing belongs to the application, not the SDK. The printing function is missing from the SDK.
    By the way, from the SDK the printing is not supported. What you can do:
    1. Issue the invoice via DI API,
    2. Open the Document Printing wizard
    3. Run the printing of invoices marked only not printed (you will print out the invoices which are not printed)
    This is the suggested workaround for a huge number of invoices to be printed. If you issue 1-2 invoices per day by DI API, you can:
    - issue the invoice via DI API, and use the GetNewObjectKey method to receive the docentry value
    - open the invoice in the SAP B1 client
    - send the print event by activating the print menu.
    - please note: here you must enter the number of copies by hand.
    Regards
    János

  • Group-By workaround for optimization

    This Group By is taking much more time than expected. Recent stats show it took nearly 14 minutes. Is there any alternative/suggestion for it?
    select C.ekey,C.gid,A.ecd,B.pyear, SUM(A.rate) as sum_rate,SUM(A.hrs) AS sum_hrs, SUM(A.amt) as sum_amt
    from table_a A,table_b B, table_c C, table_d D,
    (SELECT fx_time_key time_key FROM dual) tk
    where to_char(D.end_date,'yyyy') = B.pyear
    AND C.time_key = tk.time_key
    AND C.eno = A.eno
    AND D.eno = A.eno
    AND D.cid = A.cid
    GROUP BY C.ekey,C.gid,A.ecd,B.pyear
    Message was edited by:
    joshuaa

    SELECT STATEMENT                           Cost = 740     
      SORT GROUP BY       
        MERGE JOIN CARTESIAN       
          TABLE ACCESS BY INDEX ROWID     table_c      
            NESTED LOOPS        
              HASH JOIN        
                HASH JOIN        
                  TABLE ACCESS FULL          table_b      
                  TABLE ACCESS FULL      table_d
                TABLE ACCESS FULL           table_a     
              INDEX RANGE SCAN           E_INDX      
          BUFFER SORT       
            TABLE ACCESS FULL DUAL
    Could you make anything out of this?

  • Image lost in action, workaround anyone?

    Hi,
    I know this is a double post but I really want an answer to this so that I can move on.
        BufferedImage BufImage = new Robot().createScreenCapture(screenRect);
        int[] pixels = new int[1680*1050];
        PixelGrabber pg = new PixelGrabber(BufImage, 0,0,1680, 1050, pixels, 0, 1680);
        image = frm.createImage(new MemoryImageSource(1680,1050,pixels,0,1680));
    With this code the Image image doesn't go null but it can't be drawn to a JPanel in my test.
    But the same image (BufImage) can with this:
        BufferedImage BufImage = new Robot().createScreenCapture(screenRect);
        image = (Image) BufImage;
    In the first example the image gets lost somewhere, but why? I am extracting the pixels correctly, aren't I? I need to use both some kind of PixelGrabber and then I need to create an Image of the result.
    Can anyone help me clear this out, I'd really need to extract those pixel for an application.
    //Considerate

    I found the problem, I was creating the image with the wrong JComponent.
    Replacing the row
        image = frm.createImage(new MemoryImageSource(1680,1050,pixels,0,1680));
    with
        image = pan.createImage(new MemoryImageSource(1680,1050,pixels,0,1680));
    where pan is a JPanel instead of using the JFrame.
    Sorry for taking your time, and thanks to everyone who viewed this and gave time to try to figure it out.
    //Considerate

  • OfficeJet 4500 G510n-z WiFi Passphrase limitations/workaround needed

    First off, I'm an advanced user, please don't ask me if I've turned it off and back on ;-)
    My issue is that I can't enter my current WiFi passphrase since the symbol doesn't appear on the list when pressing *.  The character I'm trying to enter is a less than symbol "<".  This printer has been a total nightmare since day one and I refuse to change my passphrase to something less secure just to accommodate this thing's poor design, I would rather toss it in the garbage and buy an Epson printer...  Can anyone tell me if there is an alternative way to enter the passphrase, such as hooking the printer up via USB?

    There are a couple of options:
    1. In the HP folder, run the "Printer setup and software" program to have your computer help the installation.  You will have to connect a USB cable temporarily during the process so the computer can communicate the network settings to the printer.  Make sure to NOT plug in the USB cable before the software asks.
    2. On the front of the printer, restore the network defaults.  On your computer connect to the ad hoc network that begins with "hp".  Get the printer IP address from the front of the printer and type it into a browser.  Go to the network tab and run the "Wireless Setup Wizard" there.
    I am employed by HP

  • 700 pixel limitation - can anyone help

    Hi,
    I want to create a website that's more than the 700 pixel templates the people who designed iWeb think we should be happy with. Anyone got any clues how to get round this?
    Have seen this topic answered elsewhere on here but unfortunately the solutions don't work for me - example: use the black or white or Formal template and delete everything on the page. Have tried this but unable to delete the placeholder which keeps everything a mere 700 pixels wide.
    Any help really really appreciated.
    Graham.

    You can increase the page width with the Inspector/Page/Layout pane.
    OT
