Custom Active Directory Groups and User Names Setup

Overview:

Velocity by default uses specific Windows Groups and User names for application and SQL authentication. The two Active Directory Group names it uses are: “Velocity Users” and “Velocity Services”. There is also one Active Directory User: “VelocityServices”. Depending on the installation, these groups and user will either be in Active Directory, or they will be local to the Velocity server. Where the groups and user reside depends on whether:

  • Velocity and SQL are installed on the same computer, or

  • Velocity and SQL are installed on separate computers

When Velocity and SQL are installed on the same computer, the only group that is created on the domain controller is the Velocity Users group. The Velocity Services group and the VelocityServices user are local to the Velocity server.

When Velocity and SQL are installed on separate computers, both groups and the user are all located on the Active Directory Domain Controller.

There are instances when you will not want to use the default Velocity Users group, Velocity Services group, or VelocityServices user names. Government or other large organizations in particular often require the assignment of unique naming conventions for every unit or department within the organization.

To do this, you need to choose the Advanced Authentication option on the Application Network and Security screen while performing a Server installation.

The purpose of custom users and groups is to replace the defaults. Making sure the new names work before deleting the defaults is strongly recommended. Because every installation is different, make sure you review your existing default accounts to guarantee that the new accounts have equivalent rights and permissions.
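One way to carry out that review on the SQL side, as an added example that is not part of the vendor's documentation: the script lists the server and database role memberships held by each default group login and reports any difference from its custom replacement. It assumes the SqlServer PowerShell module; `SQLHOST`, the `TESTDOMAIN` prefix on the default groups, and the group name `CustomVelUsersGrp` are placeholders (use the server name as the prefix where a default group is local to the Velocity server).

```powershell
# Added example, not vendor code. Read-only: it queries catalog views and changes nothing.
Import-Module SqlServer                      # provides Invoke-Sqlcmd
$SqlInstance = 'SQLHOST'                     # placeholder: server hosting the Velocity database

function Get-VelocitySqlRights {
    param([string]$Login)
    $vars = @("login=$Login")                # substituted into $(login) by Invoke-Sqlcmd
    $serverSql = @'
SELECT 'server' AS Scope, r.name AS RoleName
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$(login)';
'@
    $dbSql = @'
SELECT DB_NAME() AS Scope, r.name AS RoleName
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.sid = SUSER_SID(N'$(login)');
'@
    $rows = @(Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $serverSql -Variable $vars)
    foreach ($db in 'master', 'msdb', 'Velocity') {
        $rows += @(Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query $dbSql -Variable $vars)
    }
    # "public" is implicit for every principal and is not stored in these views
    @($rows | ForEach-Object { "$($_.Scope):$($_.RoleName)" } | Sort-Object)
}

# Default login -> custom replacement (custom users group name is hypothetical)
$pairs = [ordered]@{
    'TESTDOMAIN\Velocity Users'    = 'TESTDOMAIN\CustomVelUsersGrp'
    'TESTDOMAIN\Velocity Services' = 'TESTDOMAIN\CustomVelServicesGrp'
}
foreach ($default in $pairs.Keys) {
    $base = Get-VelocitySqlRights -Login $default
    $new  = Get-VelocitySqlRights -Login $pairs[$default]
    [pscustomobject]@{
        Default         = $default
        Custom          = $pairs[$default]
        MissingOnCustom = @($base | Where-Object { $_ -notin $new }) -join ', '
        ExtraOnCustom   = @($new  | Where-Object { $_ -notin $base }) -join ', '
    }
}
```

Run it once before any change to record what the defaults hold, and again after the custom logins exist; both difference columns should be empty before the defaults are removed.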

This procedure should be performed by an IT professional thoroughly familiar with the intricacies of SQL Server database management and Windows Active Directory.


Based on your requirements, follow the steps in the relevant sections below.


Configuration Details:

This section explains how to create a new users group, service group, and service user, and how to assign members on the domain.

To create custom users and service groups for managing users and services:

  1. You need to create two different groups: one for managing the custom users and another one for managing the custom services.

  2. Open Active Directory Users and Computers. Expand your local domain.
    The Active Directory Users and Computers window appears:

     

  3. Right-click the Users folder (in the left pane) and select New ► Group.
    The New Object - Group dialog box appears:

     

  4. Enter the name of the group you want to use (instead of the Velocity Users Group), then select:

    • Group scope: Global

    • Group type: Security
      The dialog box now resembles this example:

       

  5. Click OK.
    The new users group appears in the Users folder.

  6. Follow steps 3 to 5 for creating another group for managing services (CustomVelServicesGrp).

  7. Right-click the new users group and select Properties, then click the Members tab.
    The Members tab is displayed. Add the Domain Administrator and the users who have access to Velocity as members by following the steps below.

     

  8. Click the Add button.
    The Select Users, Contacts, Computers, Service Accounts, or Groups dialog box appears:

     

  9. Click Locations and select this domain server’s location.

  10. Do one of these:

    • Enter the name of the object you are seeking and click Check Names. If the name is correctly entered, the name is underlined.

    • Click Advanced and in the Common Queries section, select a text string to find the required members. Click Find Now. All relevant users appear in the search results. Select one or more users.

       

  11. Click OK twice.
    The new users group with associated users appears in the Users folder.

     

To create a non-Velocity named user account for managing Velocity services:

  1. Open Active Directory Users and Computers. Expand your local domain.
    The Active Directory Users and Computers window appears:

     

  2. Right-click the Users folder (in the left pane) and select New ► User.
    The New Object - User dialog box appears:

     

  3. Enter the first name, the last name, and a user logon name for the user, then click Next.

     

  4. Enter the password in the Password and Confirm Password fields, then click Next.

     

  5. Click Finish.
    The new user appears in the Users folder.

     

  6. Right-click the new services user and select Properties, then click the Members tab.
    The Members tab is displayed. Add the Domain Users and the newly created service group (CustomVelServicesGrp) as members by following the steps below.

     

  7. Click the Add button.
    The Select Users, Contacts, Computers, Service Accounts, or Groups dialog box appears:

     

  8. Click Locations and select this domain server’s location.

  9. Do one of these:

    • Enter the name of the object you are seeking and click Check Names. If the name is correctly entered, the name is underlined.

    • Click Advanced and in the Common Queries section, select a text string to find the required members. Click Find Now. All relevant users appear in the search results. Select one or more users.

       

  10. Click OK twice.
    The new user services with associated users appear in the Users folder.
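The two procedures above, scripted with the ActiveDirectory PowerShell module as an added example (not vendor code). `CustomVelServicesGrp` and `CustomVelServicesAcct` are the names used on this page; the users group name `CustomVelUsersGrp` and the member `jdoe` are hypothetical.

```powershell
# Added example, not vendor code. Needs the RSAT ActiveDirectory module and rights to create objects.
Import-Module ActiveDirectory

$usersGroup    = 'CustomVelUsersGrp'        # hypothetical: the page does not name the custom users group
$servicesGroup = 'CustomVelServicesGrp'     # name used on the page
$serviceAcct   = 'CustomVelServicesAcct'    # name used on the page
$velocityUsers = 'Administrator', 'jdoe'    # constructed sample: domain administrator plus one Velocity user
$usersPath     = (Get-ADDomain).UsersContainer   # the Users folder used in the GUI steps

# Two groups with scope Global and type Security, skipped if they already exist
foreach ($name in $usersGroup, $servicesGroup) {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
                    -GroupCategory Security -Path $usersPath
    }
}

# Service user: the password is prompted for and never stored in the script.
# New users are members of Domain Users by default, so that membership needs no step here.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$serviceAcct'")) {
    $password = Read-Host -AsSecureString -Prompt "Password for $serviceAcct"
    New-ADUser -Name $serviceAcct -SamAccountName $serviceAcct -Path $usersPath `
               -AccountPassword $password -Enabled $true
}

# Add only the members that are missing, because Add-ADGroupMember fails on an existing member
function Add-MissingMember {
    param([string]$Group, [string[]]$Members)
    $current = @(Get-ADGroupMember -Identity $Group | ForEach-Object SamAccountName)
    $toAdd   = @($Members | Where-Object { $_ -notin $current })
    if ($toAdd.Count -gt 0) { Add-ADGroupMember -Identity $Group -Members $toAdd }
}
Add-MissingMember -Group $usersGroup    -Members $velocityUsers
Add-MissingMember -Group $servicesGroup -Members $serviceAcct

# List the resulting membership for review before the default groups are touched
foreach ($name in $usersGroup, $servicesGroup) {
    Get-ADGroupMember -Identity $name |
        Select-Object @{ n = 'Group'; e = { $name } }, SamAccountName, objectClass
}
```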


This section explains how to create a new services account and assign permissions to it on the local Velocity server, where the Velocity application is installed.

To create a new services account on the local Velocity server:

  1. Right-click on This PC and select Manage.
    The Server Management screen appears.

  2. Click Tools to go to the Computer Management window.

  3. Expand the System Tools to explore the Local Users and Groups.

  4. Expand Groups to explore the list of all groups.

  5. Right-click Administrators and select Properties.

  6. The Properties window appears. Select the Members tab.

  7. Click the Add button to add domain\newservice (TESTDOMAIN\CustomVelServicesAcct) as a member by following the steps below.

  8. Click the Member Of tab, then click the Add... button. Add the newly created service account (CustomVelServicesAcct).
    The Select Users, Computers, Service Accounts, and Groups dialog appears:

     

  9. Click Locations and specify the local server, then click OK.

  10. For the ‘Enter the object names to select’ field, do one of these:

    • Enter Administrators and click Check Names. If the name is correctly entered, the name is underlined. Click OK twice.

    • Click Advanced... and in the Common Queries section, select a text string to find the administrators group. Click Find Now. All relevant groups appear in the ‘Search results’ window. Select the user you require. Click OK twice.

       


This section explains how to assign the necessary SQL logins, from the computer on your system that contains SQL Server and the Velocity database.

To assign a login for this new users group:

  1. Open SQL Server.
    The Microsoft SQL Server Management Studio appears.

  2. Expand the Security folder, then right-click the Login folder and select New Login...
    The Login - New dialog appears:

     

  3. For the Login name, click Search.
    The Select User or Group dialog box appears.

     

  4. Click Object Types, select the Groups check box, and then click OK.

     

  5. Click Locations and select the domain server where the newly defined users group resides, then click OK.

  6. Do one of these:

    • Enter the users group name you are seeking and click Check Names. If the name is correctly entered, the name is underlined. Click OK.

    • Click Advanced and in the Common Queries section, select a text string to find the required group. Click Find Now. All relevant users groups appear in the ‘Search results’ pane. Select the one you want. Click OK.


      The users group appears in the ‘Login name’ field.

  7. Click Server Roles in the left pane.
    The Server Roles page appears.

  8. Select the dbcreator, public and sysadmin checkboxes, as shown in this example:

     

  9. Click User Mapping in the left pane.
    The User Mappings page appears.

     

  10. Select the Velocity, msdb, and master check boxes in the top pane.

  11. In the Database role membership pane, check these members:

    • For Master: db_backupoperator and public.

    • For Velocity: db_backupoperator and public.

    • For msdb: public, SQLAgentOperatorRole, SQLAgentReaderRole, and SQLAgentUserRole.

  12. Click OK.

  13. Now repeat steps 3 to 8 to assign SQL login access for the Services group (CustomVelServicesGrp).

  14. Select the Velocity and msdb check boxes in the User Mapping section.

  15. On the User Mapping page, check these role memberships:

    • For Velocity: db_backupoperator and public.

    • For msdb: public, SQLAgentOperatorRole, SQLAgentReaderRole, and SQLAgentUserRole.

  16. Click OK.
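The same login, server role, and user mapping assignments as a reviewable script, added here as an example and not taken from the vendor. It assumes the SqlServer PowerShell module and a connection that is allowed to create logins; `SQLHOST` and the users group name `CustomVelUsersGrp` are placeholders, and `TESTDOMAIN` is the sample domain from this page.

```powershell
# Added example, not vendor code. Generates T-SQL matching steps 1-16, prints it, then runs it.
Import-Module SqlServer
$SqlInstance = 'SQLHOST'       # placeholder: server hosting the Velocity database
$Domain      = 'TESTDOMAIN'    # sample domain name used on the page

function New-VelocityLoginSql {
    param([string]$Principal, $DbRoles)
    $id  = '[' + $Principal.Replace(']', ']]') + ']'     # bracket-quoted identifier
    $lit = "N'" + $Principal.Replace("'", "''") + "'"    # string literal
    $sql = @("IF SUSER_ID($lit) IS NULL CREATE LOGIN $id FROM WINDOWS;")
    # Server Roles page: dbcreator and sysadmin (public is implicit for every login).
    # sysadmin bypasses all permission checks, so limit who is placed in these AD groups.
    foreach ($role in 'dbcreator', 'sysadmin') {
        $sql += "ALTER SERVER ROLE [$role] ADD MEMBER $id;"
    }
    # User Mapping page: one database user per mapped database, then its roles
    foreach ($db in $DbRoles.Keys) {
        $sql += "USE [$db];"
        $sql += "IF DATABASE_PRINCIPAL_ID($lit) IS NULL CREATE USER $id FOR LOGIN $id;"
        foreach ($role in $DbRoles[$db]) { $sql += "ALTER ROLE [$role] ADD MEMBER $id;" }
    }
    $sql -join "`r`n"
}

$agentRoles = 'SQLAgentOperatorRole', 'SQLAgentReaderRole', 'SQLAgentUserRole'

# Users group (steps 1-12): master, Velocity and msdb are mapped
$usersSql = New-VelocityLoginSql -Principal "$Domain\CustomVelUsersGrp" -DbRoles ([ordered]@{
    master   = @('db_backupoperator')
    Velocity = @('db_backupoperator')
    msdb     = $agentRoles
})
# Services group (steps 13-16): only Velocity and msdb are mapped
$servicesSql = New-VelocityLoginSql -Principal "$Domain\CustomVelServicesGrp" -DbRoles ([ordered]@{
    Velocity = @('db_backupoperator')
    msdb     = $agentRoles
})

$batch = $usersSql, $servicesSql -join "`r`n"
$batch                                               # print the T-SQL for change-control review
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $batch
```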
