Edit: It's the 'protected users' user group that's a problem, not the sensitive account checkbox. I updated the post but the same issue applies.
We have multiple domain accounts that are members of the 'Protected Users' group and when we try to log in to a server with this account through 'Find by name (User Vault)' or 'My privileged account' (I haven't tried the others yet because these accounts shouldn't be shared), we get the following error message:
But we are able to log on to a customer server in another domain with a user that has the same group membership. This also works with 'Find by name (User Vault)'.
I exported both connections and the export files look exactly the same except for the connection-specific values AND the way the credential is passed, but I tested that (see line above).
Could it be that RDM connects differently when connecting to a machine that's in the same Active Directory domain as the RDM application?
Best regards,
Thomas
Hello,
What data source type do you use in your environment?
Regards
David Hervieux
Hi David,
Thanks for responding. We're using SQL Server 2019 Enterprise.
Best regards,
Thomas
Hello,
Do you use a custom user with SQL Server or the integrated security?
Regards
David Hervieux
That would be integrated security
Are you able to see in Data Source Information (File ribbon) if you have the same login?
Regards
David Hervieux
The user I am trying to log on with (the 'sensitive account') is not the same as the user listed in 'Data Source Information' (my normal user).
Hello,
Since it's not the same user, I think that the only solution is to use a runas with RDM.
https://kb.devolutions.net/rdm_running_rdm_as_another_user.html
Regards
David Hervieux
That's not an option. We use the three-tier admin model which prevents us from logging on to or starting applications on an end-user computer with a server administrator and certainly with a domain administrator which is also not allowed to log on to member servers.
Do you have any idea why we can log on to a customer server with a user that is a member of the 'protected users' group in their domain?
Hello,
I have absolutely no idea why you can log in since you are using Integrated Security. This is handled by Windows directly.
Regards
David Hervieux