Active Directory Service

Active Directory is a central component of the network architecture on certain Windows operating systems. Active Directory provides a directory service specifically designed for distributed networking environments.

This section describes the conceptual steps to configure PSQL in an environment that has Microsoft Active Directory service installed and functioning correctly.

Ensure that Active Directory service is installed and functioning correctly before you install PSQL into the environment.

Server and Client Support

PSQL Server runs on supported Windows Servers within an Active Directory environment. The PSQL client runs on all supported Windows platforms within an Active Directory environment.

Directory and File Permissions

The database engines enforce directory and file permissions set at the operating system level. An Active Directory environment does not change this behavior. For example, if you set “read only” permission on a PSQL table file, you will be unable to write to the table.

Microsoft Terminal Services Support

PSQL Server engines are supported for use with Microsoft Terminal Server running within an Active Directory environment. For more information about Terminal Services, see Terminal Services.

PSQL Administrative Authority

Active Directory service manages the security of the network. You must grant the correct access authority at the operating system level to users who need PSQL administrative privileges.

See Active Directory Tasks for the general steps to set access authority. Users must have the following authority on the machine running the database engine:

•

Log on locally

•

Administrator privileges or belong to the Pervasive_Admin group

You can grant the Log on locally authority directly to a user or to the Pervasive_Admin group (and add the user to the group).

You can create the Pervasive_Admin group on the machine running the database engine (the local machine), on the domain controller for the local machine, or on both. The database engine checks privileges first on the domain controller for the local machine then on the local machine.

An example helps illustrate this. Suppose you have two servers in your domain that run the PSQL database engine, Server A and Server B. You could create a Pervasive_Admin group on each server and on the domain controller. You then add User 1 to the group on Server A, User 2 to the group on Server B, and User 3 to the group on the domain controller. User 1 has administrative privileges for the database engine only on Server A. Similarly, User 2 has administrative privileges only on Server B. User 3, however, has administrative privileges for the database engines on both Server A and Server B.

If you create the Pervasive_Admin group on a domain controller, then the group must be a domain local group. If you create the Pervasive_Admin group on a machine that is not a domain controller, then the Pervasive_Admin group must be a local group.

Active Directory Tasks

Use the following steps to create a Pervasive_Admin group in Active Directory to grant users PSQL administrative privileges in a Windows environment. The steps assume that you are setting privileges on the domain controller for the machine running the database engine.

►

To add the Pervasive_Admin group as a default group policy

Create the Pervasive_Admin group on the domain controller for the domain of the machine running the database engine.

Specify Pervasive_Admin for the group name.

Set the group scope to Domain local. Do not use Global or Universal.

Add users to the Pervasive_Admin group.

Confirm that the users appear as members of the group.

Add the Pervasive_Admin group to the Log on locally privileges for the domain.

Note: If the Log on locally option is grayed out, skip step 6 and use the next task to continue administrative group setup as a local policy.

►

To add the Pervasive_Admin group as a local policy

These steps continue from step 5 in the previous task when you cannot use the Log on locally option in a group policy.

Click Start, enter gpmc.msc, and press Enter.

Double-click the name of the forest to open it.

Open Domains.

Open the name of the domain to which you want to join a computer.

Right-click Default Domain Controllers Policy and select Edit.

In the console tree, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies, and then select User Rights Assignment.

In the details pane, open Allow Logon Locally.

Confirm that Define these policy settings is selected.

Click Add User or Group.

Do one of the following:

•

Enter the user account to allow to log on locally.

•

Click Browse to find the account with the Select Users, Computers, or Groups dialog box.

Click OK in each dialog box until you have closed them all.