Sql-server – SQL Server 11.0 and AD Groups

active-directory, Security, sql server, sql-server-2012

I have a user that has his Active Directory logon set to allow logging into a specific SQL Server, and that works fine. This user is also part of an AD Group that has access to a specific database on this server. However, this membership doesn't grant him access to that specific database. I have to give his AD logon access to the database separately.

Question: Is there a conflict when granting SQL Server access via a user's AD login, and also adding permissions to a specific database on the SQL Server by the user's membership in a specific AD group?

If there is any way to set this up to work, let me know.

Best Answer

You will have no problem doing what you have described. SQL Server security is designed intentionally to allow you to grant different permissions to a group and to a person in that group, and keep the two separated. They did this to address exactly the scenario that you are describing.

The only way that you would have a conflict is if you explicitly deny a permission. Then the deny would override any grant.
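The following T-SQL is an added illustration, not part of the original answer: it sets up the login-plus-group arrangement from the question and then checks for the explicit DENY the answer names as the only source of conflict. `CONTOSO\jsmith`, `CONTOSO\SalesReaders` and `SalesDb` are placeholder names, and the script assumes it is run by an administrator on the instance.

```sql
-- Placeholder names (assumptions): CONTOSO\jsmith, CONTOSO\SalesReaders, SalesDb.
USE master;
CREATE LOGIN [CONTOSO\jsmith] FROM WINDOWS;        -- individual login: connect to the instance
CREATE LOGIN [CONTOSO\SalesReaders] FROM WINDOWS;  -- AD group login
GO

USE SalesDb;
-- Database access comes from the group: map it to a user and grant at database scope.
CREATE USER [CONTOSO\SalesReaders] FOR LOGIN [CONTOSO\SalesReaders];
GRANT SELECT TO [CONTOSO\SalesReaders];
GO

-- 1. Permission paths: the individual login and each group that admits this account.
EXEC xp_logininfo @acctname = N'CONTOSO\jsmith', @option = 'all';

-- 2. Impersonate the user and inspect the token the database sees.
--    The group should be listed in sys.user_token; a usage of 'DENY ONLY'
--    means that entry can only restrict access, never grant it.
EXECUTE AS LOGIN = N'CONTOSO\jsmith';
SELECT name, type, usage FROM sys.user_token;
SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SELECT') AS can_select;
REVERT;

-- 3. Explicit DENYs on the user or the group; any of these overrides the grants.
SELECT pr.name AS grantee, pe.class_desc, pe.major_id,
       pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.state_desc = 'DENY'
  AND pr.name IN (N'CONTOSO\jsmith', N'CONTOSO\SalesReaders');

-- 4. Membership in the fixed deny roles restricts access in the same way.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'db_denydatareader', N'db_denydatawriter');
```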