Question Status

Unanswered
Richard Campos asked a question on 26 Dec 2008 8:48 AM

Hello Everyone

Plz I need to know which are appropriate user privileges for install
Microsoft Dynamics GP Utilities?

The Installation documention said "enter a system administrator user ID and
Password", which are the appropriate privileges that a user account must to
have in the SQL Server whether ?

Thanks for advance :)

Reply
Michael Marinaro responded on 28 Dec 2008 3:49 PM

Hi Richard,

 I'm assuming that you mean which user you need to use to run Dynamics GP Utilities to create companies and complete the installation of Dynamics GP.  Typically you would login to Dynamics GP Utilites using the 'sa' user on the SQL Server.  The user you log in as must have the rights to create databases and administer security on the SQL Server.  After you have created companies, you can user the DYNSA user to administer security and create users inside of Dynamics GP. 

 Hope this helps!

Mike

 

Michael Marinaro, CPA, MCP
Reply
Orgs responded on 23 Aug 2009 9:44 AM

Thanks Mike... I have been swearing for the past 2 hours at my screen (never very productive)... 

I am amazed at the answer though ... in the GP Installation Instructions manual it states "In the Welcome to Microsoft Dynamics GP Utlitlies window, verify the server name, and enter the system administrator user ID and password; then click OK.".....

At which stage or anywhere else in any manual does it say it has to be the SQL database "sa" user account... any DBA that knows what they are doing will lock the sa account down the moment they install SQL.

Once I found your reply I could at least move forward... but it would appear from the past 30 minutes that it has to be "sa" and not some other account (I tried all of my high level accounts and they didnt work, it was reporting a password mismatch, which I know cannot be the case as I reset one account to only have the letter "a" as the password).

Just in case someone else has this problem and then finds they cannot reenable the sa account do a search on "Cannot set a credential for principal 'sa'. (SQL Server 2005/2008)"....

Thanks Mike for saving many more hours of frustration.

Chris

Reply
Michael Marinaro responded on 23 Aug 2009 10:21 PM

Hi Chris,

Glad I was able to help.  The reason that you aren't able to use any other login other than 'sa' is that GP and GP Utilities 'encrypts' (for lack of a better term) the password entered in the front end app that is passed to the server.  This prevents a user from using their GP username and password to access the database directly.  If you enter any user id other than 'sa' including 'DYNSA', the password will be changed before it reaches the server and you will receive an invalid password error. 

 As a DBA, I completely agree with the 'sa' security risk however I typically have my client use a separate instance of SQL Server exclusively for GP so that the risk is minimized.  Once GP Utilities is run for the first time (at which time the DYNSA account is created), you can safely disable the 'sa' account assuming of course you've setup another account with similar rights since you cannot log onto the SQL Server instance directly with the DYNSA account.

Thanks,
Mike

 

Michael Marinaro, CPA, MCP
Reply
Mariano Gomez responded on 24 Aug 2009 12:55 PM

Chris,

"sa" is required because Dynamics Utilities are designed for systems administrators, not end users. With Dynamics Utilities you can perform tasks such as create new company databases, verify and apply new service packs, run table and stored procedure creation routines for new application add-ons, among other things. All these tasks are certainly not in the domain of an end-user, and require dbo rights on your database server.

Best regards,

MG.-
Mariano Gomez, MIS, MVP, MCP, PMP
IntellPartners, LLC
Blog: http://dynamicsgpblogster.blogspot.com

Reply
Orgs responded on 24 Aug 2009 1:10 PM

Mariano,

I fully understand that installing GP is not an end user task. I may argue that you also shouldn't need to have a DBA to create a company, is that not a up to the finance team, but that aside, my issue was more that you HAVE to use the "sa" account which no self respecting DBA would have leave available.

In all our SQL installations we have a number of accounts that are for DBAs, they have sysadmin rights, so why cannot GP use one of those... I am sure there is a good technical reason, but I guess my biggest issue is why this is not made clear in the documentation ...

Anyway I now have the system installed and I guess this is where the fun will begin as we have been asked to integrate our web based document management system to be accessed from Dynamics GP…

Many thanks.. Chris

Reply