Does Xp_cmdshell Proxy Account Need Admin-level Permissions?
Oct 4, 2007
Re: SQL Server 2005
Does the xp_cmdshell proxy account need admin-level permissions on the server?
The reason I ask this is because I keep getting "Access is Denied" errors when trying to run this command as a non-admin:
master..xp_cmdshell dtexec 'some package'
The 'some package' has an "execute process task" which calls a batch file on the server.
If the proxy account is NOT a local admin, the "execute process tasks" fails with an "Access is Denied" error.
If the proxy account is a local admin, it executes fine.
We have given "Everyone" FULL CONTROL of all the folders that are affected by the batch file, and it still does not work.
I am out of ideas at this point. It just does not work unless it's an admin.
Are we missing something here?
View 7 Replies
ADVERTISEMENT
Mar 2, 2004
Hi all, i hope you can help me.
Basically a dts package has been setup that pulls in data from another companies server, this data requires to be on-demand i.e individual users can pull in updates of the data when they require it.
I am using xp_cmdshell and dtsrun to pull in the data. This obviouly works fine for me as i am a member of sysadmin.
Books online quotes " SQL Server Agent proxy accounts allow SQL Server users who do not belong to the sysadmin fixed server role to execute xp_cmdshell"
So i went to the SQL Server Agent Properties 'Job System' tab and unchecked 'Non-sysadmin job step proxy account' and entered a proxy account.
The proxy account has been setup as a Windows user with local administrator privilages and even a member of the sysadmin server role - just in case.
Now when i log onto the db with my test account - a non-sysadmin - and attempt to run the stored proc to import the data i recieved the message 'EXECUTE permission denied on object 'xp_cmdshell', database 'master', owner 'dbo' '
hmm... so basically i have either misunderstood BoL or there is something not quite right in my setup.
I have search the net for a few days now and yet i can find no solution.
Can anyone help?
View 2 Replies
View Related
Apr 22, 2008
Im having trouble getting xp_cmdshell to work after we changed the service account for our sql server. It was working perfectly before - so i know that execute permissions have been granted, and that we have a credential set up properly.
I have read that I need to ensure the service account has permissions to 'act as opertaing system' and 'replace a process level token'. I have granted these rights in the local security policy as well.
However, I still get :
A call to 'CreateProcessAsUser' failed with error code: '1314'.
Do I need to restart the service? Or the whole server? Or have I missed something else?
Any help will be much appreciated.
View 1 Replies
View Related
Nov 22, 2014
If you were to do a fresh install it would set permissions on the disk so everything just works.
Now when changing the service account (e.g. to a domain user) use the configuration manager, does it do the same magic (possibly sans if the database data/log files are on another disk)? Or do you need to trawl through the dozens of folders and assign rights manually?
View 1 Replies
View Related
Oct 3, 2007
I have a procedure which prepares a csv file on demand using xp_cmdshell to invoke bcp.
It works fine in sql server. In fact, I have setup a proxy account to run as the domain administrator so it should even work for limited sql server accounts.
When IIS 6.0 attempts to run the procedure, however, I get "xp_cmdshell failed to execute because current security context is not sysadmin and proxy acount is not setup correctly."
For some reason, IIS 6.0 is not able to assume proxy privileges.
Recently, the machine hosting IIS was promoted to a domain controller. Is this causing a problem? My suspicion is that the proxy account has to be a LOCAL user, and since DC's do not have local users, the proxy privileges are useless.
Anybody got any thoughts?
Thanks.
View 9 Replies
View Related
May 8, 2007
Hi Experts,
Is it possible to connect to SQL Server just using the SQL server agent's proxy account and access data ( without SQL management studio or SQL / Window authentication ). The proxy account is active only for SSIS package execution subsystem.
Thanks in advance,
DBLearner.
View 1 Replies
View Related
Aug 3, 2005
I'm trying to set a proxy account for the SQL agent. The user is Local
administrator on the SQL Server when I try to set the account I get a message back that says
"The system cannot find the path specified."
I get the same error with TSQL too.
EXEC master..xp_sqlagent_proxy_account
'SET', N'MY_DOMAIN', N'Myadm', N'MyPassword'
My system :
Windows Server 2003 SP1
SQL Server 2000 SP4
I am worried it might be interfering with someing.
Any ideas what paths it could be after?
View 5 Replies
View Related
Jan 14, 2015
I have a frustrating problem where I am using the Ola Hallengren jobs to backup to a network share. (This isn't something specific to his scripts).
For various reasons the SQL Server account can not be granted access to the share so I thought I would use a proxy account which does have access (this has been fully tested). I am using a CmdExec proxy.
The problem comes now that when I run the job it still thinks access is denied when running the xp_create_subdir command.
When I recreated this problem locally on my machine, as soon as I add the SQL Server account access to the share the backups work, so why isn't the job using the proxy account?
View 1 Replies
View Related
Oct 30, 2006
I am trying to run SSIS packages under SQL Server Agent 2005 and I keep getting a package failed error in the event viewer.
I've heard that I need to set up a proxy account. I have found the following code and need a little explanation on what all the parts mean since I am very new to this:
Use master
CREATE CREDENTIAL [MyCredential] WITH IDENTITY = 'yourdomainmyWindowAccount', secret = 'WindowLoginPassword'
Use msdb
Sp_add_proxy @proxy_name='MyProxy', @credential_name='MyCredential'
Sp_grant_login_to_proxy @login_name=' devlogin', @proxy_name='MyProxy'
Sp_grant_proxy_to_subsystem @proxy_name='MyProxy', @subsystem_name='SSIS'
Let's say for the sake of argument my domain is called CompanyInc and I log into windows with my name Philip_Jaques and my password is badpassw0rd. Would I modify the above code this way to create my proxy?
Use master
CREATE CREDENTIAL [MyCredential] WITH IDENTITY = 'CompanyIncPhilip_Jaques', secret = 'badpassw0rd'
Use msdb
Sp_add_proxy @proxy_name='MyProxy', @credential_name='MyCredential'
Sp_grant_login_to_proxy @login_name='Philip_Jaques', @proxy_name='MyProxy'
Sp_grant_proxy_to_subsystem @proxy_name='MyProxy', @subsystem_name='SSIS'
Also, when I create this proxy account where in SQL Server 2005 can I go to view it and its properties? And assuming I get the proxy account set up correctly, how do I get my current jobs to start using it so they will successfully run?
Thanks in advance for your help and advice!
View 2 Replies
View Related
Feb 14, 2008
There is one thing that€™s confusing me in creating a proxy account.
I am trying to get an SSIS package configured as a SQL Server job and execute it from a non-sysadmin login. But when I execute it gives the error message:
Non-SysAdmins have been denied permission to run DTS Execution job steps without a proxy account. The step failed.
I know that we have to create a proxy account for this to happen and creating of proxy account prompts me to choose a credential, and that is where I do not understand the logic. From MS website I can find the following, but it is confusing to me
This proxy account must use a credential that lets SQL Server Agent run the job as the account that created the package or as an account that has the required permissions.
ref: http://support.microsoft.com/default.aspx?scid=kb;EN-US;918760
I tried reading all the related articles, but still the process of creating the credential is confusing to me, can someone throw some light on the logic of proxy/credential here?
Thanks
Satya
View 23 Replies
View Related
Jul 31, 2006
Hi,
because my package does not run with SQL-Server-Agent, but without problems if started by "hand", I created a new credential which contains the information needed for the package. I did this as described on: http://msdn2.microsoft.com/en-us/library/ms190703.aspx .
After that i tried to create an proxy account, but when I chose the created credential, Management Studio says "Der Proxy "[name_of_credential] ist kein gültiger Windows-Benutzer(Microsoft SQL Server, Fehler: 14529)". This means something like: "This Proxy is not a valid windows-user. Error: 14529".
Any hints how to use a credential that is not a windows-user?
Regards,
Jan Wagner
View 7 Replies
View Related
Feb 15, 2006
Hi,
I have an SSISS package running in a job step, the job is owned and has to be run by a non-sysdamin SQL login. I have created a new credential (windows autrhentication, sysadmin priviledges) , mapped it to proxies 'SSISS' and 'Operating systems (CmdExec)' and have assigned the job step to run as that credential. Yet I'm getting the following error message:
Unable to start execution of step 1 (reason: Error authenticating proxy DomainUserName, system error: Logon failure: unknown user name or bad password.). The step failed.
Does anyone know why this is?
Thanks
View 4 Replies
View Related
Jan 2, 2008
Hello,
I'm having trouble setting up PROXY account. I follow the documentation, and Under Credentials, I can only select Operator. Is there a way to select any account under Security?
Your help is appreciated!
View 3 Replies
View Related
Apr 26, 2007
Hi experts,
Is there any potential security threat using Proxy accounts in SQL Server 2005 ? If any , Please give URLs for reference.
Thanks,
DBLearner
View 3 Replies
View Related
Feb 5, 2008
Hello,
I am trying to create a job that runs a SSIS package. I am getting the following error:
Message
Unable to start execution of step 1 (reason: Error authenticating proxy domainsckeels, system error: Logon failure: unknown user name or bad password.). The step failed.
Our DBA ran the following to create the credentials and proxy account.
USE MSDB
CREATE CREDENTIAL [sckeels] WITH IDENTITY = 'domainsckeels', secret = 'sckeels_credentials'
GO
Sp_add_proxy @proxy_name='ssis_users', @credential_name='sckeels'
GO
Sp_grant_login_to_proxy @login_name='domainsckeels', @proxy_name='ssis_users'
GO
Sp_grant_proxy_to_subsystem @proxy_name='ssis_users', @subsystem_name='SSIS'
Any help with this would be appreciated.
Steven
View 7 Replies
View Related
Jul 12, 2007
I am trying to create a Proxy account to use for Job Scheduling, but when ever I add Logins to the Principals in the Proxy Properties and click OK, when I check again, they are not saved. Is there a reason why this happens? Is there an alternate way to add principals? Thanks.
View 2 Replies
View Related
Sep 18, 2007
Hi all,
I have a problem while i create a proxy account.The situation is like this...There is a user who has an login in to the server.He has a stored procedure which calls some on the SSIS packages and XP_cmdshell...so this stored procedure basically load some data in to the tables .So for the login in order to execute the stored procedure as he is not a Sys admin I have created a proxy account in my account as Iam an SA and then in the proxies and in principals I selected his login name and this way I have created a credential and a proxy account.
Now the problem is if he logins with his id and password and try to execute the stored procedure it gives an error message
Server: Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line 1
The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
....so this mean the login is not able to see the proxy account.So what I did is I created a job and then in the job owner tab I have selected his login and then created a step with the type operating system (CmdExec) as I need to just execute the stored procedure and used the proxy account that I have created.
so I gave the command -- exec <stored procedure> --.
But this job fails and gives the error message as
[298] SQLServer Error: 536, Invalid length parameter passed to the SUBSTRING function. [SQLSTATE 42000]....
So now ....first My question is am I doing in a right way....if its right then why Iam not able to execute the stored procedure.
If there is any other way through which I can execute the stored procedure using a proxy account for the logins who are not sys admins....please do let me know.....
Thanks
Raja.V
View 5 Replies
View Related
Aug 15, 2007
Hi, I have the following setup:
- Win 2K Server, SP4
- SQL Srv 2K, SP4
- A 'DEV' domain, with an 'Administrator' account with all possible rights on the system
I need to configure a CmdExec proxy account in order to allow non-sys-admin users to execute the master.dbo.xp_CmdShell procedure.
When attempting to do this via QA as follows:
EXEC master.dbo.xp_sqlagent_proxy_account N'SET',
N'DEV', -- agent_domain_name
N'Administrator', -- agent_username
N'password' -- agent_password
...I get the following error:
"The system cannot find the path specified."
When attempting to do this via QA as follows (note: only change is adding domain to agent_username arg):
EXEC master.dbo.xp_sqlagent_proxy_account N'SET',
N'DEV', -- agent_domain_name
N'DEVAdministrator', -- agent_username
N'password' -- agent_password
...I get the following error:
"Error executing extended stored procedure: Specified user can not login"
I have tried this through Enterprise Manager and get identical results, of course.
I have also tried all of the following:
- different OS user accounts, including local system accounts with local admin rights;
- assigning the OS account to a SQL login with System Admin role/rights;
- specifically assigning the above SQL login with EXEC rights on the master.dbo.xp_CmdShell procedure;
- verifying local security policy settings, as per the following link: http://support.microsoft.com/?id=283811;
- pulling out my hair and banging my head against the wall.
Can anyone H E L P ? ! ! !
Thanks,
Joe
View 6 Replies
View Related
Sep 18, 2007
Hi all,
I have a problem while i create a proxy account in SQL Sever 2005.The situation is like this...There is a user who has an login in to the server.He has a stored procedure which calls some on the SSIS packages and XP_cmdshell...so this stored procedure basically load some data in to the tables .So for the login in order to execute the stored procedure as he is not a Sys admin I have created a proxy account in my account as Iam an SA and then in the proxies and in principals I selected his login name and this way I have created a credential and a proxy account.
Now the problem is if he logins with his id and password and try to execute the stored procedure it gives an error message
Server: Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line 1
The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
....so this mean the login is not able to see the proxy account.So what I did is I created a job and then in the job owner tab I have selected his login and then created a step with the type operating system (CmdExec) as I need to just execute the stored procedure and used the proxy account that I have created.
so I gave the command -- exec <stored procedure> --.
But this job fails and gives the error message as
[298] SQLServer Error: 536, Invalid length parameter passed to the SUBSTRING function. [SQLSTATE 42000]....
So now ....first My question is am I doing in a right way....if its right then why Iam not able to execute the stored procedure.
If there is any other way through which I can execute the stored procedure using a proxy account for the logins who are not sys admins....please do let me know.....
Thanks
Raja.V
View 1 Replies
View Related
Apr 15, 2008
do sqlagent service account proxies need more than just permissions on the app databases being read from and written to in the executing ssis package?
it looks like there are some prep steps when a pkg is going to be run. In my case, the pkg comes from msdb which has it's own security roles. So will my proxies need "datareader" permission on msdb...in addition to datareader and datawriter permissions on the other databases the pkg reads/writes from/to?
are there other permissions/roles normally important to proxies used in getting ssis pkgs to run? Where are they set?
View 7 Replies
View Related
Jun 16, 2015
I running SSIS package job without sql agent , it is working fine.when i am running through sql agent not running.
created Proxy accountÂ
job failed and give above error.
Server is cluster and taking data from desktop.
server is in one domain and desktop in another domain.
View 3 Replies
View Related
Sep 18, 2007
Hi all,
I have a problem while i create a proxy account.The situation is like this...There is a user who has an login in to the server.He has a stored procedure which calls some on the SSIS packages and XP_cmdshell...so this stored procedure basically load some data in to the tables .So for the login in order to execute the stored procedure as he is not a Sys admin I have created a proxy account in my account as Iam an SA and then in the proxies and in principals I selected his login name and this way I have created a credential and a proxy account.
Now the problem is if he logins with his id and password and try to execute the stored procedure it gives an error message
Server: Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line 1
The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
....so this mean the login is not able to see the proxy account.So what I did is I created a job and then in the job owner tab I have selected his login and then created a step with the type operating system (CmdExec) as I need to just execute the stored procedure and used the proxy account that I have created.
so I gave the command -- exec <stored procedure> --.
But this job fails and gives the error message as
[298] SQLServer Error: 536, Invalid length parameter passed to the SUBSTRING function. [SQLSTATE 42000]....
So now ....first My question is am I doing in a right way....if its right then why Iam not able to execute the stored procedure.
If there is any other way through which I can execute the stored procedure using a proxy account for the logins who are not sys admins....please do let me know.....
Thanks
Raja.V
View 2 Replies
View Related
Dec 17, 1999
Our system is MS SQL Server v7 and NT 4. We have a stored procedure that exec's xp_cmdshell to run an external program located on the server. When a user who has 'sa' rights runs this stored procedure it works fine. When a 'non-sa' user (via the "BuiltinUsers" NT account) runs it, xp_cmdshell produces the following error:
Msg 50001, Level 1, State 50001
xpsql.c: Error 1385 from LogonUser on line 476
Is there an NT security or SQL Server setting I've overlooked that can be changed to allow non-sa users to xp_cmdshell programs?
n.b. The BuiltinUsers account does already have execute permission on the xp_cmdshell procedure.
View 3 Replies
View Related
Apr 16, 2015
I ran the Upgrade Adviser Report on a Server and it identifies the Proxy's as being deprecated.
What action is needed?
Object Type: ProxyObject Name: sa-apro-cms
Object Type: ProxyObject Name: sa-apro-payroll
Object Type: ProxyObject Name: sa-pi-sql-agent
View 0 Replies
View Related
Jan 26, 2007
Hi,
I have a least privileged SQL Login €œClient€? and have granted execute rights on XP_Cmdshell SP at master db. When I execute master.. XP_Cmdshell €˜dir€™ I€™m getting the below error.
Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line 1
The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
Please note it is SQL Login account and not windows account. I have checked everywhere for similar problem and no luck.
Thanks for you help in advance
With regards
GK
View 1 Replies
View Related
Feb 10, 2005
Hey there,
I have a procedure that runs a PERL script through xp_cmdshell. The PERL script opens Excel and has Excel open a document so that it can parse through it.
When I run the PERL script directly from the command line, it works perfectly.
When I run it from xp_cmdshell I get the following error:
Win32::OLE(0.1502) error 0x800a03ec in METHOD/PROPERTYGET "Open" at c:perlexcelTestRead.pl line 10
Now I initially thought that this was a simple permissions problem, but the account that xp_cmdshell uses has full permissions on the directory the file's in and to the Excel application. Wierder still, I can use PERL to read and write files to my heart's content. I just can't use the OLE Excel object to open an Excel file.
Anyone encounter something like this before? I think the fact that it's PERL is coincidental. The issue is that I can't use the Win32 Excel.Application object to open Excel files when using xp_cmdshell to do so. Remember, this works when I run it from the command line.
Thanks for any help you can provide
Matt
View 3 Replies
View Related
Mar 6, 2008
Hi, I want to execute BCP in Query Analyser in SQL Server 2005 Express for that i surf on net and find that i should execute BCP under xp_cmdShell, That works good for addministritative account on SQL. But i want the working will be done by a non administrative account or non 'sa' user.How can i assign a non sa User permissions to execute xp_cmdShell? or just tell me any other alternative way to run BCP in Query Analyser or code behined. thanx
View 1 Replies
View Related
Jul 20, 2005
Is there any way to allow a user to use the xp_cmdshell extendedstored procedure without giving that user execute permissions toxp_cmdshell in SQL server 6.5? Let me clarify. Lets say I (as thedbo) create a stored procedure called sp_send_err:CREATE PROCEDURE sp_send_err @CompID varchar(20) ASdeclare @strCMD varchar(255)select @strCMD = "master.dbo.xp_cmdshell 'net send " + @CompID + """ERROR!""', no_output"execute (@strCMD)GONow lest say I give "user1" execute permissions on sp_send_err, but nopermissions on xp_cmdshell. When I run sp_send_error I get thefollowing error:"EXECUTE permission denied on object xp_cmdshell, database master,owner dbo".Why doesn't this work? What else can I do?
View 1 Replies
View Related
Jul 20, 2005
Hi allI have a stored procedure that has the lineEXEC master..xp_cmdshell 'dtsrun /Stestjob1 /N testdts /E'If I run the SP from an access front end as a trusted user or from ascheduled job it runs fine and exectues the dts.If I run the stored procedure using VB6 as a standard connection the dtsjobwont run. I get back Execute permissions denied on xp_cmd.. on databasemasterdb_connect_string = "Provider=SQLOLEDB.1;Persist Security Info=False;UserID=test_connect;PWD=pw1test;Initial Catalog=testdb;Data Source=" &database_name....Set cmd = New ADODB.Commandcmd.ActiveConnection = db_connect_stringcmd.CommandType = adCmdStoredProccmd.CommandText = "testStoredProcedure"cmd.ExecuteDo I need to give test_connect permisions to run the test stored procedure.I hoped that because the VB called a stored procedure and the connection hadpermissions to execute the SP then it would be the SP that called thexp_command....can anyone tell me the accepted way to do thismany thanksAndy
View 2 Replies
View Related
Mar 2, 2006
Hey everyone,
I apologize for the newbie question but I'm looking for the correct
answer. We have 4 production SQL servers at this time. When
we had originally set them up the "sa" account belonged to the domain
administrators group. Since we have a SQL admin team and a domain
admin team we would like to remove this privilege. Is this
something we can and should do? Our SQL servers use mixed mode
authentication and some databases are configured for Windows
authentication. I would appreciate any input from the community.
View 7 Replies
View Related
Jul 5, 2006
I have a bit of problem I was hoping someone could point me in the right direction. I have a SQL Server
2005 database which leverages both the Membership and Roles APIs. When I recreate
the database for production release, I simply run an sql file using the sqlcmd
utility - no problem. What I need is a way to add a default administrator role,
account and assign this new administrator to the administrator role.Can someone advise on how this is typically handled?
View 6 Replies
View Related
Oct 2, 2007
I just set up a SQL 2005 Server about a month ago that we will be moving all of our scattered DBs onto. I basically set it up with the default settings and didn't touch anything special, until I tried to install Microsoft System Center Essentials 2007 in our environment. I had problems getting it to use our SQL server, and a forum post told me to change all of the service accounts for SQL to use the LocalSystem login. So here are my service accounts:
SQL Server Integration Services
- NT AUTHORITYNetworkService
SQL Server FullText Search (MSSQLSERVER)
- LocalSystem
SQL Server (MSSQLSERVER)
- LocalSystem
SQL Server Analysis Services (MSSQLSERVER)
- LocalSystem
SQL Server Reporting Services (MSSQLSERVER)
- LocalSystem
SQL Server Browser
- LocalSystem
SQL Server Agent (MSSQLSERVER)
- LocalSystem
So Sandisk makes this software called CMC. It's for controlling their enterprise USB drives. And their software won't install. It errors out saying that it couldn't drop the database on our SQL server (but it doesn't exist). If I make an empty DB by the same name, it sees it, and then errors out anyway. I am using the SA login for testing (I was using a purposed SQL account before) so I don't think it's a rights issue. Sandisk says it should work, and they suggested I use SQL server express. But we run VMs, and running SQL server in another VM is going to use more of our memory pool. Plus we want centralized backups and all that.
Do my service account logins have anything to do with it? Can someone tell me what these should be set to by default so I can change them back?
Here's a trace I did when I tried to install the software:
-- network protocol: TCP/IP
set quoted_identifier on
set arithabort off
set numeric_roundabort off
set ansi_warnings on
set ansi_padding on
set ansi_nulls on
set concat_null_yields_null on
set cursor_close_on_commit off
set implicit_transactions off
set language us_english
set dateformat mdy
set datefirst 7
set transaction isolation level read committed
set implicit_transactions on
go
drop database [CruzerDb]
go
IF @@TRANCOUNT > 0 ROLLBACK TRAN
go
And here's more info if needed:
Product Version
- 9.00.3042.00
Edition
- Standard Edition
Server Collation
- SQL_Latin1_General_CP1_CI_AS
Is Clustered
- No
Is FullText Installed
- Yes
Is Integrated Security Only
- No
Is AWE Enabled
- No
# Processors (used by instance)
- 2
View 2 Replies
View Related
Jun 20, 2000
If someone can tell if it is wise change the SA account password after all of your databases have been set up using NT Authentication for login. Also, by using the sa password at login are you providing more security and and who should have access to that password (Your developers or your Administrators?)
Thanks
View 3 Replies
View Related
