Problem In Executing Xp_cmdshell With Least Privileged SQL Login Account In SQL 2005
Jan 26, 2007
Hi,
I have a least privileged SQL Login €œClient€? and have granted execute rights on XP_Cmdshell SP at master db. When I execute master.. XP_Cmdshell €˜dir€™ I€™m getting the below error.
Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line 1
The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
Please note it is SQL Login account and not windows account. I have checked everywhere for similar problem and no luck.
Thanks for you help in advance
With regards
GK
View 1 Replies
ADVERTISEMENT
Aug 10, 2006
Bummer. I can't remember the SA password. I had setup a user account, but I can't change anything or add any new accounts using this login. I can't get in using the windows authentication method no matter how I am logged into this machine.
Any suggestions? I have never been able to use Windows Authentication. There must be something I'm missing here. I have spent hours and hours trying to get into this machine. I just want to replicate a database. This is very frustrating.
Thanks guys.
View 3 Replies
View Related
Mar 2, 2004
Hi all, i hope you can help me.
Basically a dts package has been setup that pulls in data from another companies server, this data requires to be on-demand i.e individual users can pull in updates of the data when they require it.
I am using xp_cmdshell and dtsrun to pull in the data. This obviouly works fine for me as i am a member of sysadmin.
Books online quotes " SQL Server Agent proxy accounts allow SQL Server users who do not belong to the sysadmin fixed server role to execute xp_cmdshell"
So i went to the SQL Server Agent Properties 'Job System' tab and unchecked 'Non-sysadmin job step proxy account' and entered a proxy account.
The proxy account has been setup as a Windows user with local administrator privilages and even a member of the sysadmin server role - just in case.
Now when i log onto the db with my test account - a non-sysadmin - and attempt to run the stored proc to import the data i recieved the message 'EXECUTE permission denied on object 'xp_cmdshell', database 'master', owner 'dbo' '
hmm... so basically i have either misunderstood BoL or there is something not quite right in my setup.
I have search the net for a few days now and yet i can find no solution.
Can anyone help?
View 2 Replies
View Related
Oct 14, 2004
Hi ,
I want to execute xp_cmdshell from normal sql server account not sysadmin member in SQL Server 2000. I had give execute privileges on xp_cmdshell to normal account... but its not working...
Is it possible to execute xp_cmdshell from non sysadmin member account in SQL Server2000...
Thanks in advance...
-Mohit.
View 1 Replies
View Related
Apr 22, 2008
Im having trouble getting xp_cmdshell to work after we changed the service account for our sql server. It was working perfectly before - so i know that execute permissions have been granted, and that we have a credential set up properly.
I have read that I need to ensure the service account has permissions to 'act as opertaing system' and 'replace a process level token'. I have granted these rights in the local security policy as well.
However, I still get :
A call to 'CreateProcessAsUser' failed with error code: '1314'.
Do I need to restart the service? Or the whole server? Or have I missed something else?
Any help will be much appreciated.
View 1 Replies
View Related
Jan 11, 2008
Here is a post to the MSDN forums that I have not been able to resolve:
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2663783&SiteID=1
Anyone here have any ideas?
View 6 Replies
View Related
Oct 1, 2007
I'm trying execute DTSX-package
Code Block
exec master..xp_cmdshell '"C:Program Files (x86)Microsoft SQL Server90DTSBinndtexec.exe" /FILE ...'
But have got error
Code Block
'C:Program' is not recognized as an internal or external command,
for some reason it doesn't work!
Or xp_cmdshell doesn't work with long filenames?
View 3 Replies
View Related
Dec 17, 1999
Our system is MS SQL Server v7 and NT 4. We have a stored procedure that exec's xp_cmdshell to run an external program located on the server. When a user who has 'sa' rights runs this stored procedure it works fine. When a 'non-sa' user (via the "BuiltinUsers" NT account) runs it, xp_cmdshell produces the following error:
Msg 50001, Level 1, State 50001
xpsql.c: Error 1385 from LogonUser on line 476
Is there an NT security or SQL Server setting I've overlooked that can be changed to allow non-sa users to xp_cmdshell programs?
n.b. The BuiltinUsers account does already have execute permission on the xp_cmdshell procedure.
View 3 Replies
View Related
Oct 4, 2007
Re: SQL Server 2005
Does the xp_cmdshell proxy account need admin-level permissions on the server?
The reason I ask this is because I keep getting "Access is Denied" errors when trying to run this command as a non-admin:
master..xp_cmdshell dtexec 'some package'
The 'some package' has an "execute process task" which calls a batch file on the server.
If the proxy account is NOT a local admin, the "execute process tasks" fails with an "Access is Denied" error.
If the proxy account is a local admin, it executes fine.
We have given "Everyone" FULL CONTROL of all the folders that are affected by the batch file, and it still does not work.
I am out of ideas at this point. It just does not work unless it's an admin.
Are we missing something here?
View 7 Replies
View Related
Apr 25, 2007
I have a situation that I have discovered in our QA database that I need to resolve. When I looked at the Activity Monitor for our server, I discovered that a process is running under a domain user account for one of our .Net applications. The problem is that that domain user account has not been created as a SQL login account on the server. I am trying to figure out how someone can log in to the database server with a domain user account that has not been added to SQL Server as a login account.
Does anyone have any insight on this? I don't like the idea of someone being able to create domain account that can access the database without me granting them specific access.
- Larry
View 6 Replies
View Related
Oct 22, 2007
How can I execute an SSIS package from TSQL without using xp_cmdshell?
I have a web-app which calls some SQL which executes my SSIS package (a DTSX file, but stored in the server). But the security policy for my application won't permit me use to xp_cmdshell.
I want to do this:-
DECLARE @returncode int
EXEC @returncode = xp_cmdshell 'dtexec /sq pkgOne"'
Is there another way for executing a Package without going to the command line (e.g. is there some other system stored proc)?
Thanks
View 1 Replies
View Related
Jul 20, 2005
HelloI am trying to execute ‘xp_cmdshell' from within a DTS package thatwas created by another person. When I try to execute that ‘SQL Task'selectively from within the package, I get the following errormessage:Error Title: Package ErrorError Details:Error Source: Microsoft OLE DB Provider for SQL ServerError Description: xpsql.cpp: Error 87 from GetProxyAccount on line604Why is this error message popping up? When I create a new package(myself) and create an exact same SQL task as above and run it, theSQL task runs fine.Appreciate any help / feedback.Thanks in AdvanceJagannathan Santhanam
View 1 Replies
View Related
Oct 22, 2007
How can I execute an SSIS package from TSQL without using xp_cmdshell?
I have a web-app which calls some SQL which executes my SSIS package (a DTSX file, but stored in the server). But the security policy for my application won't permit me use to xp_cmdshell.
I want to do this:-
DECLARE @returncode int
EXEC @returncode = xp_cmdshell 'dtexec /sq pkgOne"'
Is there another way for executing a Package without going to the command line (e.g. is there some other system stored proc)?
Thanks
View 14 Replies
View Related
Feb 10, 2006
I have a package that executes fine in BIDS. However, when calling it using xp_cmdshell it cannot find the path to the source flat file. Anyone have any suggestions?
Here is the statement:
xp_cmdshell 'dtexec /SQ NatlAcctsImport /SER CR1-SQL-01 /CONN SourceConnectionFlatFile;Q:BINATNLACCTS'
Here is the result:
Microsoft (R) SQL Server Execute Package Utility
Version 9.00.1399.06 for 32-bit
Copyright (C) Microsoft Corp 1984-2005. All rights reserved.
NULL
Started: 9:50:56 AM
Progress: 2006-02-10 09:50:57.40
Source: Data Flow Task
Validating: 0% complete
End Progress
Progress: 2006-02-10 09:50:57.40
Source: Data Flow Task
Validating: 50% complete
End Progress
Progress: 2006-02-10 09:50:57.42
Source: Data Flow Task
Validating: 100% complete
End Progress
Progress: 2006-02-10 09:50:57.43
Source: Data Flow Task
Validating: 0% complete
End Progress
Progress: 2006-02-10 09:50:57.43
Source: Data Flow Task
Validating: 50% complete
End Progress
Progress: 2006-02-10 09:50:57.43
Source: Data Flow Task
Validating: 100% complete
End Progress
Progress: 2006-02-10 09:50:57.43
Source: Data Flow Task
Prepare for Execute: 0% complete
End Progress
Progress: 2006-02-10 09:50:57.43
Source: Data Flow Task
Prepare for Execute: 50% complete
End Progress
Progress: 2006-02-10 09:50:57.43
Source: Data Flow Task
Prepare for Execute: 100% complete
End Progress
Progress: 2006-02-10 09:50:57.43
Source: Data Flow Task
Pre-Execute: 0% complete
End Progress
Warning: 2006-02-10 09:50:57.43
Code: 0x80070003
Source: Data Flow Task Source - NATNLACCTS [1]
Description: The system cannot find the path specified.
End Warning
Error: 2006-02-10 09:50:57.43
Code: 0xC020200E
Source: Data Flow Task Source - NATNLACCTS [1]
Description: Cannot open the datafile "Q:BINATNLACCTS".
End Error
Error: 2006-02-10 09:50:57.43
Code: 0xC004701A
Source: Data Flow Task DTS.Pipeline
Description: component "Source - NATNLACCTS" (1) failed the pre-execute phase and returned error code 0xC020200E.
End Error
Progress: 2006-02-10 09:50:57.43
Source: Data Flow Task
Pre-Execute: 50% complete
End Progress
Progress: 2006-02-10 09:50:57.43
Source: Data Flow Task
Cleanup: 0% complete
End Progress
Progress: 2006-02-10 09:50:57.43
Source: Data Flow Task
Cleanup: 50% complete
End Progress
Progress: 2006-02-10 09:50:57.43
Source: Data Flow Task
Cleanup: 100% complete
End Progress
DTExec: The package execution returned DTSER_FAILURE (1).
Started: 9:50:56 AM
Finished: 9:50:57 AM
Elapsed: 0.985 seconds
NULL
View 3 Replies
View Related
May 12, 2008
I am getting the error:
Cannot open database "aspnetdb" requested by the login. The login failed.
When I browse to my ASP.NET 3.5 LINQ web application on the IIS 6.0 server on Server 2003.
I imagine this is because while I granted SQL Server 2005 login and permissions to my database that the application stores its data in, I did NOT grant any rights to the service account the IIS Application Pool uses for its identity to the aspnetdb database on SQL Server which is where all my roles information is stored at.
My question is what are the MINIMUM permissions needed for this database so it can perform its roles related functions?
I'm using Windows Authentications with the SQL Role provider for authorization.
Thank you.
EDIT: I think I only need to open the aspnetdb database and add my login to the aspnet_Roles_FullAccess role. Is that correct?
View 2 Replies
View Related
Jun 21, 2006
Hi everyone,
I have a simple question for you which is too important for me.
My question is about logins in my own(local) server.
I know that my local server(my computer's server) has to default login account which are called sa and BUILTIN/ADMINISTRATOR. While I am using my own server, I do not know which default login account is used by my Server since I use windows authentication while connecting to the Server.
Another question is that while adding new login account for my own Server, I noticed that there is a choice which is comprised of Grant and Deny for the Security. What is the meaning and usage of this ??
Thanks and Regards
View 25 Replies
View Related
Jul 20, 2005
I doing some testing with security and ran into the following problem.I want to log into the SQL server (from Query Analyzer) using mydomain account. To allow this, I went into Logins section inEnterprise Manager and added my user account as a Windows User.If I set Analyzer to use Windows authentication I am to log in with noproblems. But if it is set to SQL Server authentication and I type inmy username (in the format domainusername or username@domain) andpassword I get a login error.Is there a way to login in to SQL using domain account without usingwindows authentication?Thanks,Jason
View 2 Replies
View Related
Mar 20, 2007
Hi everybody !!!
I have SQLServer 2005 installed and I think a login account is corrupted because Im not able to connect to a database. I get an Timeout expiration error after I clicked on Login Properties or when I try to make a connection to SQLServer 2005 using that login account. Also I cannot review the script needed to create the login, but I do can review the database user properties mapped to this login account.
Is there a way to recreate or repair a login account??
The only solution I have right now is create another login accout, but this involves to modify database connection properties within my code.
Any help, comment or suggestion is really appreciated.
Thans a lot.
View 1 Replies
View Related
Mar 20, 2007
Hi everybody !!!
I have SQLServer 2005 installed and I think a login account is corrupted because Im not able to connect to a database. I get an Timeout expiration error after I clicked on Login Properties or when I try to make a connection to SQLServer 2005 using that login account. Also I cannot review the script needed to create the login, but I do can review the database user properties mapped to this login account.
Is there a way to recreate or repair a login account??
The only solution I have right now is create another login accout, but this involves to modify database connection properties within my code.
Any help, comment or suggestion is really appreciated.
Thans a lot.
View 1 Replies
View Related
May 22, 2008
I need to change the login name for the dbo account on several databases to the SQL sa name instead of using a Windows authentication domain name. I haven't been able to find a way to make this change.
View 6 Replies
View Related
Jun 1, 2006
In SQL 2000 I use to be able to grant a computer account access to a SQL DB by adding that computer account to the SQL Logins using DOMAINCOMPUTERNAME$. I have not been able to do this so far in SQL 2005.
Does anyone know if this is still possible or has this functionality been removed from 2005?
View 4 Replies
View Related
Aug 14, 2007
Hi everyone,
Is there any limitation in number of accesses for a sql login account?
For example, I use one sql login account to connect between the website and db. Since I changed web server to window 2003. I got error message saying SQL Server does not exist or access denied.
I then created another sql account instead of only one login account. now the website is running fine and faster than before.
I really don't understand it. Can anyone please explain it?
Thanks in advance!
View 6 Replies
View Related
Oct 25, 2007
Hey Everyone,
I am testing restoring databases on another SQL 2005 server in out environment using HP data protector 5.5 and its great. However, I notice that the security login accounts do not get restored. If this is the case how do I go about getting accounts restored? Also, are there any other options?
Cheers,
Mark
View 3 Replies
View Related
Mar 8, 1999
I'm developing a client-server application using Visual Basic and SQL Server
6.5 for 700 users. The application currently requires users to login to the
database using their network account (via trusted connections). Each of the
users takes up a maximum of 6 connections. Unfortunately, other
considerations will force us to discard use of trusted connections. So it
only leaves us either to create 700 user accounts on SQL Server separately
from their network logins or to create one SQL Server account and everybody
uses that same account to login to the database. For political reasons, the
customer would prefer not to ask their support group to maintain 700 user
accounts on SQL Server if it can be avoided.
My question: is there any technical limitation or other negative consequence
of having 700 users login to the same account to SQL Server if SQL Server
can handle that many connections (it would be 6*700 = 4200 connections)
simultaneously? Are we supposed to do things like this? It seems that we
don’t have better choice than this.
View 1 Replies
View Related
Jul 25, 2007
I have a SQL 2k5 ent. 64 bit on Windows 2003 Ent x64 edition.
The sql server was running fine under localsystem account. Recently I changed the service account to a local user (part of users group in windows) and implemented permissions according to KB article 283811. (have imlpemented the same on many other sql servers without issue).
However, the SQL services are not starting up and I am seeing the following errors in the errorlog.
===================
2007-07-25 12:36:55.90 spid11s Server name is 'HBCARPROD'. This is an informational message only. No user action is required.
2007-07-25 12:36:55.90 spid13s Starting up database 'model'.
2007-07-25 12:36:55.90 Server Error: 17182, Severity: 16, State: 1.
2007-07-25 12:36:55.90 Server TDSSNIClient initialization failed with error 0x5, status code 0x51.
2007-07-25 12:36:55.90 Server Error: 17182, Severity: 16, State: 1.
2007-07-25 12:36:55.90 Server TDSSNIClient initialization failed with error 0x5, status code 0x1.
2007-07-25 12:36:55.90 Server Error: 17826, Severity: 18, State: 3.
2007-07-25 12:36:55.90 Server Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
2007-07-25 12:36:55.90 Server Error: 17120, Severity: 16, State: 1.
2007-07-25 12:36:55.90 Server SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.
====================================
I have gone through the http://blogs.msdn.com/sql_protocols but everything mentioned here seems to be there. I understand this is some permission issue. Just not able to find it out. Can anybody help?
View 5 Replies
View Related
Nov 21, 2007
Dear All,
I currently installed visual studio 2005. So together it als install sql server express. So then I install the sql server management studio express too. So the problem now I want to do is run asp.net pages. I want to know how to create a local account with my own password. Because now I can only login using default windows authentication so how can I create an account with for sql server authentication ? Another question is that for the server address in my asp.net page what must I write localhost or the name shown in the server name text box while logging in. Thanks.
View 4 Replies
View Related
May 13, 2008
Hi all,
I want some low privileged users to get access to some systems Stored procedure and other resources.What is wrong with the below code ?
--Login as 'domainadministrator', a privileged user
Code Snippet
Create Proc ExecCmd(@cmd nVarchar(4000)) with execute as 'domainadministrator'
AS
Begin
EXECUTE (@cmd)
End
Command(s) completed successfully.
GRANT IMPERSONATE ON USER::[domainadministrator] to appusers
Command(s) completed successfully.
Grant execute on ExecCmd to appusers
Command(s) completed successfully.
But When I login as appusers, and run the procedure I am getting this error
Code Snippet
ExecCmd 'xp_cmdshell ''DIR C'''
The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'
Thanks in advance,
Sanoj
View 1 Replies
View Related
Dec 6, 2007
I would like to write code to delete and add a SQL Login to every User database on my development server.
Whenever I restore databases to dev using production backups the SQl Server logins are invalid and I need to delete them from the user database and add them again.
I've already hard-coded a sql server job with n steps... a step for each user database to drop and add this sql user to each database. This isn't optimal since I have to add or delete a step everytime a user database is added or deleted.
Does anyone know how to write a loop or cursor that does this dynamically?
I am doing something syntactically wrong related to the GO statement.
declare @db varchar(100)
declare @message varchar(3000)
DECLARE user_cursor CURSOR FOR
SELECT top 1 name
FROM master.sys.databases
where name not in
('master','tempdb','model','msdb')
OPEN user_cursor
FETCH NEXT FROM user_cursor INTO @db
WHILE @@FETCH_STATUS = 0
BEGIN
SELECT @message = 'use '+@db + '
GO'
+'DROP USER [SQLLogin.DataEntry]
CREATE USER [SQLLogin.DataEntry] FOR LOGIN [SQLLogin.DataEntry]
EXEC sp_addrolemember N''db_datareader'', N''SQLLogin.DataEntry''
GO
'
execute @message
print @message
FETCH NEXT FROM user_cursor INTO @db
END
CLOSE user_cursor
DEALLOCATE user_cursor
View 3 Replies
View Related
Oct 11, 2007
the password of sa account is empt
I use "sqlcmd -S servername -U sa " command but failed
any suggestions?
thanks
View 8 Replies
View Related
Apr 3, 2008
Hi All,
I have a sql server database user with Password must change, and I get this error when i use ODBC connection wizard,
18488
Login failed for user '%.*ls'. Reason: The password of the account must be changed.
where would the windows shows up to change it similary we do when we connect through Management studio and provide new password.
Any idea.
View 3 Replies
View Related
May 5, 2008
Any idea why this happened and what do i have to do to reslove it?
Code Snippet
Login failed for user 'dd_user'. Reason: The password of the account must be changed.
View 1 Replies
View Related
Jan 5, 2006
During install of SQL Server 2005, we can of course use a domain account or the built-in system account for running the services. I lean toward domain for obvious reaons but would like to know a +/- to each option and why I'd choose one over the other and what consequences or limitations one may encounter if I choose one over the other.
View 6 Replies
View Related
Jul 27, 2006
I notice when I copy an SSIS package 'A' to a new package 'B', the new package 'B' will generate a "login failed for user" message in the data flow components. To copy I "save copy of Package 'A' as."
Some config info:
Package ProtectionLevel = EncryptSensitiveWithPassword
Connections are Data Sources
Connection strings with password are stored using PackageConfigurations to an SQLServer table. I've verified Package 'A' is in fact using the config table (e.g. it is not using a password or user stored in the package)
Data connectios are all SQLServer Native OLE DB Client
The account is an SQLServer account (not integrated security)
The original Package 'A' works flawlessly and I get success when I test the connections in Package 'B'.
But executing package 'B' I get: The error message I get is: [Connection manager "MyConnection"] Error: An OLE DB error has occurred. Error code: 0x80040E4D. An OLE DB record is available. Source: "Microsoft SQL Native Client" Hresult: 0x80040E4D Description: "Login failed for user 'dwuser'.".
Does anyone know why this would occur and/or how to work around it? I saw another thread where a potential workaround is to create a new data flow task and copy all the data flow components to that task. That won't work well for us because the data flow is moderately complex and when you copy and paste it, SSIS completely re-orders the layout.
This is a typical data warehouse ETL setup where there is a master package that executes child packages (e.g. 'A', and 'B' mentioned above) that each perform the ETL for a specific dimension or fact table.
Thanks for any help,
Lee Cascio
View 3 Replies
View Related