Restricted Users && Xp_cmdshell
May 5, 2008
Scenario:
SQL Server 2005 SP2.
SQL Server has only Windows Authentication Mode.
SQL server 'xp_cmdshell' option has been disabled by surface area configuration.
A database 'CN01' has been created
I have created a schema 'Executables' that contains stored procedures to access data in 'CN01'.
I have created a database role 'db_procexecutor' with execution permission on schema 'Executables'.
I have created a group 'CN01-Users' in Active Directory.
I have created a login 'CN01-Users' which has been assigned 'db_procexecutor' role in 'CN01' database.
Problem:
I want a user member of AD group 'CN01-Users' to execute a Stored Procedure in 'CN01' database, (in 'Executables' schema) which needs access to 'xp_cmdshell' to write a file in OS through bcp command.
The following SP works only assigning 'sysadmin' role to 'CN01-Users'.
For security reasons, I don't want to assign 'sysadmin' role to 'CN01-Users', neither assign permissions on Master.
I want the SP to work in the security scenario described earlier.
Should I use procedure signing ? ... If so, please describe step by step.
Sample SP:
EXEC sp_configure 'show advanced options', 1
RECONFIGURE WITH OVERRIDE
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE WITH OVERRIDE
exec xp_cmdshell 'bcp "SELECT Column FROM CN01.dbo.table" queryout C: able.txt -T -c'
EXEC sp_configure 'xp_cmdshell', 0
RECONFIGURE WITH OVERRIDE
EXEC sp_configure 'show advanced options', 0
RECONFIGURE WITH OVERRIDE
Thank you !
Daniel Pérez
Montevideo-Uruguay
Jun 11, 2007
I downloaded a backup of an SQL database from the server and restored the database successfully into my SQL Server Management Studio Express, but next to the name of the database there is a note: (Restricted User)! When I try to use the database offline to log in to my control panel created by me, it does not work. After I created a small new database with the same tables, login works! I am admin on my local PC. Any ideas why my restored database has the note "Restricted User"? This is a bigger database and it looks complicated to transfer data from the old to the new database, but if someone has examples of that it can help too.
Jul 23, 2002
Hi all,
What is the syntax to set database to restricted user mode using SQL query analyzer?
Jan 5, 2006
Hi,
I have a problem. While creating login for a single table in a database we know the public role is given by default.
I have use to disabled all public privileges by-
Use northwind
revoke all from public
executing through query Analyser.
And after creating a role named "reception" and giving the privileges of "select" to customer table by ticking and assigning that role to the login I get my login.
But using that login when I login, I can use select to see customer table.
And except that nothing is allowed.
But when i write
use pubs
select * from sales
I get the entire results.
Plz suggest me a way to block everything except the "select" of customer table.
Thanks!!
Joydeep
Jan 15, 2008
Hello Everyone,
I appear to be doing something wrong. When I
set my Table for Unrestricted File Growth and
save it, When I go back and look at the settings
it is set back to restricted file growth.
It seems to me if you set any settings and apply
and/or save it. Should it not keep that setting.
Any advice would be great.
Thanks
Feb 27, 2008
We have "unrestricted" size of log file on model database, but for some reason, all newly created databases have "restricted" sizing.
After taking a look at this, it appears that SQL Server changes the "Unrestricted" file growth setting specified on the log file in the model database to "restricted to 2 TB". This size is the maximum allowed for log files by SQL Server 2005, so this means the settings are identical?
Mar 27, 2008
Just released small piece of software with SQL Compact Edition, version 3, dll files distributed with the application.
Now feedback from 2 people suffering an error message as follows:
SQL Mobile usage is restricted on this platform. To use SQL Mobile, you must install SQL Server 2005, Visual Studio 2005, or the Tablet PC SKU.
Both using XP under Admin accounts.
My own testing did throw up this error prior to release, but only when I tried to run the program as a Limited User. I was unable to find out why. Running the program under an Administrator account never produced this error message.
The test-bed was a fresh install of XP, SP 2, running within VMware. An Administrator account was set up. No development software was installed, nor anything to do with SQL. I tried to make it a clean environment to be used by a non-technical user.
Any insights would be most appreciated.
Jul 20, 2005
Access 97 SR 2 Front End
SQL Server 7.00.1063 Back End
When I attempt to relink the tables in my Access app. I am suddenly getting this weird error message = "ODBC--Call Failed", followed by "[Microsoft][ODBC SQL Server Driver]Restricted Data Type Attribute Violation(#0)". This problem did not manifest last time I tried a few weeks ago, and so far as I know there have been no software changes such as Service Packs etc.
The error occurs when attempting to link a view. Here is the script for the tables and the view siipl_DoesNotWork:
==================================
CREATE TABLE [dbo].[tblBOMEntries] (
[fldID] [int] IDENTITY (1, 1) NOT NULL ,
[fldCMMPartID] [int] NULL ,
[fldSIPartNo] [varchar] (20) NULL ,
[fldDescription] [varchar] (50) NULL ,
[fldQtyAssy] [int] NULL ,
[fldItemNo] [int] NULL ,
[fldOnIPL] [bit] NOT NULL ,
[fldRefDesig] [text] NULL ,
[fldParentID] [int] NULL ,
[fldBOMLevel] [int] NULL ,
[sys_ts] [timestamp] NULL ,
[fldObsDate] [varchar] (15) NULL ,
[fldEffDate] [varchar] (15) NULL ,
[fldItemRevNo] [int] NULL ,
[fldModNo] [varchar] (10) NULL ,
[fldNewBOMFlag] [smallint] NOT NULL
) ON [PRIMARY] TEXTIMAGE_ON [PRIMARY]
GO
CREATE TABLE [dbo].[tblCMMIndex] (
[fldCMMPartID] [int] IDENTITY (1, 1) NOT NULL ,
[fldMainDescription] [varchar] (50) NULL ,
[fldSIPartNo] [varchar] (50) NULL ,
[fldBOMRevision] [varchar] (5) NULL ,
[fldBOMAttached] [bit] NOT NULL ,
[fldBOMDate] [datetime] NULL ,
[fldCMMID] [int] NULL ,
[sys_ts] [timestamp] NULL ,
[fldLink] [int] NULL ,
[fldNewBOMRevision] [varchar] (5) NULL ,
[fldNewBOMAttached] [bit] NOT NULL ,
[fldNewBOMDate] [datetime] NULL ,
[fldSiteID] [int] NULL
) ON [PRIMARY]
GO
SET QUOTED_IDENTIFIER OFF
GO
SET ANSI_NULLS ON
GO
setuser N'siipl'
GO
CREATE VIEW siipl.DoesNotWork
AS
SELECT dbo.tblBOMEntries.*,
dbo.tblCMMIndex.fldCMMPartID AS Expr1
FROM dbo.tblCMMIndex INNER JOIN
dbo.tblBOMEntries ON
dbo.tblCMMIndex.fldCMMPartID = dbo.tblBOMEntries.fldCMMPartID
================================
However, if I create a new view based on exactly the same SQL as DoesNotWork I don't get the same error message:
CREATE VIEW dbo.DoesWork
AS
SELECT dbo.tblBOMEntries.*, dbo.tblCMMIndex.fldCMMPartID AS Expr1
FROM dbo.tblCMMIndex INNER JOIN
dbo.tblBOMEntries ON
dbo.tblCMMIndex.fldCMMPartID = dbo.tblBOMEntries.fldCMMPartID
The only difference that I can deduce between siipl.DoesNotWork and dbo.DoesWork is the ownership. Can that be the problem? If so, why?
TIA
Edward
Feb 7, 2008
How would I hide the sa account to be accessible under Logins for a restricted User in sql server 2005 and also other folders like Replication, Management, etc need to be hidden too.
any idea,
thanks
Jun 19, 2008
I restored a sql server database today. There is a problem though. In SQL server, right next to the name of the database are the words "Restricted User". There seem to be some limitations on my access to this database now as I am not able to run some of my C# code against the database. How can I fix this in SQL server so that I am not a Restricted user.
Example of what I am talking about. In SQL server my database is named Gorlaz. Just to the left of this is a yellow Icon that represents the database "Gorlaz". For illustration purposes I will use the character "$" to substitute for the yellow database icon. So this is how it reads in SQL server management studio.
$Gorlaz(Restricted User)
Jun 27, 2015
Secondary replica database(setup in async mode) of AlwaysON went in "restricted mode" during weekly reindex operation.
So I have tried below steps
1) Executed following statement on the same secondary replica database where the issue exists
alter database <DBNAME> set multi_user with rollback immediate
but it failed with the error saying "The operation cannot be performed on database "dbname" because it is involved in a database mirroring session or an availability group. Some operations are not allowed on a database that is participating in a database mirroring session or in an availability group. ALTER DATABASE statement failed."
2) Primary database is multi_user but still tried following command on primary replica database (thinking it will replicate)
alter database <DBNAME> set multi_user
but no luck. The secondary alwaysON database shows (synchronizing) as the alwaysON is set in async mode but the command doesn't replicate across secondary
so we are left with the only option to re-setup alwaysON but I want to avoid it as database size is huge..
any other options or am I missing anything?
MCP,MCDBA(SQL 2000),MCTS(SQL 2005),MCITP(SQL 2005)
Jan 4, 2007
Hello--
We're running into an issue where analysts are having problems obtaining lift charts (via the Mining Accuracy Chart UI available in the Visual Studio Analysis Services project) and performing prediction (via the Mining Model Prediction UI).
The issue seems to be related to the underlying analyst security model. Note that this post is related to:
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=924641&SiteID=1
Analysts that work on the same problem will only have access to:
- A sandbox relational database (which contains views into the same source database). The analyst is db_owner of the sandbox database, so she/he can create data transformations required, etc. The sandbox database contains views to the source database, but the analyst only has read-access to the specific data elements needed from the source DB. So, they are very restricted w.r.t. the source database, but are db_owners of their sandbox relational databases. Note that the analyst will connect to the database via Windows Authentication.
- An Analysis Services sandbox database to use for their modeling, etc. In this AS sandbox db, we've created a role called "Administrator" and checked the permissions: Full control (Administrator), Process database, and Read definition. The analyst's windows account is the "user" associated with this role.
Also, in this situation, the SQL Server 2005 Relational Engine and Analysis Services are running on a single machine. The goal of this security model is to provide analysts with the ability to work in their "workspaces" (both SQL and AS), but not to see other analysts work, etc.
Under this model, Analysts are able to deploy mining models when the Data Source object that points to their relational "sandbox" DB is set-up with "Impersonation Information" = "Use a specific user name and password", where the Analyst provides their domain account information.
But, when trying to build a lift chart using the same data source view objects that were used to successfully train the model, the following error is occurring consistently:
Window Title: "Loading Mining Accuracy Chart"
Window Text: "Failed to execute the query due to the following error: Execution of the managed stored rocedure GenerateLiftTableUsingDatasource failed with the following error: Exception has been thrown by the target of invocation. Either '<domain><login>' user does not have permission to access the '' object, or the object does not exist. Errors in the high-level relational engine. A connection could not be made to the data source specified in the query. Errors in the high-level relational engine. A connection could not be made to the data source specified in the query.."
Since the Analyst was able to build the model with her/his given '<domain><login>' credentials, it is puzzling why the lift chart is failing.
Thanks in advance for your help,
- Paul
Sep 22, 2007
Hello again,
and thanx again -
I now found something unexpected - that hopefully is the cause of my problem? :
In Man. studio security anmeldungen (engl. login names or users or accounts or so?) right clicking on any user and properties, status
Jul 28, 2015
We have an existing SSRS server, and have just created a new child domain. We'll be migrating users from the parent to the child, and want to add the users of that new domain with access to SSRS. In the parent domain they are able to access, but after migration with the child domain account, they cannot.
I have added the group CHILDDomain Users with a system user role on SSRS, and PARENTDomain Users was already there.
Is there any additional step I should/could take to get this active?
Mar 6, 2008
I have had this issue just pop up. I have local users who can connect fine, but my users that require connection by VPN cannot connect. I get the server not available or access denied error. I did confirm that the VPN'ers are connected to the network correctly and can see that their shares and mappings are correct. Any ideas? Thanking you all in advance!!
Sep 28, 2015
I am trying to revert back to Windows 7 after upgrading to Windows 10, however it will not let me and the following message occurs: "Remove new accounts. Before you can go back to a previous version of Windows, you'll need to remove any user accounts you added after the most recent upgrade. The accounts need to be completely removed, including their profiles. You created one account (NT SERVICEMSSQLSERVER) Go to Settings> Accounts> Other users to remove these accounts and then try again". However I did not create any new users and there are no other users listed in the Accounts section.
Apr 30, 2008
hi all
i've got two tables called "webusers" (id, name, fk_country) and "countries" (id, name)
at the meantime, i've a search-page where i can fill a form to search users. in the dropdown to select the country i included an option which is called "all countries".
now the problem is: how can i make a stored procedure that makes a restriction to the fk_country depending on the submitted fk_country parameter?
it should be something like
SELECT * FROM webusers
(if @fk_country > 0, which is the value for "all countries")
{ WHERE fk_country = @fk_country }
who has an idea how to solve this problem?
Nov 28, 2006
Hi Team,
In SQL Enterprise Manager, when we expand "Database -->Users", we see the
users there. When we expand "Security --> logins" we see the same users there.
Can you differentiate these two.
Thanks
Santhosh
May 22, 2015
I have two xml source and i need only left restricted data.
how can i perform left restricted join?
Nov 19, 2005
Greetings,
VWD EE and other Tools do not have problems working O.K. on my machine, when I am logged-on as restricted (limited) user, both environment and local web server are functioning, and it was MS effort to do it right.
BUT the Problem is, when I try to connect to database->new DB connection (either through vwd or management studio etc). I get an Error - which should be written to event log (according to msg) but it isn't - that I can't connect. I am sure that it is because NO SQL SERVER2005EXPRESS instance is running, which I think is the only prerequisite to have it work (I do not need sqlbrowser service I am doing local development).
SQL2005express service is configured on MANUAL start. I can start it as administrator through SQL config manager, but it is not convenient and what I want. I need to start it ONLY as a developer user, I do not want it to be running all-the-time for every user using computer. It was configured as Network Service logon, I tried Local Service logon, and I even tried configuring it to logon as -my developer user- account, e.g. with limited user name and his password.
In every case I can't start the service as member of users group and this developer. Then I added limited user to SQL2005EXPRESS group. Still NO help, won't start either.
My question is, If I want to start developing ADO2.NET application and I need to have running SQL2005Express instance as a developer, how can I start it? I think I do not have some rights to masterDB or something. Do it always need to be running when computer starts? Isn't there any other way, to start it JUST when I think I start developing?
I know of user-mode of accessing SQL2005express DBs, but it also assumes that SQL2005Express service is already running, what I am trying to prevent. I do not want to have it running for everyone who uses computer, just for someone who needs it.
Any help explaining me the right way HOW TO SETUP WORKING ENVIRONMENT when developing as limited user welcome, I read the documentations and haven't found the answers.
THANK YOU !
Jun 4, 2008
I want to be able to list all users connected/logged in a specific database and disconnect them all or a certain user.
can this be done in SQL and if so how?
Sep 26, 2007
We are using Navision with SQL server 2003.
What kind of methods are there out there to reduce how often this happens?
May 15, 2001
Hello,
I am trying to create a directory containing the date and then copy all the files in the current directory to it.
If I run the T-SQL script found below within Query Analyser it works fine (directory is created and files are copied in to it).
But if I run it as SQL task within DTS, only the directory is created. The files are not copied in to it!?!
I thought it maybe a permissions problem, but the SQL Server/Agent account is a local administrator and has sysadmin role with SQL Server.
I would be grateful of any assistance in this problem.
Thanks in advance,
Chris.
SQL:
declare @directoryname varchar(200)
declare @doscmd varchar(255)
select @directoryname = 'e:Audit_table_archive' + rtrim(cast(day(getdate())as char)) + rtrim(cast(month(getdate())as char)) + rtrim(cast(year(getdate())as char))
select @doscmd = 'mkdir ' + @directoryname
exec master..xp_cmdshell @doscmd
select @doscmd = 'copy e:Audit_table_archive*.* e:Audit_table_archive' + rtrim(cast(day(getdate())as char)) + rtrim(cast(month(getdate())as char)) + rtrim(cast(year(getdate())as char)) + '*.*'
exec master..xp_cmdshell @doscmd
Jul 9, 2001
does anyone know how to execute a FTP command through sql server 7? I am creating a table and need to ftp the result set. I have it currently creating the table, turning it into a CSV txt file and placing it in a directory. I have to then manually ftp the txt file. I want to automate this process but I can't get the FTP command to execute through the xp_cmdshell. It will work at the DOS prompt though so I know the syntax is correct. Any suggestions would be appreciated.
-Nathan
Aug 10, 2001
hi everybody
My requirement is, I have to transfer database backup files from one server to another server to take tape backup. Generally in my backup folder there will be 4 days' backups. I want to schedule a job so that after database backed up, today’s backup file only copied to the other server. I wrote following code, up to xp_cmdshell everything is working fine.
But xp_cmdshell statement is giving error. I have to use variable value with xp_cmdshell. Please give me the solution for this.
declare @year1 as varchar(4),@month1 as varchar(2),@day1 varchar(2),@filename varchar(40)
set @year1=ltrim(str(year(getdate())))
if month(getdate())<10
set @month1='0'+ltrim(str(month(getdate())))
else
set @month1=ltrim(str(month(getdate())))
if day(getdate())-1 <10
set @day1='0'+ltrim(str(day(getdate())-1))
else
set @day1=ltrim(str(day(getdate())-1))
set @filename='EMPTest_db_'+ @year1+@month1+@day1+'*.bak'
xp_cmdshell @a
thanks
Keerthi
Aug 17, 2001
I am trying to run a Visual Basic Script using the xp_cmdshell stored procedure. When I try to run the file, the MS Script Debugger application is started.
I run the script like this: "xp_cmdshell 'D:ScriptFilesSpaceMail.vbs'"
I can run it from the DOS prompt successfully, but not from Query Analyzer. Does anyone have any suggestions on how to prevent the MS Script Debugger from running?
Chris
View Related
Sep 7, 2001
Hi,
I am trying to run bcp with xp_cmdshell inside a trigger. Whenever I update table the server is hanging. It creates the file in specified location but of ZERO size and I cannot delete it unless I stop SQL server service.
The same code runs from a stored procedure without any problem.
Can you pl tell me if there are any LIMITATIONS with xp_cmdshell and Trigger.
Thanks
sekhar
Apr 14, 2000
Hi!!!
Can someone help me?
How can I get the result of following execution in some stored procedure, and work with it:
exec xp_cmdshell 'dir c:'
Thanx in advance
Laert
Nov 1, 2000
Hi,
while using XP_cmdshell for renaming a file , can I concatenate the current date to the file?
Ramam
Nov 28, 2000
Hi,
What is best way to compare two files and get the most recent one using xp_cmdshell?
Thanks
TT
Nov 28, 2000
Hi,
I am trying to execute this command.
use master
exec xp_cmdshell..'dir estserverest_dataInventory_Files*.txt /b'
I am getting the following error..
output
------------------------------------------------------------------------------
Logon failure: unknown user name or bad password.
I am logged on as 'sa' for that server.
Any suggestion on how to resolve this?
Thanks in advance.
Mar 8, 2000
Hai ,
I believe this is simple question but I have problem using this command
I was trying to delete contents of a temp folder thru TSQL.
Correct me if wrong
For example
xp_cmdshell " del c:emp*.*"
This is leading me to prompt 'Are you sure to delete Y/N'.
How do I write a command to say Y.
I want to schedule this every week. Is there any other way to do this task
like using AT command ,etc.
Thank you in advance
Surya