| Author |
xp_cmdshell and system account
|
|
| Thanks 2005-08-30, 3:23 am |
| USE master
EXEC xp_cmdshell 'copy c:\sqldumps\pubs.dmp \\server2\backups\sq
ldumps',
NO_OUTPUT
I run above SP but did not work ... I have the right to access server2 but
the server2 running my command use of system account that is virtual and i
cannot grant it right ... how can I specific the server running the command
use of my account or a valid account ...
Executed as user: server2\SYSTEM.
| |
| Dan Guzman 2005-08-30, 3:23 am |
| xp_cmdshell runs under the security context of the SQL Server service
account when executed by sysadmin role members. For non-sysadmin users,
xp_cmdshell runs as the SQL Agent proxy account. You can't invoke
xp_cmdshell with a account other than these.
--
Hope this helps.
Dan Guzman
SQL Server MVP
"Thanks" <Thanks@discussions.microsoft.com> wrote in message
news:3099E781-04D2-4BA3-82F4- 4FB51BDAF37E@microso
ft.com...
> USE master
> EXEC xp_cmdshell 'copy c:\sqldumps\pubs.dmp \\server2\backups\sq
ldumps',
> NO_OUTPUT
>
> I run above SP but did not work ... I have the right to access server2 but
> the server2 running my command use of system account that is virtual and i
> cannot grant it right ... how can I specific the server running the
> command
> use of my account or a valid account ...
>
> Executed as user: server2\SYSTEM.
>
>
| |
| John Bell 2005-08-30, 3:23 am |
| Hi
As well as Dan's comments check that the files are not currently opened by
something else.
John
"Thanks" wrote:
> USE master
> EXEC xp_cmdshell 'copy c:\sqldumps\pubs.dmp \\server2\backups\sq
ldumps',
> NO_OUTPUT
>
> I run above SP but did not work ... I have the right to access server2 but
> the server2 running my command use of system account that is virtual and i
> cannot grant it right ... how can I specific the server running the command
> use of my account or a valid account ...
>
> Executed as user: server2\SYSTEM.
>
>
| |
| Thanks 2005-08-30, 7:23 am |
| Thanks for your answer. Actually, I am using administrator to run the
xp_cmdshell and the same situation occur. The xp_cmdshell runs as the sql
agent proxy account but not my adminstrator account. Can I specific the sql
server running the task with my administrator account? (NT2003 server, sql2K)
"Dan Guzman" wrote:
> xp_cmdshell runs under the security context of the SQL Server service
> account when executed by sysadmin role members. For non-sysadmin users,
> xp_cmdshell runs as the SQL Agent proxy account. You can't invoke
> xp_cmdshell with a account other than these.
>
> --
> Hope this helps.
>
> Dan Guzman
> SQL Server MVP
>
> "Thanks" <Thanks@discussions.microsoft.com> wrote in message
> news:3099E781-04D2-4BA3-82F4- 4FB51BDAF37E@microso
ft.com...
>
>
>
| |
| Dan Guzman 2005-08-30, 9:23 am |
| > Executed as user: server2\SYSTEM.
It looks like your SQL Server service is running under the local system
account, which does not have access to network resources. In order for a
sysadmin role member to execute an xp_cmdshell command that uses network
resources, you'll need to run the SQL Server service under a domain account.
--
Hope this helps.
Dan Guzman
SQL Server MVP
"Thanks" <Thanks@discussions.microsoft.com> wrote in message
news:0EBCB462-22DE-4F88-AA33- E693B432C10F@microso
ft.com...[color=darkred]
> Thanks for your answer. Actually, I am using administrator to run the
> xp_cmdshell and the same situation occur. The xp_cmdshell runs as the sql
> agent proxy account but not my adminstrator account. Can I specific the
> sql
> server running the task with my administrator account? (NT2003 server,
> sql2K)
>
> "Dan Guzman" wrote:
>
| |
| Thanks 2005-08-31, 3:23 am |
| Note that our SQL server is automatically started when the Win 2003 server
is started, i.e. with the user localhost\SYSTEM. We thought about setting up
a dedicated user ID to start SQL server but we are really reluctant to do
that due to a number of reasons. What else could we do?
Much appreciate if you or anyone could shed some lights.
"Dan Guzman" wrote:
>
> It looks like your SQL Server service is running under the local system
> account, which does not have access to network resources. In order for a
> sysadmin role member to execute an xp_cmdshell command that uses network
> resources, you'll need to run the SQL Server service under a domain account.
>
> --
> Hope this helps.
>
> Dan Guzman
> SQL Server MVP
>
> "Thanks" <Thanks@discussions.microsoft.com> wrote in message
> news:0EBCB462-22DE-4F88-AA33- E693B432C10F@microso
ft.com...
>
>
>
| |
| John Bell 2005-08-31, 3:23 am |
| Hi
Check out
http://msdn.microsoft.com/library/d...erview_6k1f.asp for the rights needed by these accounts.
What are your reasons not to use one?
John
"Thanks" wrote:
[color=darkred]
> Note that our SQL server is automatically started when the Win 2003 server
> is started, i.e. with the user localhost\SYSTEM. We thought about setting up
> a dedicated user ID to start SQL server but we are really reluctant to do
> that due to a number of reasons. What else could we do?
>
> Much appreciate if you or anyone could shed some lights.
>
> "Dan Guzman" wrote:
>
| |
| doller 2005-08-31, 7:23 am |
| Hi,
U need to have logon services rights on the server ur sql is running.
Or u should have administrative writes.
hope this helps u.
from
killer
| |
| Dan Guzman 2005-08-31, 9:23 am |
| You can create a domain account for your SQL Server service with the minimal
permissions needed in order to improve security. In addition to the rights
described in the link John posted, you'll need to grant the account the
needed permissions to the share.
--
Hope this helps.
Dan Guzman
SQL Server MVP
"Thanks" <Thanks@discussions.microsoft.com> wrote in message
news:E9620924-185F-4BD1-A6EF- 039F176F0E5E@microso
ft.com...[color=darkred]
> Note that our SQL server is automatically started when the Win 2003 server
> is started, i.e. with the user localhost\SYSTEM. We thought about setting
> up
> a dedicated user ID to start SQL server but we are really reluctant to do
> that due to a number of reasons. What else could we do?
>
> Much appreciate if you or anyone could shed some lights.
>
> "Dan Guzman" wrote:
>
|
|
|
|