July 12, 2005 at 8:27 pm
I am trying to configure SQL so that a user without admin privileges can execute xp_cmdshell.
I understand I needed to do the following:
---------------
use master
EXEC msdb..sp_set_sqlagent_properties @sysadmin_only = 0
EXEC master..xp_sqlagent_proxy_account N'SET'
, N'domain'
, N'proxyuser'
, N'password'
exec sp_grantdbaccess 'domain\testUSR', 'testUSR'
grant exec on xp_cmdshell to testUSR
---------------
but EXEC master..xp_sqlagent_proxy_account
gives me the following error:
"Error executing extended stored procedure: Specified user can not login"
- The SQL Server Agent Service Startup account is domain\Administrator
- I've tried configuring a proxyuser with admin privileges as well as one without admin privileges and I get the same result.
- I unselected the checkbox 'Only users with sysadmin privileges' under SQL Enterprise Manager - SQL Server Agent - Properties - Job System
- I am running SQL SP3a
- @@VERSION is
Microsoft SQL Server 2000 - 8.00.760 (Intel X86)
Dec 17 2002 14:22:05
Copyright (c) 1988-2003 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
Any ideas would be appreciated
July 25, 2005 at 5:35 pm
Does your domain testUser have a local account in the SQL server instance?
I am trying to do something similar. I have gotten what you are describing to work; however, I want to grant execute access to xp_cmdshell to a local SQL login which has no other presence on the domain. Any ideas would be appreciated.
July 26, 2005 at 6:55 am
This xp is ONLY executable by:
1. A user/group (domain or SQL) that is a member of the sysadmin group
2. Service Startup Account for SQL Server Agent on the Server. In the server's management folder in Enterprise Manager, right click on SQL Server Agent and select properties. On the General tab in the Service Startup Account section, whatever account is configured here will run the xps when the user/group is NOT a member of the sysadmin group (provided also that this group is granted EXEC rights to the particular xp to be executed).
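Added example, not part of any post in this thread: a read-only T-SQL audit for SQL Server 2000 that shows which of the conditions described in the reply above hold on an instance (who holds EXEC on xp_cmdshell, who is in sysadmin, and which Windows account non-sysadmin calls would run as). It assumes the SQL Server 2000 system tables sysprotects, sysusers and syslogins in master, and it calls the undocumented msdb..sp_get_sqlagent_properties, whose sysadmin_only output column is assumed to mirror the @sysadmin_only setting used earlier in the thread.

```sql
USE master
GO

-- 1. Principals with an explicit permission on xp_cmdshell.
--    sysprotects.action 224 = EXECUTE; protecttype 204/205 = grant, 206 = deny.
SELECT u.name AS principal,
       CASE p.protecttype
            WHEN 204 THEN 'GRANT WITH GRANT OPTION'
            WHEN 205 THEN 'GRANT'
            WHEN 206 THEN 'DENY'
       END AS permission_state,
       CASE
            WHEN l.sid IS NULL  THEN 'n/a (role, group or no matching login)'
            WHEN l.sysadmin = 1 THEN 'yes'
            ELSE 'no, runs as the proxy / Agent account'
       END AS is_sysadmin_login
FROM   sysprotects p
JOIN   sysobjects  o ON o.id  = p.id
JOIN   sysusers    u ON u.uid = p.uid
LEFT JOIN syslogins l ON l.sid = u.sid
WHERE  o.name   = 'xp_cmdshell'
  AND  p.action = 224
ORDER BY u.name
GO

-- 2. Logins that can already run xp_cmdshell because they are sysadmin.
EXEC sp_helpsrvrolemember 'sysadmin'
GO

-- 3. Proxy account currently stored for non-sysadmin callers
--    (the same extended procedure the thread calls with N'SET').
EXEC master..xp_sqlagent_proxy_account N'GET'
GO

-- 4. SQL Server Agent settings. Assumption: the result set has a
--    sysadmin_only column; 0 means non-sysadmin callers are allowed.
EXEC msdb..sp_get_sqlagent_properties
GO
```

Any row in the first result set marked as a non-sysadmin login is a caller whose commands execute with the Windows rights of the proxy or SQL Server Agent account, so that account's privileges are what the audit should be weighed against.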
June 19, 2006 at 9:54 am
I've been getting the same mistake while trying to configure the SQL Agent proxy account to enable non-sysadmin users to execute xp_cmdshell.
Here's my scenario: I've configured SQL Server 2000 in a Windows 2003 cluster environment. Since we don't have an Active Directory Domain, I was forced to configure both cluster nodes as Domain Controllers. MSSQLServer service is configured to run under a domain account that has administrative privileges in the domain (which makes it sysadmin), as well as SQL Server Agent (same account for both).
I've checked numerous posts in this and other forums dealing with this problem, and I've tried everything that was suggested. I even found a closed thread stating that the problem was solved by changing the MSSQLServer service account through Enterprise Manager to another account and then getting back to the original account, but unluckily it didn't work for me ...
...
I would really appreciate your help on this since the xp_cmdshell procedure is invoked by a trigger that deals with an external interface that is accessed by ALL the applications in our infrastructure and I obviously CAN NOT assign sysadmin privileges to all application logins.
Thanks in advance,
Raúl Peña.