XP_CMDSHELL access denied when accessing shared location

  • Ranga_CDS

    Old Hand

    Points: 391

    Hi ,

    When try to access or create a file in shared UNC path with full rights, I m getting access denied message.

    I supposed to give a command in Query analyser like

    EXEC

    xp_cmdshell '@ECHO hi! > \\myservername\sharedlocation\hi.txt'

    But I m getting the access denied message. I have enabled Xp_Cmdshell in server area configuration too.

    Kindly guide me how to proceed.

    Thanks

    Ranga

  • Silverfox

    SSC-Insane

    Points: 23150

    Ranga_CDS (10/26/2009)


    Hi ,

    When try to access or create a file in shared UNC path with full rights, I m getting access denied message.

    I supposed to give a command in Query analyser like

    EXEC

    xp_cmdshell '@ECHO hi! > \\myservername\sharedlocation\hi.txt'

    But I m getting the access denied message. I have enabled Xp_Cmdshell in server area configuration too.

    Kindly guide me how to proceed.

    Thanks

    Ranga

    What account are you using when running xp_cmdshell and does that account have full rights to that share/unc path.

    --------------------------------------------------------------------------------------
    [highlight]Recommended Articles on How to help us help you and[/highlight]
    [highlight]solve commonly asked questions[/highlight]

    Forum Etiquette: How to post data/code on a forum to get the best help by Jeff Moden[/url]
    Managing Transaction Logs by Gail Shaw[/url]
    How to post Performance problems by Gail Shaw[/url]
    Help, my database is corrupt. Now what? by Gail Shaw[/url]

  • Ranga_CDS

    Old Hand

    Points: 391

    Hi

    I have tried logging in using Windows authentication , as well as , sa login. Both gave the same Access denied message.

    Also I have provided full rights.

  • Lowell

    SSC Guru

    Points: 323398

    Ranga it doesn't matter which account YOU logged in with.

    when SQL server tries to access anything outside of the SQL instance(xp_cmdshell, files/folders/, network shares, anything outside of it's own databases)

    it uses it's own startup account to do it. it's THAT account that has to have permissions to browse to network services...most likely, right now it does not.

    Go to Control Panel/Administrative Tools>>Services>> find the instance of SQL server you are referencing:

    the account shown here most likely needs to be changes from local account to an admin account that would have permissions to login to your domain, and browse to shares.

    if you change that to yourt own domain login and password, for example, you'd see it starts working the way you expect. I've always created a new network administrator called "SQLAdmin", with a known password, and used THAT account to run all the SQL services. Others may have better suggestions than mine, but that's what you need to change.

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

  • Ranga_CDS

    Old Hand

    Points: 391

    Hi

    Thanks for the reply.

    I got the issue fixed by the same way you have proposed. Thanks a lot for the valuable suggestion. Meanwhile I would like the add a point, I tried the same suggestion given by you but still I got the same issue after that I synced the user name ie Server A have a user name SQLADMIN and also Server B must have the same user name SQLADMIN. This way I have fixed the issue.

    Correct me if I have gone some thing wrong. Thanks in advance.

    Ranga

  • nick.mcdermaid

    Hall of Fame

    Points: 3779

    That would indicate that the server A and B are not on the same domain.

  • Ranga_CDS

    Old Hand

    Points: 391

    Yes, you are right my servers are not in domain. They are under same workgroup.

  • Michael_O

    Ten Centuries

    Points: 1244

    Lowell - Monday, October 26, 2009 6:51 AM

    Ranga it doesn't matter which account YOU logged in with.when SQL server tries to access anything outside of the SQL instance(xp_cmdshell, files/folders/, network shares, anything outside of it's own databases)it uses it's own startup account to do it. it's THAT account that has to have permissions to browse to network services...most likely, right now it does not. Go to Control Panel/Administrative Tools>>Services>> find the instance of SQL server you are referencing:the account shown here most likely needs to be changes from local account to an admin account that would have permissions to login to your domain, and browse to shares.if you change that to yourt own domain login and password, for example, you'd see it starts working the way you expect. I've always created a new network administrator called "SQLAdmin", with a known password, and used THAT account to run all the SQL services. Others may have better suggestions than mine, but that's what you need to change.

    So I've been screaming on top of my voice for a week saying " i have SA in SQL Server and i also have full control rights on the fileshare!! why in heavens name will this not work!!!". Other stuff i found online did not help and i even made sad faces lol then your post from 8 years ago came along and rescued me. It was even trickier in my case cos i had thought the agent service account was what needed full priv on the fileshare but that did not also work until i have just added SQL Server startup account and my file copied over like magic. Thank you Lowell!

Viewing 8 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic. Login to reply