Local System Account on a share on different machine

  • Hi all,

    I want to take my backups to a shared folder in a different location, but I could not.

    First I added my SQL Server machine's Local System account as COMP1$ to the sharing securities and also to the permissions, because on my SQL Server computer (COMP2) the SQL services start with this account.

    But while I am taking the backup, I get an ACCESS DENIED error.

    Second case: when I restart my SQL Server services on COMP2 with a domain account and give permissions to this domain account on the SHARED LOCATION (on COMP1), it succeeded.

    Where am I making an error?

    Is the syntax wrong when adding the COMP1 computer's Local System account as COMP1$?

    Now, adding COMP2's Local System account is preferred. What do I have to do?

    Waiting for your responses.

    Regards,

  • This is a common security issue.

    Because "Local System" never logs into a domain, it can never access a share. Logging into the domain is when permissions on shares get assigned to the login's token. Because of that, SQL Server can't get to the share.

    The problem is that when you access any resource OUTSIDE of SQL Server, like network shares, local hard drives, sp_OA type functions etc., it doesn't matter what YOUR credentials are, like Domain Admin, Local Admin etc., because SQL will not carry those credentials to the "outside of SQL" security context.

    SQL Server uses the account it starts with to try and access the resource:

    That account is often an account which has never logged into the domain, and was never assigned permissions to get to the local disk or network share.

    As a result, you usually need to create a domain account in Active Directory, specifically grant it share access if it doesn't inherit it from Domain\Users or Domain\AuthenticatedUsers and change the account SQL Server starts with to that account.

    Once that is done, and you stop and start the SQL service to make it use that account instead of old running values, your linked server/xp_cmdshell would work.

    You can prove this is the issue by simply putting in your credentials, with your domain account and password, and confirming the linked server works when SQL is run with your credentials, so you'd know you need a domain account to access the resource.

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!
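
The check the answer describes, as an added example that is not part of the original thread: list the Windows account each SQL Server service starts with, then attempt a copy-only backup to the share. `<share>` and `<database>` are placeholders, and the `identity_seen_by_share` column assumes Windows' documented behaviour for built-in service accounts.

```sql
-- Added example. <share> and <database> are placeholders; COMP1 is the file
-- server from the question. Needs VIEW SERVER STATE and backup rights.

-- 1. Which Windows account does each SQL Server service start with, and
--    which principal would a remote share see (assumption: Windows' documented
--    behaviour for built-in service accounts)?
DECLARE @host nvarchar(128) =
    CAST(SERVERPROPERTY('ComputerNamePhysicalNetBIOS') AS nvarchar(128));

SELECT s.servicename,
       s.service_account,
       CASE
           WHEN UPPER(s.service_account) LIKE N'NT AUTHORITY\LOCAL%SERVICE'
               THEN N'anonymous (no network credentials)'
           WHEN UPPER(s.service_account) IN (N'LOCALSYSTEM', N'NT AUTHORITY\SYSTEM')
             OR UPPER(s.service_account) LIKE N'NT AUTHORITY\NETWORK%SERVICE'
             OR UPPER(s.service_account) LIKE N'NT SERVICE\%'
               THEN N'computer account <domain>\' + @host + N'$'
           WHEN s.service_account LIKE N'.\%'
             OR UPPER(s.service_account) LIKE UPPER(@host) + N'\%'
               THEN N'local user (unknown to other machines)'
           ELSE s.service_account            -- domain account
       END AS identity_seen_by_share
FROM sys.dm_server_services AS s;

-- 2. Try a copy-only backup to the share. It runs as the service account
--    listed above, not as the login executing this batch.
DECLARE @db   sysname       = N'<database>',
        @file nvarchar(260) = N'\\COMP1\<share>\acl_test.bak';

BEGIN TRY
    BACKUP DATABASE @db TO DISK = @file WITH COPY_ONLY, INIT;
    PRINT N'Backup to ' + @file + N' succeeded.';
END TRY
BEGIN CATCH
    -- CATCH may surface only the final backup message; the operating
    -- system error (for example "Access is denied") is in the error log.
    SELECT ERROR_NUMBER()  AS error_number,
           ERROR_MESSAGE() AS error_message,
           (SELECT TOP (1) service_account
              FROM sys.dm_server_services
             WHERE servicename LIKE N'SQL Server (%') AS engine_service_account;
END CATCH;
```

The principal shown in `identity_seen_by_share` is the one to look for in both the share permissions and the NTFS permissions of the folder on COMP1.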
