August 3, 2005 at 1:00 am
I have a new Windows 2003 sp1 box running Sql Server 2000 SP4. I added a Sql Server Agent proxy account which is an NT Domain User. This user has been given NT permissions to execute a file in a particular directory (ie, D:\myFiles\File.exe).
When I log in w/ my standard sql user into sql server (qa) I keep getting an Access Denied error. If I upgrade the NT user to admin rights then I am able to execute the file. I do not want admin rights for the proxy account, I only want it to run THE particular file in my directory... any ideas????
btw, I set the account via the EM interface.
-- Francisco
August 4, 2005 at 8:53 am
Some things to remember when using the SQL Agent p(r)oxy account... 1) If the job owner is a SQL Sysadmin, all SQL and file access is done using the security context of the SQL Server service. 2) If the job owner is not a Sysadmin, all SQL access is done using the job owner context, but all file access is done using the proxy account context.
If you need to troubleshoot any file access done using the proxy account context, then it is best to log on using that account. If you can access the required files interactively, you should be able to access them in a batch job.
One gotcha we have found with W2003 and dynamic disks is you need the Bypass Traverse Checking right to access any data on the disks. This is not needed for basic disks, so if access to C:\ works but D:\ does not, check if D:\ has been defined as dynamic and make sure you get the BTC right.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara
August 4, 2005 at 10:31 am
I agree with the previous post. Make sure that your proxy account has the Bypass Traverse Checking right. Also, we have had to make sure that our proxy account had Change access to the TEMP directory that the SQL Server Service account had in its environment (i.e. C:\Documents and Settings\SQLServerAgent\Local Settings\Temp).
This had to be done if DTS jobs were created and executed by non-sysadmins, as the DTS jobs would frequently create temporary files during some of it operations, but would create the files under the SQL Server Agent accounts "TEMP" environment variable path.
Hope this helps ....
August 4, 2005 at 10:41 am
Good point about TEMP. We have created a TEMP directory away from the C: drive (Ours is P:\TEMP), and set the environment variables to use this for W2003, SQL Server service account, proxy account, job owner accounts, DBA accounts, etc. We have given the local USERS group rights to add, change, delete all files in P:\TEMP.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara
August 4, 2005 at 4:18 pm
I connected remotely to the server using Remote desktop and I noticed that the domain user cannot access the directory I need him to access. This seems to be a permissions problem all along.
I will forward this information to our sysadmin so he can adjust the rights.
Thanks,
-- Francisco
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply