October 13, 2005 at 6:17 pm
I created a new user, gave it access to 1 user db and Master, and granted it EXECUTE permissions on xp_CmdShell, but I get the following error...
Msg 50001, Level 1, State 50001
xpsql.cpp: Error 87 from GetProxyAccount on line 604
How do I allow this one privileged user to execute xp_CmdShell without granting it SA permissions?
And, yes, I understand the security risks...
Thank you...
--Jeff Moden
Change is inevitable... Change for the better is not.
October 13, 2005 at 6:37 pm
See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_xp_aa-sz_4jxo.asp
By default, only members of the sysadmin fixed server role can execute this extended stored procedure. You may, however, grant other users permission to execute this stored procedure.
When xp_cmdshell is invoked by a user who is a member of the sysadmin fixed server role, xp_cmdshell will be executed under the security context in which the SQL Server service is running. When the user is not a member of the sysadmin group, xp_cmdshell will impersonate the SQL Server Agent proxy account, which is specified using xp_sqlagent_proxy_account. If the proxy account is not available, xp_cmdshell will fail. This is true only for Microsoft® Windows NT® 4.0 and Windows 2000. On Windows 9.x, there is no impersonation and xp_cmdshell is always executed under the security context of the Windows 9.x user who started SQL Server.
SQL = Scarcely Qualifies as a Language
October 15, 2005 at 9:51 am
Thank you Carl... that's just what the Dr. ordered.
--Jeff Moden
Change is inevitable... Change for the better is not.
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply