September 2, 2003 at 2:00 am
Hi!
To allow ordinary users to run xp_cmdshell, I set up a proxy account on my servers.
I used a domain account that the sqlserver service uses to log on. This account is in the local administrators group. On one of the servers everything works fine. On the other it does not...
SETUSER 'Smith'
go
exec master..xp_cmdshell 'set a=1'
go
SETUSER
=================================================
Msg 50001, Level 1, State 50001
xpsql.c: Error 997 from GetPassword on line 465
Is there a way to track the problem?
/* Both servers are MS SQL 2000 Ent sp3 on Win 2000 Adv Server sp4 */
September 2, 2003 at 7:20 pm
Hi there
What privs does the user account have that is executing the xp_cmdshell?
Are they sysadmin? And if so, does the account running the sqlserver service have appropriate NT privs?
Remember:
Users who are not members of the sysadmin fixed server role will always run their Windows NT commands in the context of the SQLAgentCmdExec user account.
To ensure the proxy account is configured properly, use Enterprise
Manager to navigate to Management --> SQL Server Agent --> Job System
and ensure 'only allow users with Sysadmin privileges ...' is unchecked
and click the Reset Proxy Account button.
Btw, can you reconfirm that the cmdshell is the issue and not setuser (you never know!).
Cheers
Ck
Chris Kempster
www.chriskempster.com
Author of "SQL Server Backup, Recovery & Troubleshooting"
Author of "SQL Server 2k for the Oracle DBA"
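
A read-only diagnostic pass covering the questions raised in this thread, as an added example that is not part of either post. It reuses the user name 'Smith' from the original post and assumes it is run in master by a sysadmin login on SQL Server 2000.

```sql
-- Added example: run as a sysadmin login. Every statement only reads state.
USE master
GO

-- 1. Which Windows account is stored as the SQL Server Agent proxy account?
--    Returns the domain and user name only, never the password.
EXEC master.dbo.xp_sqlagent_proxy_account N'GET'
GO

-- 2. Who has been granted EXECUTE on xp_cmdshell?
--    If no permissions have been granted, sp_helprotect raises error 15330
--    ("no matching rows on which to report") instead of an empty result.
EXEC sp_helprotect @name = 'xp_cmdshell'
GO

-- 3. Is SETUSER itself working? Impersonate the user from the post
--    without calling xp_cmdshell, to separate the two possible causes.
SETUSER 'Smith'
GO
SELECT USER_NAME()                  AS current_db_user,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin  -- 0: xp_cmdshell goes through the proxy account
GO
SETUSER
GO
```

Running the same batch on both servers and comparing the output shows whether the difference lies in the stored proxy account, the xp_cmdshell grants, or the impersonation step.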