Post reply

SQL Proxy Account Prob

  • August 3, 2004 at 10:49 am

    #85141

    Hi,

    Users can not currently run xp_cmdshell. I have set up a windows domain proxy account within SQL and ensured the check box to allow non sysadmin users to exec xp_cmdshell is not checked. The proxy account has been given permission to exec xp_cmdshell within the master db, but my users still an error stating a permissions problem with xp_cmdshell.

    Does anyone have any ideas?

    Thanks alot

    Neil,

  • August 4, 2004 at 8:15 am

    #517643

    first off, try running:

    exec xp_sqlagent_proxy_account 'GET'

    just to make sure that the Proxy Account is set up correctly.

    also, how is the user running xp_cmdshell? through Query Analyzer? how are they authenticating (SQL, Trusted)? If trusted, do you only have one Domain and do the users log into it directly?

    Corie Curcillo
    MCT, MCDBA, MCSD

  • August 4, 2004 at 8:27 am

    #517648

    You must grant explicit execute for that user:

    GRANT EXECUTE on xp_cmdshell TO <your user/group>

  • August 4, 2004 at 8:47 am

    #517656

    Cheers, I've granted exec permissions to xp_cmdshell to all applicable users as well as the proxy account. Which has worked.

    Thanks alot.

    I have a question though, if a user have been given direct permission to execute xp_cmdshell and that user is not a member of sysadmin, does that users account still have to execute xp_cmdshell via the proxy account?

     

  • August 4, 2004 at 9:30 am

    #517670

    Basically, there are 3 things here:

    1. Allow users who are not sysadmin to execute (SQLServer Agent/Job System/ Only users with SysAdmin privileges ... UNCHECKED);

    2. Have a proxy account with all the rights rquired by the DOS command you are going to execute (for example, if you want to run a bcp to output data the proxy account must have the rights to write in the specific folder where the output will be created); of course, the proxy account must be a login with all the SQL Server rights required by what the xp_cmdshell command is supposed to acces.

    3. Grant explicit EXECUTE permissions to all users and groups that will be allowed to execute xp_cmdshel. In this way, when they will exceute the ext. sp they will run in the the security context of the proxy account.

     

    Hope it helps.

  • August 4, 2004 at 9:41 am

    #517673

    Yep, that clears it all up.

    Thanks alot for your help.

Viewing 6 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply