Monday, February 20, 2012

Need help with xp_cmdshell and proxy account

I am tracking down a problem using xp_cmdshell on SQLServer 2000 (MSDE). The DB user is not a sysadmin, but does have exec rights for xp_cmdshell. I also have an agent proxy account (Win2K account) set which is a member of "Users" group. This scheme has been working fine until I made some changes recently. The changes I made are: Applied Win2K SP4, applied a host of hotfixes, and made several changes in user rights and other security-related settings.

I've been testing this from OSQL logged in as the same user that my application uses when it attaches to SQLServer. I get this error: "xpsql.cpp: Error 1385 from LogonUserW on line 488". Another issue which I think is related is that if I run xp_sqlagent_proxy_account to set the proxy account, I get this error: "Specified user can not login". Interestingly, if I make the proxy account a member of the Administrators group, then I can set the proxy account and I can execute xp_cmdshell.

Does anyone know what rights (Win2K rights) are required for SQLServer to run xp_cmdshell, and what rights are required for the proxy account? By rights I mean things like: Impersonate another user, logon as a batch job, logon locally, logon as a service, and so on. This almost certainly has something to do with rights, but I haven't been able to isolate it yet. Can anyone suggest anything else to try that might help identify the problem?

Thanks,
Craig

For anyone interested, I have found the answer. The proxy account must have the logon right "Log on as a batch job".

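One way to check for the right named in the answer above, without resorting to Administrators membership (an added example, not part of the original thread). Win32 error 1385 is ERROR_LOGON_TYPE_NOT_GRANTED, and "Log on as a batch job" appears as `SeBatchLogonRight` in a `secedit` user-rights export. The account name `sqlproxy` and the sample export are constructed for illustration.

```python
# Added example: audit "Log on as a batch job" from a secedit export.
# Export on the server with:  secedit /export /cfg rights.inf /areas USER_RIGHTS

# Constructed sample of an export (not taken from the original post).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeBatchLogonRight = *S-1-5-32-544
SeDenyBatchLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right_name: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs as *S-1-...; unresolved names appear without the star.
        members = {m.strip().lstrip("*").lower() for m in value.split(",") if m.strip()}
        rights[name.strip()] = members
    return rights

def batch_logon_status(inf_text, principals):
    """principals: the account plus every group SID/name it belongs to."""
    rights = parse_privilege_rights(inf_text)
    ids = {p.lstrip("*").lower() for p in principals}
    if ids & rights.get("SeDenyBatchLogonRight", set()):
        return "denied"    # an explicit deny overrides any grant
    if ids & rights.get("SeBatchLogonRight", set()):
        return "granted"
    return "missing"       # a batch-type logon would fail with error 1385

if __name__ == "__main__":
    # Hypothetical proxy account 'sqlproxy' that is only in Users (S-1-5-32-545).
    print(batch_logon_status(SAMPLE_INF, ["sqlproxy", "S-1-5-32-545"]))
    # The same account after being added to Administrators (S-1-5-32-544).
    print(batch_logon_status(SAMPLE_INF, ["sqlproxy", "S-1-5-32-545", "S-1-5-32-544"]))
```

Real exports are usually UTF-16, so decode the file accordingly before passing its text to `batch_logon_status`.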