Re: Calling External Progs

From: Mary Bray (reply_at_tonewsgroup.com.NOSPAMPLEASE)
Date: 01/22/04 

Date: Thu, 22 Jan 2004 18:08:15 +1100

I guess you are using xp_cmdshell. This snippet from Books On Line might
help:
When you grant execute permissions to users, the users can execute any
operating-system command at the Microsoft Windows NT® command shell that the
account running Microsoft SQL ServerT has the needed privileges to execute.

By default, only members of the sysadmin fixed server role can execute this
extended stored procedure. You may, however, grant other users permission to
execute this stored procedure.

When xp_cmdshell is invoked by a user who is a member of the sysadmin fixed
server role, xp_cmdshell will be executed under the security context in
which the SQL Server service is running. When the user is not a member of
the sysadmin group, xp_cmdshell will impersonate the SQL Server Agent proxy
account, which is specified using xp_sqlagent_proxy_account. If the proxy
account is not available, xp_cmdshell will fail. This is true only for
Microsoft® Windows NT® 4.0 and Windows 2000. On Windows 9.x, there is no
impersonation and xp_cmdshell is always executed under the security context
of the Windows 9.x user who started SQL Server.

In other words - if the user executing the query is a member of the
sysadmins role (eg: sa and administrators) the command will run in the
context of the account used to start the sql server service. This must be a
domain account with the necessary permissions rather than the local system
account. you can tell from the "Services" utility which account is in use.

"NickV" <anonymous@discussions.microsoft.com> wrote in message
news:5B9328DD-22AD-4583-B3F0-EB071E34B3ED@microsoft.com...
> I have a stored procedure that calls a batch file. This bacth file MAPS a
netowrk drive using NET USE and then calls another application to update
some data in a legacy system.
>
> My problem is that this batch file seems to fail whenever the stored
procedure is called from a PC on the network, I beleive the MAPPING is
failing but not sure where to start. I beleive it may be a security issue
possibly something to do with not actually knowing which user runinng the
Batch file, as this is called from anouther netowrk machine and the SQL
Server machine is not logged on.
>
> Thanks in advance.
>
> Nick

Relevant Pages

  • Re: Execute Persmission denied on object sp_OACreate
    ... > I logged in as that user, tried to execute the DTS ... which then launches the DTS package using the sp_OA* procs? ... account is used during proc execution. ... > proxy account to use in the Job Systems tab of SQL Server Agent ...
    (microsoft.public.sqlserver.security)
  • Execute Process Task not failing, but not executing the batch comm
    ... I can execute the following command from the windows "Run" prompt and it ... Might I have something set weird in SQL Server? ... server being by default configured to run as localsystem account, ...
    (microsoft.public.sqlserver.dts)
  • Re: xp_cmdshell issue, local system
    ... please make sure the service account SQL Server running under has ... this error may be because the SQL Server service ... account doesn't have the rights necessary to change security context to the ... >I want to give access to a regular user to execute xp_cmdshell. ...
    (microsoft.public.sqlserver.security)
  • Re: dts or xp_cmdshell permissions
    ... You could have the users execute the package ... Change the SQL Server or SQL Server Agent Service ... >> Account Without Using SQL Enterprise Manager in SQL Server ...
    (microsoft.public.sqlserver.tools)
  • Re: bcp data export from SQL Server to file
    ... the OS security context will be the SQL Server ... service account when executed by a sysadmin server role member. ... But when I execute it threw the application - nothing ...
    (microsoft.public.sqlserver.programming)