RE: xp_cmdshell, Access Denied, Further Investigation Reveals

From: Peter Yang [MSFT] (petery_at_online.microsoft.com)
Date: 10/14/05

    Date: Fri, 14 Oct 2005 03:25:00 GMT
    
    

    Hello,

    As you know, when xp_cmdshell is invoked by a user who is a member of the
    sysadmin fixed server role, xp_cmdshell will be executed under the security
    context in which the SQL Server service is running. When the user is not a
    member of the sysadmin group, xp_cmdshell will impersonate the SQL Server
    Agent proxy account, which is specified using xp_sqlagent_proxy_account.

    Please make sure the domain user of SQL Server Agent proxy account has both
    NTFS and shared permissions on the folder \\othercomputer\cshare. You could
    right click the folder->Properties, and check this on both the Shared and
    Security tabs.

    If the issue persists, please temporarily add this domain user to local
    admin of the othercomputer to test the situation.

    Thanks & Regards,

    Peter Yang
    MCSE2000/2003, MCSA, MCDBA
    Microsoft Online Partner Support

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.


    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
    | Thread-Topic: xp_cmdshell, Access Denied, Further Investigation Reveals
    | From: "TdarTdar" <Tdar@noemail.nospam>
    | Subject: xp_cmdshell, Access Denied, Further Investigation Reveals
    | Date: Thu, 13 Oct 2005 10:00:11 -0700
    | Message-ID: <C9ABAD68-E537-46BD-BE4B-196CFB9A277F@microsoft.com>
    | Newsgroups: microsoft.public.sqlserver.security
    |
    | Hi,
    |
    | I am still having a problem with access is denied running a simple
    | exec xp_cmdshell 'dir \\othercomputer\cshare\'. I have set up my
    | SQL agent and proxy account to an account called SQIUSER and gave
    | that Admin Rights to the whole network, and added that user to the
    | ' \\othercomputer\cshare\'. However I am still getting access is denied.
    |
    | So, I logged into that SQIUSER account as a normal user from the SQL Server
    | system and browsed to the network path \\othercomputer\cshare\ and I got
    | its contents and can read/write to it.
    |
    | So I opened SQL QA and ran the command again and got 'Access is denied'.
    |
    | I decided to run ShareEnum from Sysinternals and that shows me as getting
    | access is denied on that \\othercomputer\cshare\ path.
    |
    | So what is wrong here? I can list, read and write \\othercomputer\cshare\ as
    | the logged-in user, but SQL QA and Sysinternals ShareEnum say I am not
    | allowed access to that drive.
    |
    | What am I missing here??
    |
    |
    |
    |
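
The reply above turns on which Windows account xp_cmdshell runs the command as. The following diagnostic is an added example, not part of either post: it shows which branch of that rule applies to the current login and which account the spawned command really uses. It assumes SQL Server 2000 syntax, that `whoami` is present on the server (built into Windows Server 2003, a Resource Kit tool on Windows 2000), and that the login is allowed to run `xp_sqlagent_proxy_account`.

```sql
-- Added diagnostic (not from the thread). Run it in the same Query Analyzer
-- session and under the same login that receives "Access is denied".
SET NOCOUNT ON

-- 1. Which branch of the rule applies to this login?
DECLARE @is_sysadmin int
SET @is_sysadmin = IS_SRVROLEMEMBER('sysadmin')

SELECT SUSER_SNAME() AS login_name,
       @is_sysadmin  AS is_sysadmin,
       CASE @is_sysadmin
            WHEN 1 THEN 'SQL Server service account'
            ELSE 'SQL Server Agent proxy account'
       END           AS expected_xp_cmdshell_context

-- 2. Proxy account currently configured; it is used only for callers
--    who are not sysadmin. (Assumption: this login may execute the call.)
EXEC master.dbo.xp_sqlagent_proxy_account N'GET'

-- 3. Windows account the spawned command actually runs as.
--    Assumption: whoami.exe is on the server's PATH.
CREATE TABLE #out (line nvarchar(255) NULL)
INSERT #out EXEC master.dbo.xp_cmdshell 'whoami'
SELECT line AS effective_windows_account FROM #out WHERE line IS NOT NULL

-- 4. Repeat the failing command from the thread in that same context.
TRUNCATE TABLE #out
INSERT #out EXEC master.dbo.xp_cmdshell 'dir \\othercomputer\cshare\'
SELECT line AS dir_output FROM #out WHERE line IS NOT NULL

DROP TABLE #out
```

The account reported in step 3 is the one whose share and NTFS permissions on \\othercomputer\cshare need checking; it can differ from the account used for the interactive logon test described in the original post.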

