Re: xp_cmdshell issue, local system

From: yodarules (yodarules_at_discussions.microsoft.com)
Date: 11/23/05


Date: Wed, 23 Nov 2005 10:47:04 -0800

Hey Dan,

Thanks for the reply. So initially I tried to change the login using EM,
but whenever I tried to do that it always hung and I had to EndTask EM, so
that's the reason why I changed the login using services screen. So what I
did now was stopped the agent service, then went and changed the startup
account to the localsystem for SQL Server and the same for agent which worked
surprisingly. Then I went and reverted back to my original login for sql
server which is .\sqluser (a local user in the administrators group) it
worked. Now when I go and try the same for the agent startup account it
errors out.

Error 15401 : Windows NT User or group '.\sqluser' not found. Check the name
again

Ok on this

Error 15007 : The login '.\sqluser' does not exist

I have windows 2003 Std Edition with SP1, SQL Server Enterprise with SP4

How is it that it worked for one (sql server startup account) but not for
agent? I double checked, the user exists.

Thanks.

"Dan Guzman" wrote:

> > Msg 50001, Level 1, State 50001
> > xp_cmdshell failed to execute because CreateProcessAsUserW returns error
> > 1314. please make sure the service account SQL Server running under has
> > appropriate privilege.
>
> As the message indicates, this error may be because the SQL Server service
> account doesn't have the rights necessary to change security context to the
> proxy account. Specifically, 'act as part of operating system' and 'replace
> a process level token' are needed. These rights are set automatically
> during SQL Server installation and when the account is changed using
> Enterprise Manager but not when you change the account directly from
> Windows.
>
> The easiest way to assign the rights is to use EM to change the SQL Server
> account to local system and then back to the desired domain account.
>
> --
> Hope this helps.
>
> Dan Guzman
> SQL Server MVP
>
> "yodarules" <yodarules@discussions.microsoft.com> wrote in message
> news:8BD28577-F4B6-4F84-B116-F9930A32F8AC@microsoft.com...
> > I want to give access to a regular user to execute xp_cmdshell. To do so, I
> > followed all KB articles and did the following
> >
> > EXEC master.dbo.xp_sqlagent_proxy_account N'SET',
> > N'Domain', -- agent_domain_name
> > N'name', -- agent_username domain
> > N'password' -- agent password
> >
> > -- Enable non-system administrators to run the job and to execute xp_cmdshell.
> > EXECUTE msdb..sp_set_sqlagent_properties @sysadmin_only = 0
> >
> > grant execute on xp_cmdshell to name -- Enter the user name again without quotes
> >
> > If I log in as this user 'name' and execute master..xp_cmdshell 'dir'.
> > It's fine. My problem is, the system that I want this to work in is not
> > part of a domain. It's a standalone SQL Server box. So I set these
> > EXEC master.dbo.xp_sqlagent_proxy_account N'SET',
> > N'computer-name', -- agent_domain_name
> > N'localuser', -- agent_username domain
> > N'password' -- agent password
> >
> >
> > When I set as local user and computer name I get no errors. But when I
> > execute xp_cmdshell it doesn't work. The localuser is part of the
> > administrators group as well. The error that I get is
> >
> > Msg 50001, Level 1, State 50001
> > xp_cmdshell failed to execute because CreateProcessAsUserW returns error
> > 1314. please make sure the service account SQL Server running under has
> > appropriate privilege. For more information, search Book Online for topic
> > related to xp_sqlagent_proxy_accoun
> >
> > Has anyone seen this before and any ideas to resolve it. Thanks.
>
>
>
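
Added example, not part of the original thread: Win32 error 1314 is ERROR_PRIVILEGE_NOT_HELD, and the two rights named in the quoted reply correspond to the constants SeTcbPrivilege and SeAssignPrimaryTokenPrivilege. This Python sketch audits a user-rights export (produced with `secedit /export /cfg rights.inf /areas USER_RIGHTS`) for both; the sample export, the SID and the helper names are constructed for illustration.

```python
# Added example: check a secedit user-rights export for the two rights
# the SQL Server service account needs to switch to the proxy account.
REQUIRED = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}

def parse_privilege_rights(inf_text):
    """Return {privilege: set of lowercase principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # Entries are comma separated; SIDs carry a leading '*'.
            rights[name.strip()] = {
                p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
            }
    return rights

def missing_rights(inf_text, principals):
    """List required rights that none of the account's names/SIDs hold directly."""
    wanted = {p.lower() for p in principals}
    rights = parse_privilege_rights(inf_text)
    return [priv for priv in REQUIRED if not (rights.get(priv, set()) & wanted)]

# Constructed sample export (hypothetical SID; not taken from the thread).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1005
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeServiceLogonRight = *S-1-5-20,sqluser
[Version]
signature="$CHICAGO$"
Revision=1
"""

# The account may be listed by name or by SID, so pass both forms.
SQLUSER_IDS = ["sqluser", "S-1-5-21-1111111111-2222222222-3333333333-1005"]

if __name__ == "__main__":
    for priv in missing_rights(SAMPLE_INF, SQLUSER_IDS):
        print(f"missing: {priv} ({REQUIRED[priv]})")
```

The check only sees direct assignments; rights granted through a group require passing the group's name or SID as well. A real export is typically UTF-16 encoded, so read it with `encoding="utf-16"`.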


