Re: xp_cmdshell issue, local system

From: yodarules (yodarules_at_discussions.microsoft.com)
Date: 11/23/05

  • Next message: Dan Guzman: "Re: xp_cmdshell issue, local system"
    Date: Wed, 23 Nov 2005 11:20:05 -0800
    
    

    You the man, Dan. It worked. So any idea why sometimes the EM hangs when
    you change startup account

    "Dan Guzman" wrote:

    > > How is that it worked for one (sql server startup account) but not for
    > > agent. I double checked, the user exists.
    >
    > My guess is that EM uses a different technique for maintaining the SQL
    > Server and SQL Agent service accounts. Rather than using the '.' shorthand,
    > try specifying the actual computer name ('ComputerName\sqluser').
    >
    > --
    > Hope this helps.
    >
    > Dan Guzman
    > SQL Server MVP
    >
    > "yodarules" <yodarules@discussions.microsoft.com> wrote in message
    > news:ECB606DB-1805-45C4-A2E3-B0670DF85C45@microsoft.com...
    > > Hey Dan,
    > >
    > > Thanks for the reply. So initially I tried to change the login using EM,
    > > but when ever I tried to do that it always hung and I had to EndTask EM,
    > > so
    > > thats the reason why I changed the login using services screen. So what I
    > > did now was stopped the agent service, then went and changed the startup
    > > account to the localsystem for SQL Server and the same for agent which
    > > worked
    > > surprisingly. Then I went and reverted back to my original login for sql
    > > server which is .\sqluser (a local user in the administrators group) it
    > > worked. Now when I go and try the same for the agent startup account it
    > > errors out.
    > >
    > > Error 15401 : Windows NT User or group '.\sqluser' not found. Check the
    > > name
    > > again
    > >
    > > Ok on this
    > >
    > > Error 15007 : The login '.\sqluser' does not exist
    > >
    > > I have windows 2003 Std Edition with SP1, SQL Server Enterprise with SP4
    > >
    > > How is that it worked for one (sql server startup account) but not for
    > > agent. I double checked, the user exists.
    > >
    > > Thanks.
    > >
    > > "Dan Guzman" wrote:
    > >
    > >> > Msg 50001, Level 1, State 50001
    > >> > xp_cmdshell failed to execute because CreateProcessAsUserW returns
    > >> > error
    > >> > 1314. please make sure the service account SQL Server running under has
    > >> > appropriate privilege.
    > >>
    > >> As the message indicates, this error may be because the SQL Server
    > >> service
    > >> account doesn't have the rights necessary to change security context to
    > >> the
    > >> proxy account. Specifically, 'act as part of operating system' and
    > >> 'replace
    > >> a process level token' are needed. These rights are set automatically
    > >> during SQL Server installation and when the account is changed using
    > >> Enterprise Manager but not when you change the account directly from
    > >> Windows.
    > >>
    > >> The easiest way to assign the rights is to use EM to change the SQL
    > >> Server
    > >> account to local system and then back to the desired domain account.
    > >>
    > >> --
    > >> Hope this helps.
    > >>
    > >> Dan Guzman
    > >> SQL Server MVP
    > >>
    > >> "yodarules" <yodarules@discussions.microsoft.com> wrote in message
    > >> news:8BD28577-F4B6-4F84-B116-F9930A32F8AC@microsoft.com...
    > >> >I want to give access to a regular user to execute xp_cmdshell. To do
    > >> >so,
    > >> >I
    > >> > followed all KB articles and did the following
    > >> >
    > >> > EXEC master.dbo.xp_sqlagent_proxy_account N'SET',
    > >> > N'Domain', -- agent_domain_name
    > >> > N'name', -- agent_username domain
    > >> > N'password' -- agent password
    > >> >
    > >> > -- Enable non-system administrators to run the job and to execute
    > >> > xp_cmdshell.
    > >> > EXECUTE msdb..sp_set_sqlagent_properties @sysadmin_only = 0
    > >> >
    > >> > grant execute on xp_cmdshell to name -- Enter the user name again
    > >> > without
    > >> > quotes
    > >> >
    > >> > If I log in as this user 'name' and execute master..xp_cmdshell 'dir'.
    > >> > Its
    > >> > fine. My problem is, the system that I want this to work in is not
    > >> > part
    > >> > of a
    > >> > domain. Its a stand alone SQL Server box. So I set these
    > >> > EXEC master.dbo.xp_sqlagent_proxy_account N'SET',
    > >> > N'computer-name', -- agent_domain_name
    > >> > N'localuser', -- agent_username domain
    > >> > N'password' -- agent password
    > >> >
    > >> >
    > >> > When I set as local user and computer name I get no errors. But when I
    > >> > execute xp_cmdshell I doesn't work. The localuser is part of
    > >> > administrators
    > >> > group as well. The error that I get is
    > >> >
    > >> > Msg 50001, Level 1, State 50001
    > >> > xp_cmdshell failed to execute because CreateProcessAsUserW returns
    > >> > error
    > >> > 1314. please make sure the service account SQL Server running under has
    > >> > appropriate privilege. For more information, search Book Online for
    > >> > topic
    > >> > related to xp_sqlagent_proxy_accoun
    > >> >
    > >> > Has anyone seen this before and any ideas to resolve it. Thanks.
    > >>
    > >>
    > >>
    >
    >
    >


  • Next message: Dan Guzman: "Re: xp_cmdshell issue, local system"

    Relevant Pages

    • Re: Starting Service with SQL Authentication
      ... At first glance, I'd say NO, agent would require sysadmin by design - but, ... On the other hand - personally, it's not a problem to work without sql ... > Then in this case the SQL Agent startup account would need Admin rights? ...
      (microsoft.public.sqlserver.security)
    • RE: Replication Error
      ... account that the SQL Agent runs under. ... When I setup replication two jobs are setup within sql server server. ... step of each job (Snapshot Agent startup message, ...
      (microsoft.public.sqlserver.replication)
    • Re: permission problem?
      ... SQL Agent has an errorlog file, which you for instance can get to from EM, ... I suggest you read in Books Online about permissions. ... >> What error messages do you have in the SQL Server Agent errorlog? ...
      (microsoft.public.sqlserver.server)
    • Re: Exchange 2003 SP3 in deutsch draussen, schon jemand Erfahrungen damit?
      ... der Key hatte aber nicht geholfen ... (z.b. bei meinem SQL Server Backup Problem!). ... >> Alternativ hätte ich noch ein Problem mit der Installation des Agent ...
      (microsoft.public.de.exchange)
    • Re: SQL Server in SBS2000
      ... Some require SQL backend. ... > I would like to setup a database using SQL Server, ... name and/or click on a drop down bar to select the vendor. ... This would tell us how many calls the agent is taking (ie: ...
      (microsoft.public.backoffice.smallbiz2000)