Re: Job owned by a non-sysadmin fails to run
- From: "Dan Guzman" <guzmanda@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 27 Dec 2006 07:35:48 -0600
Yes, even after restarting both MSSQLSERVER and SQLSERVERAGENT.
Have you restarted the server since you added the sqlservice account to the local Administrator's group? Although not normally required, I've seen occasions where a restart was needed to pickup the group membership change.
BTW, are there any related messages in the SQL Agent log files?
--
Hope this helps.
Dan Guzman
SQL Server MVP
"Ivan Gerken" <testivan@xxxxxxxxxxxxx> wrote in message news:uVs$ZSQKHHA.2232@xxxxxxxxxxxxxxxxxxxxxxx
- SQL Server service and SQL Server Agent service run under the same account
Yes, referred to earlier as sqlservice. However, the services MSSEARCH, MSSQLServerADHelper, MSSQLServerOLAPService run under Local System (I think it hardly matters but just in case).
- The account is a member of the local administrators group
Yes, plus OLAP Administrators and Users.
- xp_cmdshell runs fine when involed by non-sysadmins
Yes. User account is a member of Users and Remote Desktop Users.
- CmdExec jobs fail for jobs owned by non-sysadmins
Yes, even after restarting both MSSQLSERVER and SQLSERVERAGENT.
"Dan Guzman" <guzmanda@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:A7AC10BD-AE8F-4C96-ADE3-1F1603A38D9C@xxxxxxxxxxxxxxxxLets make sure I have the relevant details right since so much has been discussed in this thread:
- SQL Server service and SQL Server Agent service run under the same account
- The account is a member of the local administrators group
- xp_cmdshell runs fine when involed by non-sysadmins
- CmdExec jobs fail for jobs owned by non-sysadmins
What I find strange is that xp_cmdshell works but CmdExec doesn't. I can see how this might be the case if you used different service accounts and the SQL Agent service account lacked the advanced user rights (e.g. 'act as part of the operating system' and 'replace a process-level token') that are needed to switch security context to the proxy account.
Can you double-check to ensure the same service account is used for SQL Server and SQL Server Agent services? If you have made changes to service account security, have you since restarted the service? In some cases, a server restart in needed in order for security changes to fully take affect.
--
Happy Holidays
Dan Guzman
SQL Server MVP
.
- Follow-Ups:
- Re: Job owned by a non-sysadmin fails to run
- From: Ivan Gerken
- Re: Job owned by a non-sysadmin fails to run
- References:
- Job owned by a non-sysadmin fails to run
- From: Ivan Gerken
- Re: Job owned by a non-sysadmin fails to run
- From: PSPDBA
- Re: Job owned by a non-sysadmin fails to run
- From: Ivan Gerken
- Re: Job owned by a non-sysadmin fails to run
- From: Dan Guzman
- Re: Job owned by a non-sysadmin fails to run
- From: Ivan Gerken
- Re: Job owned by a non-sysadmin fails to run
- From: Dan Guzman
- Re: Job owned by a non-sysadmin fails to run
- From: Ivan Gerken
- Re: Job owned by a non-sysadmin fails to run
- From: Dan Guzman
- Re: Job owned by a non-sysadmin fails to run
- From: Ivan Gerken
- Re: Job owned by a non-sysadmin fails to run
- From: Dan Guzman
- Re: Job owned by a non-sysadmin fails to run
- From: Ivan Gerken
- Job owned by a non-sysadmin fails to run
- Prev by Date: Re: Job owned by a non-sysadmin fails to run
- Next by Date: Re: how to decrypt an encrypted stored proc in 2005
- Previous by thread: Re: Job owned by a non-sysadmin fails to run
- Next by thread: Re: Job owned by a non-sysadmin fails to run
- Index(es):
Relevant Pages
|
|
