Xp_cmdshell proxy account
hello,
i have a weird case that i have two accounts on a database server, lets say AD and AL. the AD is a domain account and the AL is a local account. both of them are local administrators on that database server and both of them is a sysadmin on the sql
server. i've enabled the xp_cmdshell, and i've created the ##xp_cmdshell_proxy_account##. now, in the ##xp_cmdshell_proxy_account## credential properties if i use the AD in the Identity field, the stored procedure that uses the xp_cmdshell works
fine, but if i use the AL account i got the following error:
"An error occurred during the execution of xp_cmdshell. A call to 'LogonUserW' failed with error code: '1385'."
i've searched the error and i found something in http://msdn.microsoft.com/en-us/library/ms681385.aspx that the error code 1385 means (but i'm not sure
if those codes are related to the error i'm getting):
"Logon failure: the user has not been granted the requested logon type at this computer."
i've tried to login with the AL account to the sql server and run for example "exec xp_cmdshell 'echo 123'" and it worked fine!.
can anybody explain this or at least shed some light on the places that i didn't configure for the AL user ?
Please Check if the AL user has these rights
Log on as a service (SeServiceLogonRight)
Act as part of the operating system (SeTcbPrivilege) (only on Windows 2000)
Log on as a batch job (SeBatchLogonRight)
Replace a process-level token (SeAssignPrimaryTokenPrivilege)
Bypass traverse checking (SeChangeNotifyPrivilege)
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
Specially
Log on as a service (SeServiceLogonRight)
Surender Singh Bhadauria
Similar Messages
-
SSIS execution via sql query with dtexec utility by passing proxy account
Hi,
i am executing ssis package with dtexec utility, with xp_cmdshell
package is not a file based, but stored in sql/msdb
while executing i am getting 'authentication failed'
i haved tried with sa user and password, by passing it...but no luck
so finally i want to authenticate it via proxy account, because same happen in sql agent job also but after creating proxy account it worked.
please suggest me way to pass proxy account in query....i have used many combination like
SET @SQLQuery = 'DTExec /SQL ^"\DataTransfer.dtx^" '
SET @SQLQuery = @SQLQuery + ' /SET \Package.Variables[ServerName].Value;^"'+ @ServerName + '^" '
EXEC master..xp_cmdshell @SQLQueryHave the EXEC master..xp_cmdshell run a batch instead that inside it it has a run as DOS command that runs the package with DTExec
Arthur My Blog -
I am trying to follow the steps to create a proxy account. I am looking at
http://www.mssqltips.com/sqlservertip/2163/running-a-ssis-package-from-sql-server-agent-using-a-proxy-account/.
--Script #1 - Creating a credential to be used by proxy
USE MASTER
GO
--Drop the credential if it is already existing
IF EXISTS (SELECT 1 FROM sys.credentials WHERE name = N'SSISProxyCredentials')
BEGIN
DROP CREDENTIAL [SSISProxyCredentials]
END
GO
CREATE CREDENTIAL [SSISProxyCredentials]
WITH IDENTITY = N'ARSHADALI-LAP\SSISProxyDemoUser',
SECRET = N'abcd@0987'
GO
I am not sure what logon this is: ARSHADALI-LAP\SSISProxyDemoUser. Is this a Service Account created through Active Directory? And is this logon then given sysadmin privileges on the SQL Server?
Or is this the logon of the Active Directory Group that the user belongs to who wants to create SSIS packages and run them?
lcerniHi lcerni,
According to the screenshot, you are using SQL Server 2012 Integration Services. The job failed because SQL Server 2012 Integration Services service is secure by default and only administrators can access the service. To resolve the issue, you don’t need
to add the Windows domain account that you used to create the credentials to the Administrators group, you can just grant access to the SSIS service for the domain user by following the steps in the document:
Grant Permissions to Integration Services Service
http://technet.microsoft.com/en-us/library/hh213130.aspx
Regards,
Mike Yin
If you have any feedback on our support, please click
here
Mike Yin
TechNet Community Support -
Hi,
I have a SQL Agent Job that executes an SSIS package. However when I manually execute the SQL Agent job from SSMS I get the following seemingly common error:
"Non-SysAdmins have been denied permission to run DTS Execution job steps without a proxy account."
However, the job owner is a member of both the SQL SysAdmin role, and also a member of the operating system's Administrators group.
The SQL Agent Service is running under Local Service (not something within my control unfortunately).
I have found many posts suggesting setting up a proxy account etc, but that seems to be for the case where the job owner is not a sys admin. To be clear, the job owner IS a sysadmin.
This is occurring in the Production environment. I have two other, seemingly identical environments that are working fine, so i am wondering if I have missed something obvious.
Any idea what I've missed?
details:
Windows Server 2008 R2 Standard
SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64) Enterprise Edition
Note - the jobs were migrated to the broken environment by scripting them from Env 1, with If exists, drop, create etc.
Thanks
Guy
GuyObviously, as soon as I post this I figure out the issue:
In the script i had provided for migrating the job to the new environment (to which I have no access) the DBA replaced the @owner_login_name value with a different login. The account he used does have SysAdmin privileges but for some reason
changing the account in the script did not correctly update in the job.
On opening the job in SSMS it appeared to have the correct owner account, but using GUI to look up the specific account and adding it this way, while appearing to make no difference, has in fact solved the problem.
My assumption therefore is that updating the @owner_login_name when scripting the job is not the same as actually editing the job owner itself.
Guy
Guy -
SQL agent proxy account for Powershell
I am trying to use a sql agent proxy account for PowerShell. Created the ad account, credential and the proxy but because the PowerShell accesses a bunch o sql servers it errors out.Even when I created a login for all the sql servers the powershell is trying
to access it still failed so next I'd need to look at what permissions the powershell ad account needs to the objects it accesses. Is this the correct approach?
What is the best way to go here and avoid using a sysadmin account to run the sql agent powershell job? Thanks!
PaulaHi,
Please check the error message in job history for details of job failed.
Sysadmin is required or not depends on what you want to achieve on the SQL Server. For example, to execute sp_readerrorlog, the login must be a member of the securityadmin role and it is not required sysadmin.
It does need to create the login(proxy account) on the all the SQL Server instances.
A SQL Server Agent Proxy defines the security context under which different job steps run. The proxy contains the credentials of a Windows user account that does have access to the resources needed by the job. If you have a proxy specified in a job step, SQL
Server Agent will impersonate the proxy account and run the job step while impersonating that user account.
In order to find out the required permission, you may log in with this Windows user account(proxy credential) and run the PowerShell on the local machine and see the result. Alternately, connect in SQL Server Management Studio with this login and see what
permission is required to execute the script.
Thanks.
Tracy Cai
TechNet Community Support -
Proxy account for Cache group creation
i have a customer that wants to use a proxy account on the database to create timesten cache group. Schema_owner owns all the base tables and app_user has select,insert,delte,update privs on the base tables as well as private synonym. Customer wants to use app_user account to configure cache connect setting and create cache groups. Is this possible and supported?
thanksIt depends on the type of cache group that you are creating. The quick start section of the TimesTen Cache Connect Guide (cacheconnect.pdf) gives full details of the type of Oracle users required, and the privileges they must have.
Chris -
Provision Migration Source Proxy Account wizard broken
I cannot get the "Provision Migration Source Proxy Account" to complete. All fields are filled in according to the documentation, but when I click Yes to the confirmation box, I get "Migration proxy account provisioning failed: eDirectory NWDSCCODE: ERR_SYSTEM_ERROR [-319]".
When I check eDirectory, the Migration Proxy Account has been created and has Supervisor rights to the root of the tree. Everything seems to have been completed on the eDirectory side and the "Migration Source Information" in NSMAdmin has Source Tree Name and Migration Proxy Account, but the Default Server Address is blank.
This is NSM 3.0.1 for Active Directory. Any ideas where I go from here?Stober,
NSM does not support multiple target paths in DFS. I believe that having
multiple target paths configured is the problem that your experiencing
for both this target path issue, along with your quota issue.
thanks,
NSM Development
On 2/28/2011 11:06 PM, stober wrote:
>
> I'm also posting this in the thread about Quotas and DFS, since I think
> they're the same problem. I'm not our storage guy, so I don't know a lot
> about DFS. I've been reading up on it and I think the issue with the
> "DFS link has multiple target folders" error is related to how we have
> DFS replication set up.
>
> We have two servers set for replication. The intent was that users
> would use one server and it if failed, it would fail over to the second,
> which contains a replica of all data. Both DFS target links for these
> servers are Enabled. I think Storage Manager is seeing both servers when
> pointed to the DFS namespace and doesn't know which to use, hence the
> "multiple target folders".
>
> Is anyone else using DFS replication and seeing similar issues? I'm
> going to test this tomorrow by disabling one of the target links and
> seeing if quotas and migration both start working. I'll post back
> results. If that works, I'm going to have a fight on my hands on how DFS
> replication should be set up. Hopefully, someone knows a secret setting
> to make this work instead of changing all of our DFS setup.
>
> stober;2080140 Wrote:
>> I can now get the Migration wizard to run, but it won't actually move
>> folders. In the Preview, I get "293 The specified DFS link has multiple
>> target folders." This is the same error I get when trying to set quotas
>> (see my other post in this forum about quotas in AD). Does SM not
>> support DFS? Is my DFS misconfigured somehow or is there an "approved"
>> configuration to work with SM?
>
> -
Outlook 2013 & Proxied accounts, FROM address not defaulting correctly
Hello,
We are hosted by Microsoft for our email. We have been on Outlook 2010 for a couple of years without any issues. I have proxy access to two other mailboxes for support purposes. Up until last Thursday, when I replied to an email in the support mailbox, the
default FROM address was the address for that mailbox. Last Thursday, something changed somewhere so the default FROM address is now my personal mailbox. I do have access to send mail from the proxied accounts so it isn't a rights issue. I am able to change
the FROM address each time I reply but this is cumbersome. My personal email should never be going out on replies but remembering has been a chore since it always used to work correctly.
Our helpdesk had me install a plugin called unisend which did fix one related issue but didn't correct the issue I'm experiencing. I have talked with our senior network engineer and mail administrator and both confirm they did not make any changes. I did
upgrade my PC to Office 2013 in hopes that something became corrupted with my installation (that the upgrade would fix) but that did not correct the problem.
Ideas?Hi there,
We have received many reports as your description since last week. It sounds like the sending behavior in Outlook 2010 has been changed by some Windows/Office update and goes back to the behavior before.
Before we go any further, I have to mention some of the history for Outlook 2010. In Outlook 2010 without SP1, Mailto’s will use the default/principal account for message when you use Microsoft Outlook 2010 which has multiple accounts delivered to different
data file. However, in later version (Outlook 2010 SP1/SP2), Outlook doesn’t use the default account set in Account settings for new messages. Instead, it uses the account associated with the mailbox or *.pst file you have in focus.
Actually, this behavior is controlled by the registry keys. At this point, I suggest we check the following registry entries are exist and set it to the proper value.
HKEY_CURRENT_USER\Software\Microsoft\Office\XX.0\Outlook\Options\Mail
DWORD value: NewItemsUseDefaultSendingAccount
Value type: REG_DWORD: 1 for force, 0 to disable.
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\XX.0\outlook\options
Value Name: ForceAccountSelection
Value type: REG_DWORD: 1 for force, 0 to disable.
Close the registry editor and restart Outlook to check if the behavior what you want would come back.
In addition, our Outlook MVP, Diane Poremsky has written an article with more detail information:
http://www.slipstick.com/outlook/outlook-2010/multiple-accounts-and-the-default-account/
By the way, we still cannot figure out which update is the root of the issue, if someone could test it and share the result here, I would appreciate that. Feel free to post back.
Tony Chen
TechNet Community Support -
When configuring the DSI proxy account I receive the following error:
Enter an admin name and password using dotted FDN or LDAP notation.
Admin name: cn=admin.o=services
Password:
Working...
Failed to reset proxy account. rc = '255'
Verify that the proxy account exists, and that the correct name and password of a valid admin was entered.
There is no mention made of any errors or problems in the documentation.
NDStrace on the eDir server does not see ANY (LDAP, NMAS, PKI) authentication event (Failed or succesful). All user names and passwords work fine with ndslogin, Novell Client, etc.
We also played around with ALL possible permutations of DN's for both the proxy account and the admin account.My installation is NOT a NSM integrated installation.
My NFRProxy user has Entry rights to the Tree object, and netstat -plnt shows that nothing is currently listening to that port.
Regards Peter
Originally Posted by StorageManager
Is this a NSM integrated installation??
If yes, you will NOT need to install the DSI! The NSM installation is
the DSI. You willhowever need to install the follwoing:
Engine on a Linux server
file - novell-filereporter-engine-32bit-1.0.0-56.x86_64.rpm
Agents on NetWare and/or Linux
NFRAdmin on a Windows workstation.
If this is a "standalone" installation without Novell Storage Manager
and you are getting the -255 error installing you need to check the
following:
1. Is there a NFRProxy user created and given "default" trustee rights
to the root of the TREE?
2. By default the DSI on Linux uses HTTPS port 3009 and you will need
to verify if you have something using that port by tunning netstat -plnt.
Please keep me updated!!
NFR Team
pch wrote:
> Hi, please post the resolution on this forum since Nicky isn't the only
> one with this issue.
>
> Regards
> Peter
>
> StorageManager;1927518 Wrote:
>> Hi Nicky, I have successfully reproduced this issue in our environment
>> and I have several developers and engineers working on the solution.
>> I
>> will post the resolution on this forum but you can also send me your
>> return address personally at filereporter"@"Novell.com. The "" are to
>> reduce spam and remove them!
>>
>> Thank you,
>> NFR Team
>>
>> NickyVermaak wrote:
>>> When configuring the DSI proxy account I receive the following
>> error:
>>> Enter an admin name and password using dotted FDN or LDAP notation.
>>> Admin name: cn=admin.o=services
>>> Password:
>>> Working...
>>> Failed to reset proxy account. rc = '255'
>>> Verify that the proxy account exists, and that the correct name and
>>> password of a valid admin was entered.
>>>
>>> There is no mention made of any errors or problems in the
>>> documentation.
>>>
>>> NDStrace on the eDir server does not see ANY (LDAP, NMAS, PKI)
>>> authentication event (Failed or succesful). All user names and
>> passwords
>>> work fine with ndslogin, Novell Client, etc.
>>>
>>> We also played around with ALL possible permutations of DN's for
>> both
>>> the proxy account and the admin account.
>>>
>>>
>
> -
What windows account to use as proxy account to schedule a package to run in sql server 2005 job
I have successfully set up a credential and proxy in SQL Server 2005 to run a SSIS 2005 job under my windows account. The problem I got is the password of my account will expire sometime so the job execution will fail until I change the password
in the credential. I am thinking either to ask our IT administrator to set my account to password never expire or use a different account for the credential. I have very limited knowledge regarding windows security. So if I go the second option what account
should I use for the credential/proxy? I need to know about this before asking our IT admin.It must be a domain wide service account (with a strong, non-expiring password), not a private account with just enough rights to run packages (this implies the account must be able to connect to remote data sources and shares). Oftentimes, such
an account also needs write access to the %temp% directory.
Arthur My Blog
Thanks. I will try to tell our admin see if it makes sense to him. -
VoIP Gk or Proxy Accounting?
Hi all.
My Customer is a long distance VoIP Service Provider, currently collecting calls from and delivering them to the PSTN using several Cisco 5350's. In this environment, billing is a "simple" matter - they collect syslog info from the PSTN gateways.
Now they want to interconnect VoIP carriers, and they're going to implement a Cisco Gk infrastructure with Cisco H.323 Proxies and RADIUS Accounting. Now generating billing info seems to be more involved.
I have a few questions:
1. Is a Cisco Proxy able to generate CDR's as detailed as a Cisco Voice Gateway?
2. Does a Cisco Gk know *exactly* when a call is connected and disconnected and would it be possible to centralize CDR generation on the Cisco GK?
Thank you very much!
micheleHi Taimoor,
and thank you very much for your prompt response.
You propose me a different solution than the one I thought, and please let me check if I understand it right, so I can present it to the Customer.
--- My proposal: Get rid of all CDR's from the GW's and Proxies and let the GK (a *separate* Cisco router from the Gk) generate the CDR - I know this might not be the best choise as I don't know if the GK is able to generate detailed CDR in this environment.
--- Your proposal (as far as I understand it): use the CDR's generated by the GW's and the by Gk/Proxy - good because we already know how these CDR's are made and how to elaborate them
My question is: does your proposal still work if I use separate Cisco routers for the GK and the Proxy (which is the Customer's target)?
That is, would it be possible to have the Cisco Proxy generate detailed CDR's and bill in the following environment?
|-------- Cisco Voice GW
| (generates CDR's for outbound/outbound PSTN calls)
|
|
Cisco MCM GK----|
|
|
|-------- Cisco MCM Proxy
(generates CDR's or outbound/inbound VoIP calls)
Thank you
michele -
ACS 5.1 - RADIUS Proxy Accounting Logs
Recently I'm using ACS 5.1 to support external RADIUS Servers, and read the manauls to process with the following workflow.
Install Linux RADIUS Service (this part was tested)
Install FreeRADIUS Service
Add new linux user account
Cisco ACS 5.1
Add External RADIUS servers
Network Resources -> External RADIUS Servers
Add informations.
Add RADIUS Proxy Serivce
Access Policies -> Access Services
Create with User Selected Service Type , RADIUS Proxy
Advanced Options -> Accounting
Remote Accounting and Local Accounting enabledAccess Policies -> Access Services -> Service Selection Rules
Create #1 rule , Conditions : match Radius , Results : RADIUS Service
Add Network Resources for accepting network
Network Device Groups -> Network Devices and AAA Clients
Enable RADIUS Debug Messages
System Administration > Configuration > Log Configuration > Logging Categories > Global > Edit: "RADIUS Diagnostics"
Configure Log Category Log Severity : DEBUG
Add 3GPP VSA
Send out Radius Accounting Packet to ACS
ACS got the Packet, but didn't redirect to External Radius Server
I got this message from ACS 5.1
Others is 'Failed to forward request to current remote RADIUS server; an invalid response was received.' in the iv.csv file.
There are two problem.
RADIUS Accounting Packets didn't redirect to external server, but it works without proxy. (Auth is ok.)
Other Attributes didn't collect all informations, and even the debug is enabled.Hi Steve,
The shared secret is 100% correct.
Finally I find out that there may be some white lists for attributes.
If I keep NAS-Identifier , it will work.
But it can't pass all VSA (3GPP sub-attributes) , it only shows one or three in BOTH ACS and RADIUS Server.
The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit ) .
When 'Vendor Length Field Size' changes to 0 , All sub-attributes pass thought ACS .
The RADIUS Server gets the message from NSA.
Of course, there is the Proxy-State attribute.
In this condition, the ACS has incorrect output in the sub-attribute.
Now I try 5.2 to see the problem exist or not. -
when i click on the Firefox icon i want always to have to sign in with my proxy username and password.. i want more privacy in using Firefox in general.. is that possible? thanks
If you use extensions (Tools > Add-ons > Extensions) like <i>Adblock Plus</i> or <i>NoScript</i> or <i>Flash Block</i> that can block content then make sure that such extensions aren't blocking content.
Start Firefox in <u>[[Safe Mode|Safe Mode]]</u> to check if one of the extensions (Firefox/Tools > Add-ons > Extensions) or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox/Tools > Add-ons > Appearance).
*Do not click the Reset button on the Safe mode start window or otherwise make changes.
*https://support.mozilla.org/kb/Safe+Mode
You can use one of these to start Firefox in <u>Safe mode</u>:
*On Windows, hold down the Shift key while starting Firefox with a double-click on the Firefox desktop shortcut
*On Mac, hold down the Options key while starting Firefox
*Help > Restart with Add-ons Disabled
If it works in Firefox Safe-mode then disable all extensions (Tools > Add-ons > Extensions) and then try to find which is causing it by enabling one extension at a time until the problem reappears.
Close and restart Firefox after each change via "File > Exit" (Mac: "Firefox > Quit"; Linux: "File > Quit")
See also:
*https://support.mozilla.org/kb/Troubleshooting+extensions+and+themes -
Hi All,
I have a SP, which calls xp_cmdshell in it. This SP is being used in a MessageQueue.
The SQL server and Agent services are configured using a Domain service account, and this service account has a login under the sysadmin server role as well.
When the MessageQueue is invoked, the SP returns the following exception :
The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
But when I execute the SP in SSSMS, under the service account login (which is a sysadmin), it successfully executes.
I even created the ##xp_cmdshell_proxy_account## credential, but the Message Queue never stops giving this error.
This is how the queue looks like :
CREATE QUEUE [dbo].[TestxmCmdshellQueue]
WITH STATUS = ON ,
RETENTION = OFF ,
ACTIVATION ( STATUS = ON ,
PROCEDURE_NAME = [dbo].[SpWithxp_cmdshell_Init] ,
MAX_QUEUE_READERS = 5 ,
EXECUTE AS N'dbo' ),
POISON_MESSAGE_HANDLING (STATUS = OFF)
The Service account is configured as a Local Administrator in the Local Server as well.
I am running SQL Server 2008 R2 Sp2 on a Windows Server 2008 R2 Enterprise Machine.
Please let me know what I am missing here.I Made TRUSTWORTHY = ON in the database and the SP executed without any problem by the Message Queue.
No, that is not the solution.
Yes, it works. And it is a lot simpler than the solution I pointed you to. But it opens a big security hole. Or, well, depending how things you are on your server, it may be entirely uncontroversial. But as long as I don't know anything, I will have
to assume that it is a security hole. And even if there is no one today on the server who is db_owner in the database but who should not be sysadmin, that could happen in the future.
So, to anyone else who is reading this: don't set your databases to be trustworthy, unless you fully understand the implication. The correction solution is to use certificate signing. I describe this in detail in my article, and this article also explains
the dangers with TRUSTWORTHY.
http://www.sommarskog.se/grantperm.html
Erland Sommarskog, SQL Server MVP, [email protected] -
Exec XP_CMDSHELL cannot find store procedure problem
I run EXEC sp_configure 'xp_cmdshell', 1
Message is"....change from 1 to 1 "
Then
EXECXP_CMDSHELL 'Dir N:'
cannot find store procedure xp_cmdshell
I check master database.
No dbo.xp_cmdshell under store procedure.
How to fix it? I need run command
EXECXP_CMDSHELL 'Dir N:'
ThanksHallo Bestrongself,
- what SQL Server version do you use?
- since SQL 2005 xp_cmdshell is located in the sys-schema and the procedure itself is located in the resource database of Microsoft SQL Server.
You can check xp_cmdshell by using the following command:
SELECT * FROM sys.all_objects WHERE name = 'XP_CMDSHELL'
I bet you will see it in the master database because you cannot drop system procedures and will return an error if you try to do so:
USE master;
GO
BEGIN TRANSACTION
DROP PROCEDURE dbo.xp_cmdshell;
DROP PROCEDURE sys.xp_cmdshell;
DROP PROCEDURE xp_cmdshell;
ROLLBACK TRANSACTION
To execute xp_cmdshell you need to have [CONTROL SERVER] permissions otherwise it won't work. Let's say I have a login which I grant exclusive permissions to execute xp_cmdshell it will fail!
USE master;
GO
-- create the login and the user in master-database
CREATE LOGIN test WITH PASSWORD = 'glmdpf12345', CHECK_POLICY = OFF, CHECK_EXPIRATION = OFF;
CREATE USER test FROM LOGIN [Test];
GO
-- grant explicit permission to execute the xp_cmdshell
GRANT EXECUTE ON sys.xp_cmdshell TO test;
GO
-- tryp to execute xp_cmdshell as test
EXECUTE AS login = 'test'
EXEC xp_cmdshell 'DIR C:';
REVERT
-- Housekeeping
REVOKE EXECUTE ON sys.xp_cmdshell TO test;
DROP USER 'test';
DROP LOGIN 'test';
As you can see from the above statement the login "Test" got exclusive permission to execute xp_cmdshell but the execution will fail with the following error message:
The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
The above error message is clear. Test is a "normal" user which has the permission to execute the proc BUT due to missing permissions to retrieve the information about the service account it fails!
You have to grant SERVER CONTROL to the account.
So - next step...
What is your permission on server level?
You can check your permissions by using the following statement:
-- what are my permissions on server level
-- check for CONTROL SERVER!
SELECT * FROM sys.fn_my_permissions (NULL, 'SERVER') ORDER BY permission_name;
-- what are my permissions for the object xp_cmdshell
SELECT * FROM sys.fn_my_permissions('xp_cmdshell', 'OBJECT');
Can you provide us with the results of the above query?
BTW: xp_cmdshell is a well documented statement and official command which is fully supported by Microsoft. You can find all information about functionality and security of xp_cmdshell here:
http://technet.microsoft.com/en-us/library/ms175046.aspx
MCM - SQL Server 2008
MCSE - SQL Server 2012
db Berater GmbH
SQL Server Blog (german only)
Maybe you are looking for
-
How to print text vertically in smart forms
hi, Can any one tell how to print text vertically in smartforms ADVANCE THANKS GUHAPRIYAN
-
How do I add a Gmail account to my Mail program
Hi Until now, I have only had @verizon.net email accounts. I now how a @gmail.com email account I don't know how to configure my Mail program so I can receive gmail to my computer, and not have to get it using a Browser. I have attended to configure,
-
30GB IPOD NOT BEING RECOGNIZED BY COMPY
DISCONNECTED TEH IPOD WHILE IT SAID NOT TO, AND NOW IT DOESN'T SEE THE IPOD. THE COMPUTER SEES IT BUT IT WILL NOT CONNECT TO ITUMES OR THE UPDATER FOR A REFORMAT OR WHATEVER. JUST WONDERING IF SOMEONE KNOWS HOW TO MANUALLY DO IT OR IF I CAN TRY SOMET
-
My drive is ALIVE. OPENS AND CLOSES ALL ON IT'S OWN ??!!
Hi. If I put in a disc and close the drive, DVD burner, it opens itself in 3-4 seconds. When left open, it closes and opens itself after some minutes. Got a mind of it's own. Any you guys a mind reader? Also, is the Pioneer 117D the drive of choice f
-
How can i unlock the iphone4 that i bougth it from south korea
How can i unlock the country lock of my iphone4 that i bought from South Korea