Xp_cmdshell proxy account

Similar Messages

• SSIS execution via sql query with dtexec utility by passing proxy account

  Hi, 
  i am executing ssis package with dtexec utility, with xp_cmdshell
  package is not a file based, but stored in sql/msdb
  while executing i am getting 'authentication failed'
  i haved tried with sa user and password, by passing it...but no luck
  so finally i want to authenticate it via proxy account, because same happen in sql agent job also but after creating proxy account it worked.
  please suggest me way to pass proxy account in query....i have used many combination like
  SET @SQLQuery = 'DTExec /SQL ^"\DataTransfer.dtx^" '
  SET @SQLQuery = @SQLQuery + ' /SET \Package.Variables[ServerName].Value;^"'+ @ServerName + '^" '
  EXEC master..xp_cmdshell @SQLQuery

  Have the EXEC master..xp_cmdshell run a batch instead that inside it it has a run as DOS command that runs the package with DTExec
  Arthur My Blog

• Non-SysAdmins have been denied permission to run DTS Execution job steps without a proxy account. The step failed.

  I am trying to follow the steps to create a proxy account.  I am looking at
  http://www.mssqltips.com/sqlservertip/2163/running-a-ssis-package-from-sql-server-agent-using-a-proxy-account/.
  --Script #1 - Creating a credential to be used by proxy
  USE MASTER
  GO
  --Drop the credential if it is already existing
  IF EXISTS (SELECT 1 FROM sys.credentials WHERE name = N'SSISProxyCredentials')
  BEGIN
  DROP CREDENTIAL [SSISProxyCredentials]
  END
  GO
  CREATE CREDENTIAL [SSISProxyCredentials]
  WITH IDENTITY = N'ARSHADALI-LAP\SSISProxyDemoUser',
  SECRET = N'abcd@0987'
  GO
  I am not sure what logon this is:  ARSHADALI-LAP\SSISProxyDemoUser.  Is this a Service Account created through Active Directory?  And is this logon then given sysadmin privileges on the SQL Server?
  Or is this the logon of the Active Directory Group that the user belongs to who wants to create SSIS packages and run them?
  lcerni

  Hi lcerni,
  According to the screenshot, you are using SQL Server 2012 Integration Services. The job failed because SQL Server 2012 Integration Services service is secure by default and only administrators can access the service. To resolve the issue, you don’t need
  to add the Windows domain account that you used to create the credentials to the Administrators group, you can just grant access to the SSIS service for the domain user by following the steps in the document:
  Grant Permissions to Integration Services Service
  http://technet.microsoft.com/en-us/library/hh213130.aspx 
  Regards,
  Mike Yin
  If you have any feedback on our support, please click
  here
  Mike Yin
  TechNet Community Support

• Account is SysAdmin - but Non-SysAdmins have been denied permission to run DTS Execution job steps without a proxy account.

  Hi,
  I have a SQL Agent Job that executes an SSIS package.  However when I manually execute the SQL Agent job from SSMS I get the following seemingly common error:
  "Non-SysAdmins have been denied permission to run DTS Execution job steps without a proxy account."
  However, the job owner is a member of both the SQL SysAdmin role, and also a member of the operating system's Administrators group.
  The SQL Agent Service is running under Local Service (not something within my control unfortunately).
  I have found many posts suggesting setting up a proxy account etc, but that seems to be for the case where the job owner is not a sys admin.  To be clear, the job owner IS a sysadmin.
  This is occurring in the Production environment.  I have two other, seemingly identical environments that are working fine, so i am wondering if I have missed something obvious.
  Any idea what I've missed?
  details:
  Windows Server 2008 R2 Standard
  SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)    Enterprise Edition
  Note - the jobs were migrated to the broken environment by scripting them from Env 1, with If exists, drop, create etc.
  Thanks
  Guy
  Guy

  Obviously, as soon as I post this I figure out the issue:
  In the script i had provided for migrating the job to the new environment (to which I have no access) the DBA replaced the @owner_login_name value with a different login.  The account he used does have SysAdmin privileges  but for some reason
  changing the account in the script did not correctly update in the job.
  On opening the job in SSMS it appeared to have the correct owner account, but using GUI to look up the specific account and adding it this way, while appearing to make no difference, has in fact solved the problem.
  My assumption therefore is that updating the @owner_login_name when scripting the job is not the same as actually editing the job owner itself.
  Guy
  Guy

• SQL agent proxy account for Powershell

  I am trying to use a sql agent proxy account for PowerShell. Created the ad account, credential and the proxy but because the PowerShell accesses a bunch o sql servers it errors out.Even when I created a login for all the sql servers the powershell is trying
  to access it still failed so next I'd need to look at what permissions the powershell ad account needs to the objects it accesses. Is this the correct approach?
  What is the best way to go here and avoid using a sysadmin account to run the sql agent powershell job? Thanks!
  Paula

  Hi,
  Please check the error message in job history for details of job failed.
  Sysadmin is required or not depends on what you want to achieve on the SQL Server. For example, to execute sp_readerrorlog, the login must be a member of the securityadmin role and it is not required sysadmin.
  It does need to create the login(proxy account) on the all the SQL Server instances.
  A SQL Server Agent Proxy defines the security context under which different job steps run. The proxy contains the credentials of a Windows user account that does have access to the resources needed by the job. If you have a proxy specified in a job step, SQL
  Server Agent will impersonate the proxy account and run the job step while impersonating that user account.
  In order to find out the required permission, you may log in with this Windows user account(proxy credential) and run the PowerShell on the local machine and see the result. Alternately, connect in SQL Server Management Studio with this login and see what
  permission is required to execute the script.
  Thanks.
  Tracy Cai
  TechNet Community Support

• Proxy account for Cache group creation

  i have a customer that wants to use a proxy account on the database to create timesten cache group. Schema_owner owns all the base tables and app_user has select,insert,delte,update privs on the base tables as well as private synonym. Customer wants to use app_user account to configure cache connect setting and create cache groups. Is this possible and supported?
  thanks

  It depends on the type of cache group that you are creating. The quick start section of the TimesTen Cache Connect Guide (cacheconnect.pdf) gives full details of the type of Oracle users required, and the privileges they must have.
  Chris

• Provision Migration Source Proxy Account wizard broken

  I cannot get the "Provision Migration Source Proxy Account" to complete. All fields are filled in according to the documentation, but when I click Yes to the confirmation box, I get "Migration proxy account provisioning failed: eDirectory NWDSCCODE: ERR_SYSTEM_ERROR [-319]".
  When I check eDirectory, the Migration Proxy Account has been created and has Supervisor rights to the root of the tree. Everything seems to have been completed on the eDirectory side and the "Migration Source Information" in NSMAdmin has Source Tree Name and Migration Proxy Account, but the Default Server Address is blank.
  This is NSM 3.0.1 for Active Directory. Any ideas where I go from here?

  Stober,
  NSM does not support multiple target paths in DFS. I believe that having
  multiple target paths configured is the problem that your experiencing
  for both this target path issue, along with your quota issue.
  thanks,
  NSM Development
  On 2/28/2011 11:06 PM, stober wrote:
  >
  > I'm also posting this in the thread about Quotas and DFS, since I think
  > they're the same problem. I'm not our storage guy, so I don't know a lot
  > about DFS. I've been reading up on it and I think the issue with the
  > "DFS link has multiple target folders" error is related to how we have
  > DFS replication set up.
  >
  > We have two servers set for replication. The intent was that users
  > would use one server and it if failed, it would fail over to the second,
  > which contains a replica of all data. Both DFS target links for these
  > servers are Enabled. I think Storage Manager is seeing both servers when
  > pointed to the DFS namespace and doesn't know which to use, hence the
  > "multiple target folders".
  >
  > Is anyone else using DFS replication and seeing similar issues? I'm
  > going to test this tomorrow by disabling one of the target links and
  > seeing if quotas and migration both start working. I'll post back
  > results. If that works, I'm going to have a fight on my hands on how DFS
  > replication should be set up. Hopefully, someone knows a secret setting
  > to make this work instead of changing all of our DFS setup.
  >
  > stober;2080140 Wrote:
  >> I can now get the Migration wizard to run, but it won't actually move
  >> folders. In the Preview, I get "293 The specified DFS link has multiple
  >> target folders." This is the same error I get when trying to set quotas
  >> (see my other post in this forum about quotas in AD). Does SM not
  >> support DFS? Is my DFS misconfigured somehow or is there an "approved"
  >> configuration to work with SM?
  >
  >

• Outlook 2013 & Proxied accounts, FROM address not defaulting correctly

  Hello,
  We are hosted by Microsoft for our email. We have been on Outlook 2010 for a couple of years without any issues. I have proxy access to two other mailboxes for support purposes. Up until last Thursday, when I replied to an email in the support mailbox, the
  default FROM address was the address for that mailbox. Last Thursday, something changed somewhere so the default FROM address is now my personal mailbox. I do have access to send mail from the proxied accounts so it isn't a rights issue. I am able to change
  the FROM address each time I reply but this is cumbersome. My personal email should never be going out on replies but remembering has been a chore since it always used to work correctly.
  Our helpdesk had me install a plugin called unisend which did fix one related issue but didn't correct the issue I'm experiencing. I have talked with our senior network engineer and mail administrator and both confirm they did not make any changes. I did
  upgrade my PC to Office 2013 in hopes that something became corrupted with my installation (that the upgrade would fix) but that did not correct the problem.
  Ideas?

  Hi there,
  We have received many reports as your description since last week. It sounds like the sending behavior in Outlook 2010 has been changed by some Windows/Office update and goes back to the behavior before.
  Before we go any further, I have to mention some of the history for Outlook 2010. In Outlook 2010 without SP1, Mailto’s will use the default/principal account for message when you use Microsoft Outlook 2010 which has multiple accounts delivered to different
  data file. However, in later version (Outlook 2010 SP1/SP2), Outlook doesn’t use the default account set in Account settings for new messages. Instead, it uses the account associated with the mailbox or *.pst file you have in focus.
  Actually, this behavior is controlled by the registry keys. At this point, I suggest we check the following registry entries are exist and set it to the proper value.
  HKEY_CURRENT_USER\Software\Microsoft\Office\XX.0\Outlook\Options\Mail
  DWORD value: NewItemsUseDefaultSendingAccount
  Value type: REG_DWORD: 1 for force, 0 to disable.
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\XX.0\outlook\options
  Value Name: ForceAccountSelection
  Value type: REG_DWORD: 1 for force, 0 to disable.
  Close the registry editor and restart Outlook to check if the behavior what you want would come back.
  In addition, our Outlook MVP, Diane Poremsky has written an article with more detail information:
  http://www.slipstick.com/outlook/outlook-2010/multiple-accounts-and-the-default-account/
  By the way, we still cannot figure out which update is the root of the issue, if someone could test it and share the result here, I would appreciate that. Feel free to post back.
  Tony Chen
  TechNet Community Support

• File Reporter Proxy Account

  When configuring the DSI proxy account I receive the following error:
  Enter an admin name and password using dotted FDN or LDAP notation.
  Admin name: cn=admin.o=services
  Password:
  Working...
  Failed to reset proxy account. rc = '255'
  Verify that the proxy account exists, and that the correct name and password of a valid admin was entered.
  There is no mention made of any errors or problems in the documentation.
  NDStrace on the eDir server does not see ANY (LDAP, NMAS, PKI) authentication event (Failed or succesful). All user names and passwords work fine with ndslogin, Novell Client, etc.
  We also played around with ALL possible permutations of DN's for both the proxy account and the admin account.

  My installation is NOT a NSM integrated installation.
  My NFRProxy user has Entry rights to the Tree object, and netstat -plnt shows that nothing is currently listening to that port.
  Regards Peter
  Originally Posted by StorageManager
  Is this a NSM integrated installation??
  If yes, you will NOT need to install the DSI! The NSM installation is
  the DSI. You willhowever need to install the follwoing:
  Engine on a Linux server
  file - novell-filereporter-engine-32bit-1.0.0-56.x86_64.rpm
  Agents on NetWare and/or Linux
  NFRAdmin on a Windows workstation.
  If this is a "standalone" installation without Novell Storage Manager
  and you are getting the -255 error installing you need to check the
  following:
  1. Is there a NFRProxy user created and given "default" trustee rights
  to the root of the TREE?
  2. By default the DSI on Linux uses HTTPS port 3009 and you will need
  to verify if you have something using that port by tunning netstat -plnt.
  Please keep me updated!!
  NFR Team
  pch wrote:
  > Hi, please post the resolution on this forum since Nicky isn't the only
  > one with this issue.
  >
  > Regards
  > Peter
  >
  > StorageManager;1927518 Wrote:
  >> Hi Nicky, I have successfully reproduced this issue in our environment
  >> and I have several developers and engineers working on the solution.
  >> I
  >> will post the resolution on this forum but you can also send me your
  >> return address personally at filereporter"@"Novell.com. The "" are to
  >> reduce spam and remove them!
  >>
  >> Thank you,
  >> NFR Team
  >>
  >> NickyVermaak wrote:
  >>> When configuring the DSI proxy account I receive the following
  >> error:
  >>> Enter an admin name and password using dotted FDN or LDAP notation.
  >>> Admin name: cn=admin.o=services
  >>> Password:
  >>> Working...
  >>> Failed to reset proxy account. rc = '255'
  >>> Verify that the proxy account exists, and that the correct name and
  >>> password of a valid admin was entered.
  >>>
  >>> There is no mention made of any errors or problems in the
  >>> documentation.
  >>>
  >>> NDStrace on the eDir server does not see ANY (LDAP, NMAS, PKI)
  >>> authentication event (Failed or succesful). All user names and
  >> passwords
  >>> work fine with ndslogin, Novell Client, etc.
  >>>
  >>> We also played around with ALL possible permutations of DN's for
  >> both
  >>> the proxy account and the admin account.
  >>>
  >>>
  >
  >

• What windows account to use as proxy account to schedule a package to run in sql server 2005 job

  I have successfully set up a credential and proxy in SQL Server 2005 to run a SSIS 2005 job under my windows account. The problem I got is the password of  my account will expire sometime so the job execution will fail until I change the password
  in the credential. I am thinking either to ask our IT administrator to set my account to password never expire or use a different account for the credential. I have very limited knowledge regarding windows security. So if I go the second option what account
  should I use for the credential/proxy? I need to know about this before asking our IT admin.

  It must be a domain wide service account (with a strong, non-expiring password), not a private account with just enough rights to run packages (this implies the account must be able to connect to remote data sources and shares). Oftentimes, such
  an account also needs write access to the %temp% directory.
  Arthur My Blog
  Thanks. I will try to tell our admin see if it makes sense to him.

• VoIP Gk or Proxy Accounting?

  Hi all.
  My Customer is a long distance VoIP Service Provider, currently collecting calls from and delivering them to the PSTN using several Cisco 5350's. In this environment, billing is a "simple" matter - they collect syslog info from the PSTN gateways.
  Now they want to interconnect VoIP carriers, and they're going to implement a Cisco Gk infrastructure with Cisco H.323 Proxies and RADIUS Accounting. Now generating billing info seems to be more involved.
  I have a few questions:
  1. Is a Cisco Proxy able to generate CDR's as detailed as a Cisco Voice Gateway?
  2. Does a Cisco Gk know *exactly* when a call is connected and disconnected and would it be possible to centralize CDR generation on the Cisco GK?
  Thank you very much!
  michele

  Hi Taimoor,
  and thank you very much for your prompt response.
  You propose me a different solution than the one I thought, and please let me check if I understand it right, so I can present it to the Customer.
  --- My proposal: Get rid of all CDR's from the GW's and Proxies and let the GK (a *separate* Cisco router from the Gk) generate the CDR - I know this might not be the best choise as I don't know if the GK is able to generate detailed CDR in this environment.
  --- Your proposal (as far as I understand it): use the CDR's generated by the GW's and the by Gk/Proxy - good because we already know how these CDR's are made and how to elaborate them
  My question is: does your proposal still work if I use separate Cisco routers for the GK and the Proxy (which is the Customer's target)?
  That is, would it be possible to have the Cisco Proxy generate detailed CDR's and bill in the following environment?
  |-------- Cisco Voice GW
  | (generates CDR's for outbound/outbound PSTN calls)
  |
  |
  Cisco MCM GK----|
  |
  |
  |-------- Cisco MCM Proxy
  (generates CDR's or outbound/inbound VoIP calls)
  Thank you
  michele

• ACS 5.1 - RADIUS Proxy Accounting Logs

  Recently I'm using ACS 5.1 to support external RADIUS Servers, and read the manauls to process with the following workflow.
  Install Linux RADIUS Service (this part was tested)
  Install FreeRADIUS Service
  Add new linux user account
  Cisco ACS 5.1
  Add External RADIUS servers
  Network Resources -> External RADIUS Servers
  Add informations.
  Add RADIUS Proxy Serivce
  Access Policies -> Access Services
  Create with User Selected Service Type , RADIUS Proxy
  Advanced Options -> Accounting
  Remote Accounting and Local Accounting enabledAccess Policies -> Access Services -> Service Selection Rules
  Create #1 rule , Conditions : match Radius , Results : RADIUS Service
  Add Network Resources for accepting network
  Network Device Groups -> Network Devices and AAA Clients
  Enable RADIUS Debug Messages
  System Administration > Configuration > Log Configuration  > Logging Categories > Global > Edit: "RADIUS Diagnostics"
  Configure Log Category Log Severity : DEBUG
  Add 3GPP VSA
  Send out Radius Accounting Packet to ACS
  ACS got the Packet, but didn't redirect to External Radius Server
  I got this message from ACS 5.1
  Others is 'Failed to forward request to current remote RADIUS server; an invalid response was received.' in the iv.csv file.
  There are two problem.
  RADIUS Accounting Packets didn't redirect to external server, but it works without proxy. (Auth is ok.)
  Other Attributes didn't collect all informations, and even the debug is enabled.

  Hi Steve,
  The shared secret is 100% correct.
  Finally I find out that there may be some white lists for attributes.
  If I keep NAS-Identifier , it will work.
  But it can't pass all VSA (3GPP sub-attributes) , it only shows one or three in BOTH ACS and RADIUS Server.
  The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit ) .
  When 'Vendor Length Field Size' changes to 0 , All sub-attributes pass thought ACS .
  The RADIUS Server gets the message from NSA.
  Of course, there is the Proxy-State attribute.
  In this condition, the ACS has incorrect output in the sub-attribute.
  Now I try 5.2 to see the problem exist or not.

• When i open Firefox (in general), i dont mean sign into any email address, just to start using Firefox, i want to have always to sign in with my proxy account = username and password..how? thank you!

  when i click on the Firefox icon i want always to have to sign in with my proxy username and password.. i want more privacy in using Firefox in general.. is that possible? thanks

  If you use extensions (Tools > Add-ons > Extensions) like <i>Adblock Plus</i> or <i>NoScript</i> or <i>Flash Block</i> that can block content then make sure that such extensions aren't blocking content.
  Start Firefox in <u>[[Safe Mode|Safe Mode]]</u> to check if one of the extensions (Firefox/Tools > Add-ons > Extensions) or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox/Tools > Add-ons > Appearance).
  *Do not click the Reset button on the Safe mode start window or otherwise make changes.
  *https://support.mozilla.org/kb/Safe+Mode
  You can use one of these to start Firefox in <u>Safe mode</u>:
  *On Windows, hold down the Shift key while starting Firefox with a double-click on the Firefox desktop shortcut
  *On Mac, hold down the Options key while starting Firefox
  *Help > Restart with Add-ons Disabled
  If it works in Firefox Safe-mode then disable all extensions (Tools > Add-ons > Extensions) and then try to find which is causing it by enabling one extension at a time until the problem reappears.
  Close and restart Firefox after each change via "File > Exit" (Mac: "Firefox > Quit"; Linux: "File > Quit")
  See also:
  *https://support.mozilla.org/kb/Troubleshooting+extensions+and+themes

• SP with xp_cmdshell gives an error in the MessageQueue, but executes successfully in SSMS.

  Hi All,
  I have a SP, which calls xp_cmdshell in it. This SP is being used in a MessageQueue. 
  The SQL server and Agent services are configured using a Domain service account, and this service account has a login under the sysadmin server role as well.
  When the MessageQueue is invoked, the SP returns the following exception :
  The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
  But when I execute the SP in SSSMS, under the service account login (which is a sysadmin), it successfully executes.
  I even created the ##xp_cmdshell_proxy_account## credential, but the Message Queue never stops giving this error.
  This is how the queue looks like :
  CREATE QUEUE [dbo].[TestxmCmdshellQueue]
  WITH STATUS = ON ,
  RETENTION = OFF ,
  ACTIVATION (      STATUS = ON ,
                          PROCEDURE_NAME = [dbo].[SpWithxp_cmdshell_Init] ,
                          MAX_QUEUE_READERS = 5 ,
                          EXECUTE AS N'dbo'  ),
  POISON_MESSAGE_HANDLING (STATUS = OFF) 
  The Service account is configured as a Local Administrator in the Local Server as well.
  I am running SQL Server 2008 R2 Sp2 on a Windows Server 2008 R2 Enterprise Machine. 
  Please let me know what I am missing here.

  I Made TRUSTWORTHY = ON in the database and the SP executed without any problem by the Message Queue.
  No, that is not the solution.
  Yes, it works. And it is a lot simpler than the solution I pointed you to. But it opens a big security hole. Or, well, depending how things you are on your server, it may be entirely uncontroversial. But as long as I don't know anything, I will have
  to assume that it is a security hole. And even if there is no one today on the server who is db_owner in the database but who should not be sysadmin, that could happen in the future.
  So, to anyone else who is reading this: don't set your databases to be trustworthy, unless you fully understand the implication. The correction solution is to use certificate signing. I describe this in detail in my article, and this article also explains
  the dangers with TRUSTWORTHY.
  http://www.sommarskog.se/grantperm.html
  Erland Sommarskog, SQL Server MVP, [email protected]

• Exec XP_CMDSHELL cannot find store procedure problem

  I run EXEC sp_configure 'xp_cmdshell', 1
  Message is"....change from 1 to 1 "
  Then
  EXECXP_CMDSHELL 'Dir N:'
  cannot find store procedure xp_cmdshell
  I check master database.
  No dbo.xp_cmdshell under store procedure.
  How to fix it? I need run command
  EXECXP_CMDSHELL 'Dir N:'
  Thanks

  Hallo Bestrongself,
  - what SQL Server version do you use?
  - since SQL 2005 xp_cmdshell is located in the sys-schema and the procedure itself is located in the resource database of Microsoft SQL Server.
  You can check xp_cmdshell by using the following command:
  SELECT * FROM sys.all_objects WHERE name = 'XP_CMDSHELL'
  I bet you will see it in the master database because you cannot drop system procedures and will return an error if you try to do so:
  USE master;
  GO
  BEGIN TRANSACTION
  DROP PROCEDURE dbo.xp_cmdshell;
  DROP PROCEDURE sys.xp_cmdshell;
  DROP PROCEDURE xp_cmdshell;
  ROLLBACK TRANSACTION
  To execute xp_cmdshell you need to have [CONTROL SERVER] permissions otherwise it won't work. Let's say I have a login which I grant exclusive permissions to execute xp_cmdshell it will fail!
  USE master;
  GO
  -- create the login and the user in master-database
  CREATE LOGIN test WITH PASSWORD = 'glmdpf12345', CHECK_POLICY = OFF, CHECK_EXPIRATION = OFF;
  CREATE USER test FROM LOGIN [Test];
  GO
  -- grant explicit permission to execute the xp_cmdshell
  GRANT EXECUTE ON sys.xp_cmdshell TO test;
  GO
  -- tryp to execute xp_cmdshell as test
  EXECUTE AS login = 'test'
  EXEC xp_cmdshell 'DIR C:';
  REVERT
  -- Housekeeping
  REVOKE EXECUTE ON sys.xp_cmdshell TO test;
  DROP USER 'test';
  DROP LOGIN 'test';
  As you can see from the above statement the login "Test" got exclusive permission to execute xp_cmdshell but the execution will fail with the following error message:
  The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
  The above error message is clear. Test is a "normal" user which has the permission to execute the proc BUT due to missing permissions to retrieve the information about the service account it fails!
  You have to grant SERVER CONTROL to the account.
  So - next step...
  What is your permission on server level?
  You can check your permissions by using the following statement:
  -- what are my permissions on server level
  -- check for CONTROL SERVER!
  SELECT * FROM sys.fn_my_permissions (NULL, 'SERVER') ORDER BY permission_name;
  -- what are my permissions for the object xp_cmdshell
  SELECT * FROM sys.fn_my_permissions('xp_cmdshell', 'OBJECT');
  Can you provide us with the results of the above query?
  BTW: xp_cmdshell is a well documented statement and official command which is fully supported by Microsoft. You can find all information about functionality and security of xp_cmdshell here:
  http://technet.microsoft.com/en-us/library/ms175046.aspx
  MCM - SQL Server 2008
  MCSE - SQL Server 2012
  db Berater GmbH
  SQL Server Blog (german only)