I have the ff: scenario,
I have two servers, 1 outside(ServerB), 1 inside a domain(ServerA)
ServerA has an sp that uses xp_cmdshell to call a batch file from ServerB
Inside the batch file is an "XCOPY", when I execute the stored procedure I'm getting an "ACCESS IS DENIED" message,
I know it has something to do with permission but who's permission, where do I start?
You should check the rights of the account used for the SQL Server service. You can see the name of this account (or change it to annother account) using the SQL Server Configuration Manager.
Related
I am using SQL Server 2012 and just logged in using SQL Server authentication. When I try to create a database in the SQL Server authentication mode, I get this error:
I tried to fix it by allowing privileges to it but all gone in waste. It also doesn't allow me alter privileges of User in the form of granting the access of dbcreator but also went in waste. Please help me anyone here.
Thanks in advance.
cannot access the specified path or file on the server, verify that
you have the necessary security privileges and that the path or file
exists
This issue related to a service account of the data engine. It has nothing to do with your SQL login and related permissions, like dbcreator.
Such a situation can be caused by changing the default data folder to a directory where the SQL Server service account does not enough permissions
So, make sure that the service account has FULL permissions on a folder where the database files to be created.
The service account can be checked/changed using SQL Server Configuration Manager:
go to SQL server configuration --> right click on MSSQLSERVER --> Properties --> built-in --> system
and then restart the instance.
this has worked for me.
We are running SQL Server 2014. We want to use a gMSA as the proxy account for xp_cmdshell.
I tried running the following:
EXEC sys.sp_xp_cmdshell_proxy_account 'gmsaNameGoesHere$', ''
However, it expects a password.
I tried running the following:
CREATE CREDENTIAL ##xp_cmdshell_proxy_account## WITH IDENTITY = 'gmsaNameGoesHere$'
It runs! However, when the user tries to run xp_cmdshell via the proxy account, they're told:
Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line 3 The
xp_cmdshell proxy account information cannot be retrieved or is
invalid. Verify that the '##xp_cmdshell_proxy_account##' credential
exists and contains valid information.
Is it possible to use a gMSA as the proxy account for xp_cmdshell in SQL Server 2014? If so, how do I set it up as the proxy account?
Thanks!
I wonder if I can assign xp_cmdshell_proxy_account to [NT Authority\Network Service]. Basically, I want network users to execute xp_cmdshell without giving them sysadmin role.
I tried
EXEC sp_xp_cmdshell_proxy_account [NT Authority\Network Service], 'password'
but I got error saying :An error occurred during the execution of sp_xp_cmdshell_proxy_account. Possible reasons: the provided account was invalid or the '##xp_cmdshell_proxy_account##' credential could not be created. Error code: '1326'.
I tried to run sql server as administrator too, but I got the same error.
The only thing I do know on this, is what I've done in the past on this.
I remember that it is possible to run xp_cmdshell using whatever valid system credentials desirable.
I also remember that I needed to have xp_cmdshell run windows scripts to get some files from a network location, such as "\\somePC\c$\somefolder\*.*" and to do this I needed the SQL Server windows service, to have it run by a valid account other than Network Service or Local Service etc. It needed a normal let's say, account. Otherwise it wouldn't work.
I am unable to grant access to a newly restored database using sp_grantdbaccess. I am trying to do this via dynamic sql like below.
DECLARE #grant_access nvarchar(500)
SET #grant_access = 'EXEC ' + #new_db_name + '.dbo.sp_grantdbaccess ''IIS APPPOOL\myApp'''
EXEC sp_executesql #grant_access
I get the below error back trying to run this from a sproc. Any ideas on how I can grant permission for the app to call sp_grantdbaccess etc? I guess I am needing permission to give permission...
Error restore_backup restore_new_configDBThe server principal "IIS
APPPOOL\myApp" is not able to access the database "new_db_name" under
the current security context
Based on the error message it looks like you are trying to grant access to IIS APPPOOL\myApp using the security context IIS APPPOOL\myApp, but IIS APPPOOL\myApp doesn't have the access rights to the db to grant access rights to itself. I think this is akin to me trying to grant myself access to my neighbors house, but I don't have any authority to do so.
Depending on what type of security policies you are working under, I would either run the app pool under an account that has the greater privileges through integrated auth (but this might negate your need to grant privileges), or execute these SQL statements using a local SQL account with the necessary privileges to the database. In these cases, it would be like asking my neighbor (elevated access) to let me (IIS APPPOOL\myApp) in.
If you think it should work because IIS APPPOOL\myApp had access to the DB prior to being backed up, could this be a problem with IIS APPPOOL\myApp being an orphaned user? See http://msdn.microsoft.com/en-us/library/ms175475.aspx But with this case, you still might run into the above scenario trying to fix the orphaned user.
I am trying to access a folder/directory using 'EXEC MASTER..XP_CMDSHELL' it works for the local file/folder, how ever it can not access the folder over network.
EXEC MASTER..XP_CMDSHELL 'c:\Images' --Works fine
EXEC MASTER..XP_CMDSHELL '\\IPaddress\Images' -- returns "Access is denied."
Please note that i can access the network location but not using sql server.
Sql server is running under Winodws Authentication mode.
Sql server is using 'nt authority\network service' account to access the remote Folder.
Regards
If you run xp_cmdshell 'whoami.exe' it will tell you the account the command is running under. If this account doesn't have permissions on the network, you'll get the error you are seeing.
Check the SQL documentation for changing this account/permissions.
When you have to put file, like BCP result, or a backup in a remote drive, just map this drive into windows don't work, it must be mapped on SQL Server to!, to do this, try some link like this:
exec xp_cmdshell 'net use p:\ \Server\Folder\Folder\Folder\ /Domain\Login /Password'
Reference : https://social.msdn.microsoft.com/Forums/en-US/6eca2d62-eb86-4f23-9b86-6f917017f50c/bcp-utility-via-xpcmdshell-and-network-drive?forum=sqlsecurity