In SQL Server 2000, a domain user cannot run the xp_cmdshell extended stored procedure even when the user has permissions (833559)
The information in this article applies to:
- Microsoft SQL Server 2000 (all editions)
Bug #: 470553 (SQL Server 8.0)
SYMPTOMSIf you use a
domain user account that has the "Act as part of operating system" and the
"Replace a process level token" permissions that are described in the "Setting
up Windows Services Accounts" topic to run the Microsoft SQL Server service, you may
receive the following error message when you try to run the xp_cmdshell extended stored procedure: Msg 50001,
Level 1, State 50001 xpsql.cpp: Error 997 from GetProxyAccount on line
604
MORE INFORMATIONDo not allow the users who are not members of the sysadmin fixed server role to run the xp_cmdshell extended stored procedure. However, if you have to allow the non-sysadmin SQL Server users to run the xp_cmdshell extended stored procedure, the Windows service accounts that are
configured for SQL Server must be included as members of the Administrators
group on the computer that is running SQL Server.
In SQL Server 2000,
if you have to allow the non-sysadmin SQL Server users to run the xp_cmdshell extended stored procedure, you must configure the proxy account.
When SQL Server executes jobs or commands for users who are not members of the sysadmin fixed server role, the SQL Server Agent and the xp_cmdshell extended stored procedure use the proxy account. The Windows
security credentials for the proxy account are stored in the Local Security
Authority (LSA) Secrets database, and only the Windows Administrators can
access the information. Therefore, if the domain user account is not a member
of the local administrator group, the user cannot store or retrieve the Windows
security credentials to log on as the proxy account. Therefore, the xp_cmdshell extended stored procedure fails, and the user receives the error
message that is described in the "Symptoms" section of this
article.
Modification Type: | Major | Last Reviewed: | 4/22/2005 |
---|
Keywords: | kbAuthentication kbService kbServer kbDatabase kbStoredProc kberrmsg kbSysAdmin kbUser kbSecurity kbdocerr kbbug KB833559 kbAudDeveloper |
---|
|