Reset proxy and the SQLAgentCmdExec account (264155)



The information in this article applies to:

  • Microsoft SQL Server 7.0

This article was previously published under Q264155

SUMMARY

When you click the Reset Proxy Account button in the Job System tab of the SQL Server Agent Properties, the SQLAgentCmdExec account is re-created with the default rights the account received when SQL Server was first installed.

MORE INFORMATION

When you click the Reset Proxy Account button, the SQLAgentCmdExec account is dropped and re-created as part of the users group with the following rights:

  • Log on locally.

  • Shut down the system.

  • Log on as a batch job.

You can use Reset Proxy Account to reset the rights for the SQLAgentCmdExec account to the default values.

Similarly, the Reset Proxy Password button resets the password for the SQLAgentCmdExec account.

NOTES:
  • The SQLAgentCmdExec account may not be created if you click Reset Proxy Account when you are logged in as a user who does not have sufficient privileges to create an account.

  • The password is randomly generated when the account is created. The password may generate an error message if the computer has strict password policies and the new password does not meet the password policy. If you then change the password by using the User Manager, SQL Server assumes that this account has been tampered with and displays this error message:
    SQLAgentCmdExec account does not exist or the password is wrong.

  • When the SQLAgentCmdExec account is deleted by clicking Reset Proxy Account, the user rights screen may show an entry as Account Deleted for each of the rights that had been granted to that account. This is the default behavior, and it does not affect any functionality.

  • SQL Server 2000 does not use the SQLAgentCmdExec account. SQL Server uses a domain account for non-sysadmin jobs. The SQLAgentCmdExec account is no longer created in SQL Server 2000. When you click Reset Proxy Account in SQL Server 2000, a screen opens in which you can edit the Domain Account.

SQLAgentCmdExec account usage with xp_cmdshell

There are situations in which you may need to add rights to the SQLAgentCmdExec account. One common situation follows.

SQL Server 2000 Books Online recommends that you use the same Microsoft Windows NT domain account for both services (MSSQLServer and SQLServerAgent), and that you make that account a member of the local Administrators group. This means that no special permissions need to be added to the account. This is not a security hole, because any user who does not have sysadmin privileges in SQL Server executes xp_cmdshell in the context of another local account, SQLAgentCmdExec, and not in the context of the SQL Server logon account. Therefore, you can set permissions on the SQLAgentCmdExec account accordingly. To run xp_cmdshell for a non-system administrator user, you must grant the following rights.

MSSQLServer and SQLServerAgent Services

  • Act as part of the Operating System.
  • Increase Quotas.
  • Replace a process level token.
  • Log on as a batch job.

SQLAgentCmdExec Account

  • Log on as a batch job.

NOTE: You must restart the entire server, not just the SQL Services, in order for any changes made to user rights permissions to take effect.

SQLAgentCmdExec on a cluster

For information about setting up SQLAgentCmdExec in a clustered environment, refer to the following article in the Microsoft Knowledge Base:

248407 Utilizing xp_cmdshell with non-sysadmin accounts in a clustered environment


How to assign user rights to an account in Microsoft Windows NT 4.0 and in Microsoft Windows 2000

To assign user rights to an account in Windows NT 4.0, use these steps:
  1. On the Taskbar, click Start, point to Programs, point to Administrative Tools (Common), and then click User Manager for Domains.
  2. In the User Manager dialog box, from the Policies menu, click User Rights. This opens the User Rights Policy dialog box.
  3. In the Right drop-down combo box, select the right that you want to assign. If you want to add an advanced user right, select the Show Advanced User Rights check box. Click Add. The Add Users and Groups dialog box opens.
  4. The Add Users and Groups dialog box displays the user accounts. Select the user account to which you want to assign the right, and then click Add. Click OK to exit the dialog box.

To assign user rights to an account in Windows 2000, use these steps:
  1. On the Taskbar, click Start, point to Settings, and then click Control Panel.
  2. In the Control Panel dialog box, double-click Administrative Tools.
  3. Double-click Local Security Policy, which opens the Local Security Settings dialog box.
  4. Expand Local Policies, and then click User Rights Assignment.
  5. In the details pane, under Policy, double-click the right that you want to assign.
  6. In the dialog box that opens, click Add to select and add the user.
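
After a reset, or after you assign rights with the steps above, you can confirm which rights the SQLAgentCmdExec account actually holds by checking a user-rights export against the defaults listed in this article. The following is an added example, not part of the original article or of any Microsoft tool; it assumes a text export from secedit /export /cfg rights.inf /areas USER_RIGHTS (Windows 2000 or later), and the sample export and the host name SQLHOST are constructed.

```python
# Added example: report which user rights a secedit export gives the proxy account.

# Default rights from the article, keyed by their Windows privilege constants.
DEFAULT_RIGHTS = {
    "SeInteractiveLogonRight": "Log on locally",
    "SeShutdownPrivilege": "Shut down the system",
    "SeBatchLogonRight": "Log on as a batch job",
}

# Constructed sample export, not taken from a real system.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,SQLAgentCmdExec
SeShutdownPrivilege = *S-1-5-32-544,SQLAgentCmdExec
SeBatchLogonRight = SQLHOST\\SQLAgentCmdExec
SeTcbPrivilege = SQLAgentCmdExec
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
"""

def rights_held(export_text, account):
    """Return the privilege constants whose member list includes `account`."""
    held, in_section = set(), False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        right, _, members = line.partition("=")
        # Assumption: entries are "*SID" or a name, optionally "HOST\name".
        # If the export lists the account as a SID, pass that SID as `account`.
        names = {m.strip().lstrip("*").rsplit("\\", 1)[-1].lower()
                 for m in members.split(",")}
        if account.lower() in names:
            held.add(right.strip())
    return held

def audit(export_text, account="SQLAgentCmdExec"):
    """Compare the account's rights with the defaults a reset restores."""
    held = rights_held(export_text, account)
    return {"missing": sorted(set(DEFAULT_RIGHTS) - held),
            "extra": sorted(held - set(DEFAULT_RIGHTS))}

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

In the constructed sample, the account holds SeTcbPrivilege (Act as part of the Operating System), a right this article assigns to the service accounts and not to SQLAgentCmdExec, so it is reported under "extra". secedit writes the export as UTF-16, so decode the file before passing its text to audit.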

REFERENCES

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

248391 Error 1314 raised by xp_cmdshell when executed as non-SA user

249294 FIX: Password fails to meet password policy requirements


Modification Type: Minor
Last Reviewed: 9/22/2006
Keywords: kbinfo KB264155