Jay99
468 Posts
Posted - 2002-04-03 : 10:48:49

My client's network team thinks it's a security risk for the DBAs to have physical access to the database servers. I would like to know under which context the Server and Agent services run (and am tired of trying to interrupt their Quake tournament). I have sa and xp_cmdshell, but I can't get to the console. Can I write a proc to run a SQL DMO method? Is there an undocumented xproc? Maybe some command line trickery?

Thanks . . .

Jay<O>

Edited by - Jay99 on 04/03/2002 10:52:16

robvolk
Most Valuable Yak
15732 Posts
Posted - 2002-04-03 : 10:54:04

From EM, can't you look at the service accounts under the properties tab?

izaltsman
A custom title
1139 Posts
Posted - 2002-04-03 : 10:56:35

I believe if you simply issue the SET command (with no params) via xp_cmdshell it'll bring back a bunch of information, among which you'll find the username.

<edit>Ooops... Or you could look at a service account in the EM like rob says... Today just isn't my day...</edit>

---------------
Strong SQL Developer wanted in the Boston area. Please e-mail if interested.

Edited by - izaltsman on 04/03/2002 10:58:40

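As an added example (not part of the original posts), the SET check described above can be scripted in T-SQL so the identity-related variables are picked out of the xp_cmdshell output. The second half cross-checks against the service configuration with the undocumented xp_regread procedure; that step, and the default-instance service key names MSSQLServer and SQLServerAgent, are assumptions not taken from the thread.

```sql
-- Added example, not code from the thread. Run as a sysadmin on a server
-- you administer. For sysadmin callers, xp_cmdshell's child process runs
-- under the SQL Server service account, so its environment reflects it.
SET NOCOUNT ON

-- 1) Capture the output of SET, one row per output line.
CREATE TABLE #env (line nvarchar(255) NULL)

INSERT INTO #env (line)
EXEC master..xp_cmdshell 'set'

-- Keep only the variables that identify the host and the account.
-- A variable that is not set simply returns no row.
SELECT line
FROM   #env
WHERE  line LIKE 'COMPUTERNAME=%'
   OR  line LIKE 'USERDOMAIN=%'
   OR  line LIKE 'USERNAME=%'
   OR  line LIKE 'USERPROFILE=%'

DROP TABLE #env

-- 2) Cross-check: read each service's configured logon account from the
--    registry. ObjectName holds the account name, for example LocalSystem
--    or DOMAIN\user. Key names assume a default instance.
DECLARE @engine_account nvarchar(256), @agent_account nvarchar(256)

EXEC master..xp_regread
     @rootkey    = 'HKEY_LOCAL_MACHINE',
     @key        = 'SYSTEM\CurrentControlSet\Services\MSSQLServer',
     @value_name = 'ObjectName',
     @value      = @engine_account OUTPUT

EXEC master..xp_regread
     @rootkey    = 'HKEY_LOCAL_MACHINE',
     @key        = 'SYSTEM\CurrentControlSet\Services\SQLServerAgent',
     @value_name = 'ObjectName',
     @value      = @agent_account OUTPUT

SELECT @engine_account AS engine_service_account,
       @agent_account  AS agent_service_account
```
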
robvolk
Most Valuable Yak
15732 Posts
Posted - 2002-04-03 : 11:05:18

Or you could use the SET command like Ilya suggests because it will return more info than the EM approach would.

Jay99
468 Posts
Posted - 2002-04-03 : 11:21:07

quote:
COMPUTERNAME=XXXXXX
ComSpec=C:\WINNT\system32\cmd.exe
INCLUDE=C:\Program Files\Mts\Include
LIB=C:\Program Files\Mts\Lib
NUMBER_OF_PROCESSORS=3
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\Perl\bin;C:\WINNT\system32;C:\WINNT;C:\MSSQL7\BINN;e:\prod-data\log;C:\Program Files\Mts
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 7 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0703
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
USERPROFILE=C:\WINNT\Profiles\mssqleng
windir=C:\WINNT

Since there is no USERDOMAIN and USERNAME, does that mean it is running as a localsystem?

Jay<O>

robvolk
Most Valuable Yak
15732 Posts
Posted - 2002-04-03 : 11:28:08

It looks like it's local, but double-check it through EM, it will list the domain if it's a domain account.

izaltsman
A custom title
1139 Posts
Posted - 2002-04-03 : 11:29:04

Yep. It's running under Localsystem.

Sniped!!! Again!!!

Edited by - izaltsman on 04/03/2002 11:29:42

robvolk
Most Valuable Yak
15732 Posts
Posted - 2002-04-03 : 11:32:24

quote: Sniped!!! Again!!!

I'm telling ya, I've got bullet wounds on every part of my body! It's dangerous on this site!

Hey Jay, tell your Quake-heads if they want to see some REAL sniping....

|
Jay99
468 Posts
Posted - 2002-04-03 : 11:36:08

I have spent the last 30 minutes trying to get a .gif onto geocities to link to, but I can't get the upload wizard to work . . .

Anyway, the image I am trying to post is the security tab of the SQL Server properties window of the server. In the Startup Service Account, neither the System Account nor This Account radio buttons paint as selected and it is all grayed out, i.e. non-editable . . . That is what was throwing me off . . .

Thanks

Jay<O>

robvolk
Most Valuable Yak
15732 Posts
Posted - 2002-04-03 : 11:41:29

Can you register the SQL Server under sa, or a sysadmin account?

Jay99
468 Posts
Posted - 2002-04-03 : 12:01:12

quote: Can you register the SQL Server under sa, or a sysadmin account?

It is (as sa) (hey that's one of them palindrome thingies)

Jay<O>

efelito
Constraint Violating Yak Guru
478 Posts
Posted - 2002-04-03 : 15:36:46

I manage a couple of servers where the Service account block is completely greyed out. I didn't do much research into it, but I think that happens when the account you are registered with doesn't have local admin rights on the server. I think it's specifically looking for the right to edit the registry on the server.

Jeff Banschbach
Consultant, MCDBA

Jay99
468 Posts
Posted - 2002-04-03 : 15:41:13

That makes sense or at least is quite possible. I don't even have admin rights on my desktop machine . . . (<shhhhh>net localgroup administrators domain/usernam \add</shhhh>)

Jay<O>