Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
RoyalSher
Yak Posting Veteran
95 Posts |
 Posted - 2003-10-14 : 09:23:19
|
| HiI have a situation here..I need to give a developer permissions to execute xp_cmdshell and as I did permit the userid... I get the following errorMsg 50001, Level 1, State 50001xpsql.cpp: Error 87 from GetProxyAccount on line 604On further digging I found that the userid need to be a sysadmin fixed role, but one can't give a developer a sysadmin account. Further, the userid can be given a proxy account and I need some clarifications to make..What is a Proxy Account ?What kind of permissions shd it have on OS / Sql Server ?And would this proxying let the developer anyway freak out with the DBA's stuff ?I need somebody's advice on this, Thanks in advance.RoyalSher.*********The world is the great gymnasium where we come to make ourselves strong. |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2003-10-14 : 12:29:06
|
| A user does not need to be a member of the sysadmin role in order to execute xp_cmdshell. The user just needs exec permissions on it. I am not sure what the error message means and I couldn't find any good information about it when I looked it up.Is the MSSQLSERVER service using the Local System account? If so, that might be your problem. The recommendation is to use an account that has local admin privileges on the box.Granting xp_cmdshell is giving the user a ton of privileges and it doesn't restrict itself to SQL Server. xp_cmdshell allows the user to run any commands that can be run at a cmd window. If the user is smart enough, then he/she could really trash the server with xp_cmdshell.I would never grant this permission in production except to an application account and only if the application needs it. Granting it in development might be necessary.Tara |
 |
|
|
RoyalSher
Yak Posting Veteran
95 Posts |
Posted - 2003-10-14 : 13:36:16
|
| Tara, thanks for the i/p you have given. The permission is only in Dev. ennv., and about the proxy account to be set for xp_cmdshell for a non-sysadmin acct. ? and can you refer me anything else ?RoyalSher.*********The world is the great gymnasium where we come to make ourselves strong. |
|
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2003-10-14 : 13:38:09
|
| Just run this:USE MASTERGOGRANT EXEC ON xp_cmdshell TO TheUserChange TheUser to the name of the user that needs this access. TheUser could also be a role if you need to grant this to multiple people.Tara |
|
|
|
RoyalSher
Yak Posting Veteran
95 Posts |
Posted - 2003-10-14 : 13:38:44
|
| Tara,I think I had some confusing msgs in my prev. msg, what i was trying to say was that i need to give permissions to exec. xp_cmdshell only dev. environment & my other query goes better like thisand about the proxy account to be set for xp_cmdshell for a non-sysadmin acct. to execute, can you refer me anything else ?RoyalSher.*********The world is the great gymnasium where we come to make ourselves strong. |
|
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2003-10-14 : 13:44:21
|
Yeah, Books Online has a lot of information about xp_cmdshell:quote:
PermissionsExecute permissions for xp_cmdshell default to members of the sysadmin fixed server role, but can be granted to other users. Important If you choose to use a Windows NT account that is not a member of the local administrator's group for the MSSQLServer service, users who are not members of the sysadmin fixed server role cannot execute xp_cmdshell.
Is that what you needed? If not, then I don't understand the question.Tara |
|
|
|
|
|
|
|
|
Proxy Account Problem