Proxy Account Problem | SQL Server Performance Forums

SQL Server Performance Forum – Threads Archive

Proxy Account Problem

Hi I have a situation here.. I need to give a developer permissions to execute xp_cmdshell and as I did permit the userid… I get the following error Msg 50001, Level 1, State 50001
xpsql.cpp: Error 87 from GetProxyAccount on line 604 On further digging I found that the userid need to be a sysadmin fixed role, but one can’t give a developer a sysadmin account. Further, the userid can be given a proxy account and I need some clarifications to make.. What is a Proxy Account ?
What kind of permissions shd it have on OS / Sql Server ?
And would this proxying let the developer anyway freak out with the DBA’s stuff ? I need somebody’s advice on this, Thanks in advance.
RoyalSher.
*********
The world is the great gymnasium where we come to make ourselves strong.
I found the following in BOL: "By default, only members of the sysadmin fixed server role can execute this extended stored procedure. You may, however, grant other users permission to execute this stored procedure. When xp_cmdshell is invoked by a user who is a member of the sysadmin fixed server role, xp_cmdshell will be executed under the security context in which the SQL Server service is running. When the user is not a member of the sysadmin group, xp_cmdshell will impersonate the SQL Server Agent proxy account, which is specified using xp_sqlagent_proxy_account. If the proxy account is not available, xp_cmdshell will fail. This is true only for Microsoft® Windows NT® 4.0 and Windows 2000. On Windows 9.x, there is no impersonation and xp_cmdshell is always executed under the security context of the Windows 9.x user who started SQL Server." Hope help.
Luis Martin …Thus mathematics may be defined as the subject in which we never know what we are talking about, nor whether what we are saying is true.
Bertrand Russell
Thanks for the lead,Luis. I was looking more for a proxy account which need to be set up and the acct’s role in sql / os for trouble shooting the problem. RoyalSher.
*********
The world is the great gymnasium where we come to make ourselves strong.
Hi there, you can use xp_sqlagent_proxy_account to define the NT account that SQL will use to execute xp_cmdshell for non-sysadmins (seehttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_xp_aa-sz_8sdm.asp for more details) Then the NT privileges would need to be set so that that account had the correct rights Cheers
Twan
Ensure ‘Only users with sysadmin privleges …’ box is unchecked from EM –> Management –> SQLAgent —> Properties –> Job system.
_________
Satya SKJ
Moderator
SQL-Server-Performance.Com

]]>