how to log user getting access to path denied on windows server - sql-server

I have an SSIS package that fails on a step that copies a file from server 1 to another server 2. I get
access to path \server2\f$\dir1\dir2\dir3\file.mdb denied
I have give "everyone" all access on the dir3 subdirectory and still it does not work.
I'd like to see what user the system is trying to use to copy the file and I have looked at the Security error logs but can not find the attempted log in.
How can get the windows to log the user?

If you are running the SSIS package from SQL Server, then you have to give permission to the SQL Database Engine Service account NT SERVICE\MSSQL$<Instance Name> (Where <Instance Name> should be replaced by the installed instance name):
Configure File System Permissions for Database Engine Access

Related

SSIS job is not able to access the Azure File share path

I am testing the azure file share with SSIS hosted on Azure VM. However, I am facing an issue while running the job.
Package execution through Visual Studio is successful
Package execution through catalog also is successful
Package execution through the Job is FAILING with the error The File Name "\.windows.net<FolderName>\file.csv" specified in the connection was not valid
I tried running the job with the proxy account having access to the Azure share folder (Same account used to run the package), however it failed with the same error.
Both UNC and as a mapped drive was tested.
Any suggestion or advice on this will be highly appreciated.
Thanks in advance.
Try giving read/write permissions (For the Azure share folder) to the SQL Database Engine Service account NT SERVICE\MSSQL$<Instance Name> and NT SERVICE\SQLSERVERAGENT (Where <Instance Name> should be replaced by the installed instance name):
Configure File System Permissions for Database Engine Access
Also, feel free to read more about SQL Server service accounts in the following documentation:
Configure Windows Service Accounts and Permissions

Using AWS FSx file share for SQL Server Backup Directory

I'm trying to use an FSx file share as the Backup directory when installing SQL Server Express on my EC2 instance, but the SQL installer fails to use the UNC path to the FSx file share due to a SeSecurityPrivilege problem.
I can access the file share on FSx with full access from the EC2 instance using File Explorer, but do not know how to set the SeSecurityPrivilege as I don't think it is possible to access the File Server for the FSx share as proposed in the error message from the SQL installer below.
Any ideas would be appreciated?
The error is this:
"SQL Server setup account does not have the SeSecurityPrivilege privilege on the specified file server in the path . This privilege is needed in folder security setting action of SQL Server setup program. To grant this privilege, use the Local Security Policy console on this file server to add SQL Server setup account to "Manage auditing and security log" policy. This setting is available in the "User Rights Assignments" section under Local Policies in the Local Security Policy console."
The error indicates that the account used to install SQL server doesn't have the "SeSecurityPrivilege" permission on the FSX servers which is required to perform the installation.
By default, the FSx Delegated Administrators Group has this permission.
You need to add your user account to that group on your FSx Windows File System along with Full control on the share and full control on the ntfs.
The problem is that you connected to this machine with the windows/machine administrative. you should connect to this machine with the Active directory administrative user and follow the below document.
https://aws.amazon.com/blogs/storage/simplify-your-microsoft-sql-server-high-availability-deployments-using-amazon-fsx-for-windows-file-server/

SSIS cannot access folder which everyone has access to

So we have a network address lets call it the Z drive that everyone has access to.
By everyone I mean the entire organization. For completeness, I actually went ahead and gave access to the actual SQL Server Agent.
The package runs fine on dev, but always fails with
The directory "Z:\SSIS_Test" does not exist
At first, I thought it was an issue of access. But how can't the SQL Server Agent access an everyone drive?
Also, I went in and run the package on the server myself as the caller and it still failed with same error. What gives? Am I not getting something?
Possible solutions
(1) Granting service accounts
Try giving read/write permissions to the SQL Database Engine Service account NT SERVICE\MSSQL$<Instance Name> and NT SERVICE\SQLSERVERAGENT (Where <Instance Name> should be replaced by the installed instance name):
Configure File System Permissions for Database Engine Access
I was facing the same issue, it looks like the "everyone" permission does not take into consideration service accounts (I am not sure). The issue was solved after granting the database engine and SQL agent service accounts. Also feel free to read more about SQL Server service account in the following documentation:
Configure Windows Service Accounts and Permissions
(2) Mapping drive within SQL Server
You can refer to the following article for more information:
Make Network Path Visible For SQL Server Backup and Restore in SSMS
Or you can try to use the full UNC path instead of the mapped drive.
If these solutions didn't worked, there are many other suggestions listed in the following answer, you can check it for more information:
SSIS File System Task Error while copying files between servers

TFS 2015 - TF401002: The SQL Server Database Engine failed to save the database backup to path

When attempting to create scheduled backups for TFS 2015, I received the following message: "TF401002: The SQL Server Database Engine failed to save the database backup to path \{share}\d$\TFSBackups. Please grant SQL service account read/write access to that folder."
I can't seem to find a solution that will work for me. The 'TFSBackups' folder is shared with full permissions for the NETWORK SERVICE and MSSQLSERVER.
What haven't I done?
Put the comment from Panagiotis Kanavos in the answer.
The error message is crystal clear and has nothing to do with TFS.
That account doesn't have permission to write to that folder.
The path is NOT a path to a valid share, it uses the administrative
endpoint d$ to directly access a physical drive. Only administrators
are allowed to use administrative endpoints.
Just share TFSBackups, set the proper permissions and use the share's
path, eg \\MyStorageMachine\TFSBackups
Normally SQL Service is running at user NT Authority/SQLAgent or similar(these users doesn't have authorization to tfs network folder). Go services and change owner of service to an account which has access to tfs folder.
I had the same problem with TFS, You must be setting up TFS Backups using TFS Admin console.
It is actually the SQL service which write and read backup files to the said location.
Just make sure you grant access to the SQL Service accounts.
If you're on Domain pay attention to Domain User Name.
In my case, SQL Server engine was executed by domain user User#Domain.com but my true permission was for Domain\User so fixing user Logon as in SQL engine saved my day.
Most of the time NT Authority doesn't have write permission on network path so, you need to change Azure or TFS owner user to valid network user.

File sharing with a specific user in database in SQL Server

I have created a login in SQL Server. The login has only read-only permissions. Database role membership for this user are db_backupoperator, db_datareader, db_denydatawriter and public. I gave him permissions to make backups, but when I try to access folder directory of the system it shows an error like in the picture below.
How can I share a specific folder to this Login in order to save backups to this folder?
Here is the error:
The user logs in to the SQL Server instance via a SQL Server logon, and asks for a backup to be made.
The SQL Server process, running under whatever Windows Identity it
is (LOCAL SYSTEM on my dev machine) makes the backup.
The user who asked for the backup in step 1 uses Windows Explorer to
check the backup folder. Note that Windows Explorer is using his
Windows Identity (NOT his SQL Logon) to check whether or not he has
access to that folder
Windows Explorer decides that this Windows user does not have access and
displays the message you show above.
To change the outcome, you need to give the Windows Logon that the user is using access to the backup folder. To do this, log on as an Admin, right click on the folder in explorer and select the Security tab. Add the Windows Logon that the backup person uses and give read access to the folder.
Just to clear, the backups are likely being done properly (absent any other data), but his WINDOWS logon is not allowed to see them.

Resources