I have followed "How to schedule and automate backups of SQL Server databases in SQL Server Express" article to create backup a SQL Server Express database. Basically this creates a stored procedure and it is called by a .BAT file periodically by Task Scheduler. If destination is set to a local folder for example D:\Data it works fine, however I need to create backups on the folder \\Server\Folder I get access denied error.
User domain\myuser is always logged in. This user has write permission into folder \\Server\Folder. I tried adding user as Login and then tried to call stored procedure EXECUTE AS domain\myuser but it did not help.
I cannot create a network map because of limitations. Is there a workaround for backup into a network folder?
When I run SSMS and call the SP I get the following error. I logged in as domain\myuser user and opened SSMS. If I browse folder \\Server\Folder in Windows Explorer I can create files, so user domain\myuser has write permissions on the folder.
I navigated to your link you shared and read the following:
In the Enter the user name field, type a user name, and then type a password in the Enter the password field.
Note This user should at least be assigned the BackupOperator role at
SQL Server level if you are using one of the batch files in example 1,
3, or 4.
Are you specifying the domain administrator credentials here? i.e. The credentials for the network share?
You need to make sure that the account that the SQL Server service is using has the appropriera permissions on the share.
Related
Our business has just changed Active Directories and the domain changed, from "YMS" to "YMSNET". So I used to be able to log in with "YMS\tkol" and I can now log in with "YMSNET\tkol" (these usernames and domains are faked for the purpose of example), but when I log in as that now, I can't actually expand any of the databases or look at any of the tables, I can just see a list of the database names. When I try to expand a database in the UI it says "This database is not accessible (Object Explorer)."
Now I have another user, called "sqluser", and I keep trying to use that user to log in as well by changing the Authentication Method to SQL Server Authentication rather than Windows Authentication. But I get Microsoft SQL Server, Error: 4064
Now I know this sqluser user exists and the password is correct, because I can authenticate to the server and successfully interact with the tables from an external process on a separate computer on the same network (node.js, package mssql). And I used the query on the accepted answer on this question, and found my sqluser is there, with roles db_accessadmin, db_ddladmin, db_owner. And yet it still won't let me log in with that user in the SQL Server Management Studio UI
How can I get this working again and log in with my sqluser account? Or add the appropriate permissions for my YMSNET\tkol account?
--- edit ---
My first idea is that, because I can log into the UI with YMSNET\tkol, but I can interact with the databases externally with sqluser, that there is some query or command I can run with sqluser that will add permissions for YMSNET\tkol so that that user can now look at all the databases and tables. I don't know which commands I'd run for that.
It can be because your account's default database is mapped to some another db which is not available for you, for instance, you have no permissions there, or that database not exists anymore etc.
Your organization DBA can fix it by:
ALTER LOGIN [sqluser] WITH DEFAULT_DATABASE = [rightDB]
Default db name can be checked by:
select default_database_name from sys.server_principals
where name = 'sqluser'
This property can be overridden by opening "Options" of SSMS connection window and specifying it explicitly:
I have a (S:\) drive with permissions for only myself and the SYSTEM user.
I just downloaded SQL SERVER EXPRESS 2017, and when I go to create a new database, it cannot see that drive as a place to create the database.
I tried giving the Everyone group full permissions on the drive, and then it showed up as a place to make the new database.
I am wondering what user I need to actually give permissions too, as it is clearly not running under my user, since my user has full control on the drive, and it's not running as SYSTEM, since that user has full control of the drive. I don't want to give "Everyone" permissions to the drive.
Note: Doing a bit more experiments, after removing the Everyone permissions, I went looking through my users list (in the Security tab of the Drive properties), and the only user that looks to have anything to do with SQL is SQLServer2005SQLBrowserUser${myUserName}, but giving this user full control did not allow SSMS to see the drive again.
Run this query:
SELECT * FROM sys.dm_server_services
And you will see current available services on your SQL Server instance and the account mapped to each one. Add permissions to the one that's below the servicename: SQL Server (MSSQLSERVER), it will be most likely NT Service\MSSQLSERVER.
If you use Jobs on the Agent, you will need to give permissions to that account also.
We have a database which have different logins and database users. If login is not sysadmin, SSMS gives an error like below
C:\BackupShare
Cannot access the specified path or file on the server. Verify that you have the necessary security privileges and that the path or file exists.
If you know that the service account can access a specific file, type in the full path for the file in the File Name control in the Locate dialog box.
--
Concerns
We should not login as windows login, use sql login instead
We should not give sysadmin role to user.
I tried following ways but did not work
Giving all permissions to folder for NETWORKService, MSSQL$instance (sql server service user)
(https://msdn.microsoft.com/en-us/library/jj219062.aspx)
Giving all other roles to user(login) except sysadmin
Giving all permissions to user(login)
Want to do following things without any restriction with non-sysadmin role
Backup- restore
Attach - detach
Create new db etc
Variations to this have been asked. I have no problem searching a local directory with the below piece of code.
EXEC MASTER.sys.xp_dirtree 'C:\', 1, 1
When I switch the path to a network location the results are empty.
EXEC MASTER.sys.xp_dirtree '\\Server\Folder', 1, 1
I first thought maybe it was something to do with permissions. I added the SQL Server Service to the ACL list on the shared volume as well as the security group.
Any help or direction to point me in is greatly appreciated or even another way to get a list of files in a directory and sub directories.
[Edited]
The two things to look out for are:
Make certain that the Log On account for the SQL Server service (the service typically listed as "SQL Server (MSSQLSERVER)" in the Services list) has rights to that network share.
UPDATE
The problem ended up being that the O.P. was running the SQL Server service as a local system account. So, the O.P. created a domain account for SQL Server, assigned that new domain account as the Log On As account for the SQL Server service, and granted that domain account the proper NTFS permissions.
Please note that this might have also been fixable while keeping the SQL Service running as a local system account by adding the server itself that SQL Server is running on to the NTFS permissions. This should usually be possible by specifying the server name followed by a dollar sign ($). For example: MySqlServer01$. Of course, this then gives that NTFS permission to all services on that server that are running as a local system account, and this might not be desirable. Hence, it is still preferable to create a domain account for the SQL Server service to run as (which is a good practice in any case!).
It sounds like this has been done, so it should be tested by logging onto windows directly as that account and attempting to go to that specific network path.
Make sure that the Login in SQL Server that is executing xp_dirtree has "sysadmin" rights:
This can be done directly by adding the account to the sysadmin server role, or
Sign a stored procedure that runs xp_dirtree:
Create a certificate in [master]
Create a login based on that certificate
Add the certificate-based login to the sysadmin server role
Backup the certificate
Restore the certificate into whatever database has, or will have, the stored procedure that runs xp_dirtree
Sign the stored procedure that runs xp_dirtree, using ADD SIGNATURE and the certificate that was just restored
GRANT EXECUTE on that stored procedure to the user(s) and/or role(s) that should be executing this.
Just to have it stated, another option is to do away with xp_dirtree altogether and instead use SQLCLR. There is probably sample C# code on various blogs. There are also a few CodePlex projects that have file system functions and might also provide a pre-compiled assembly for those that don't want to deal with compiling. And, there is also the SQL# library that has several filesystem functions including File_GetDirectoryListing which is a TVF (meaning: you can use it in a SELECT statement with a WHERE condition rather than needing to dump all columns and all rows into a temp table first). It is also fully-streamed which means it is very fast, even for 100k or more files. Please note that the FILE_* functions are only in the Full version (i.e. not free) and I am the creator of SQL#, but it does handle this situation quite nicely.
i have this script:
BACKUP DATABASE timeclockplus TO DISK = 'C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Backup\backup.bak'
how do i know which username is executing it? the reason i ask is because i want to grant extra privelages to the current username so that instead of writing that backup folder i can write to a different folder
There is no context as such except for sa inside the DB engine.
Based on your recent questions, you mean external SQL Server context which will be the service account used (you can see it in Services.msc). So if you are using domain\Specialuser then you could permission domain\Specialuser on a folder.
However, SQL Server 2005 introduced some groups that should contain the service account specified at install time and these should be used for external (eg outside SQL Server) permissions
Some details in KB 283811 , but best seeing "Reviewing Windows NT Rights and Privileges Granted for SQL Server Service Accounts". The groups mentioned here are what you should permission on your desired folder.
Take a look at SUSER_SNAME().
(That page is a bit misleading, passing no param returns the current user - either an SQL Logon or a domain\user depending on the auth mode)