I am getting access denied errors when I move files from server1 to server2. Please advise how I should get past this error in my tsql script.
I used xp_cmdshell 'move d:\files \server2'
tsql uses the permissions of the account used to start the SQL Server instance. To see the account used, open the services control panel, locate the SQL Server service, goto properties and then logon tab. You probably need to change this to an account that has the appropriate permissions.
Related
I have followed "How to schedule and automate backups of SQL Server databases in SQL Server Express" article to create backup a SQL Server Express database. Basically this creates a stored procedure and it is called by a .BAT file periodically by Task Scheduler. If destination is set to a local folder for example D:\Data it works fine, however I need to create backups on the folder \\Server\Folder I get access denied error.
User domain\myuser is always logged in. This user has write permission into folder \\Server\Folder. I tried adding user as Login and then tried to call stored procedure EXECUTE AS domain\myuser but it did not help.
I cannot create a network map because of limitations. Is there a workaround for backup into a network folder?
When I run SSMS and call the SP I get the following error. I logged in as domain\myuser user and opened SSMS. If I browse folder \\Server\Folder in Windows Explorer I can create files, so user domain\myuser has write permissions on the folder.
I navigated to your link you shared and read the following:
In the Enter the user name field, type a user name, and then type a password in the Enter the password field.
Note This user should at least be assigned the BackupOperator role at
SQL Server level if you are using one of the batch files in example 1,
3, or 4.
Are you specifying the domain administrator credentials here? i.e. The credentials for the network share?
You need to make sure that the account that the SQL Server service is using has the appropriera permissions on the share.
I want to write in a shared folder inside my network through an T-SQL procedure but when I try to write, it says permission denied. I tried to grant full permission to everyone and it worked. I don't want to leave it like that though because that would just be another vulnerability in my companies network. What user does T-SQL use? And do you maybe know a way to write without granting everyone permission?
You need to grant the permissions to the account used by the windows service. You can find out which account this is in 2 ways.
SQL Configuration Manager
Open up SQL Configuration Manager on your server, and you see this. The account name you want I have highlighted in a red ellipse.
Command line
Use the command sc to get details of windows services. If your SQL Server instance is the default instance on 'Servername' use
sc \\Servername qc MSSQLSERVER
If you SQL Server instance is Servername\InstanceName use
sc \\Servername qc MSSQL$InstanceName
The account you want is listed as the SERVICE_START_NAME which should be on the last line.
I don't know if it should be like this. When I'm trying to do anything with xp_cmdshell procedure it almost every time gives me Access Denied.
For example I can't create new .txt file, can't create new user, nothing. I'm logged in with windows administrator user.
Is there any way to run this procedure with administrator privileges?
XP_CmdShell will execute under the context of the Service Account running the SQL Server Service. The service account needs the permissions to the external resources.
Could I point out however, that enabling xp_cmdshell is not a good idea. It opens lots of security holes. For example, if your app has an unknown volnerability to SQL injection, a hacker could do all sorts on your network that you rather avoid.
If you must use external resources then better approaches would include a CLR procedure or calling a Job that executes a CMDEXEC step.
xp_cmdshell executed by a windows login is executing under an impersonation context. as such any access of a remote resource (eg. access a file on a share, an operation on AD like adding an user) will fall under the constrained delegation restrictions, likely resulting in a access denied because constrained delegation is probably not to be configured on all those resources.
i have this script:
BACKUP DATABASE timeclockplus TO DISK = 'C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Backup\backup.bak'
how do i know which username is executing it? the reason i ask is because i want to grant extra privelages to the current username so that instead of writing that backup folder i can write to a different folder
There is no context as such except for sa inside the DB engine.
Based on your recent questions, you mean external SQL Server context which will be the service account used (you can see it in Services.msc). So if you are using domain\Specialuser then you could permission domain\Specialuser on a folder.
However, SQL Server 2005 introduced some groups that should contain the service account specified at install time and these should be used for external (eg outside SQL Server) permissions
Some details in KB 283811 , but best seeing "Reviewing Windows NT Rights and Privileges Granted for SQL Server Service Accounts". The groups mentioned here are what you should permission on your desired folder.
Take a look at SUSER_SNAME().
(That page is a bit misleading, passing no param returns the current user - either an SQL Logon or a domain\user depending on the auth mode)
I'm logging in to create a new database from CMD through sqlcmd with SA account. Its response is a message: CREATE DATABASE permission denied in database 'master'.
I'm using Windows server 2003 and SQL 2008. Please help me. Thanks in advance.
It doesn't sound like you're actually using the sa account, or else perhaps you haven't set up your service account properly using SQL config mgr. If you used Computer Manager | Services, then the service might not have permission to create the database files.
...Run As Administrator should do the trick.
Typically the user you're using to run the SQL Server service will not have access to certain folders, which is likely why you're getting this error.
Consider one of these alternatives:
change the credentials used for the service (ick!)
use runas /u:... or Run as...
add permission for the service to access those folders
move the database to a location that the service can access
I would check whether the user you are using indeed has CREATE DATABASE permission though. You can check what server roles it belongs to, because it seems it is not a sysadmin role.
You can use this query for example.
select suser_name(role_principal_id) [login ...],
suser_name(member_principal_id) [... belongs to]
from sys.server_role_members
Regards
Piotr