I did an install of SQL Server 2008 and the client wanted to have the data file at the root of the hard disk, and the log file at the root of another hard disk.
Prior to doing the install I could browse those hard disks because I am a member of the local admins. After the install I got permission denied.
To get around this, I had to grant myself the ability to take ownership of the hard disks: I went to security and set myself as the owner, and then gave myself specific rights to each of the hard disks, even though local admins were already assigned the rights to do everything.
So is there something I don't know about installing sql server data directories to the root directory that affects the permissions? There were files there before and after the install.
It seems to be done to prevent data and log files from being modified by users. Details are in the following article from MSDN:
Securing Data and Log Files
I have a network folder and two machine accounts, node1$ and node2$, both of them having full control permission on the folder.
I log in to a SQL Server instance on the node1 machine and back up a SQL Server certificate to the network folder, which generates a .crt and a .pvk file.
Then I log in to the node2 machine and try to restore the certificate in another SQL Server instance. But I can't because node2$ has no permissions on the requested files .crt and .pvk.
Even more, if I check the created files, the very node1$ machine account has no explicit permissions on these files. Instead, I find an "owner rights" ACE.
So, the files don't seem to inherit the permissions that node1$ and node2$ have on the folder.
This issue doesn't occur with other kinds of files.
I can solve this by manually assigning explicit permissions on the files to node2$.
But my question is: why don't .crt and .pvk files inherit the permissions as other types of file do?
The documentation explains it:
When performing a backup, the files will be ACLd to the service account of the SQL Server instance. If you need to restore the certificate to a server running under a different account, you will need to adjust the permissions on the files so that they are able to be read by the new account.
As you already figured out: inheritance is disabled because the T-SQL command BACKUP CERTIFICATE explicitly removes all permissions but for the service account.
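Inspecting the ACL that BACKUP CERTIFICATE leaves on the files and granting the restoring account read access, as an added PowerShell example that is not part of the original answer. The share path, file names and account name are constructed placeholders.

```powershell
# Added example. Path, file names and account are constructed placeholders.
# Run as an account that is allowed to read and change the files' permissions.
$backupDir      = '\\fileserver\certs'
$certFiles      = 'MyCert.crt', 'MyCert.pvk'
$restoreAccount = 'CONTOSO\node2$'   # account the restoring instance runs as

foreach ($name in $certFiles) {
    $path = Join-Path $backupDir $name
    $acl  = Get-Acl -LiteralPath $path

    # True means inheritance is disabled, so the folder's ACEs do not apply.
    Write-Output ("{0}: inheritance disabled = {1}" -f $name, $acl.AreAccessRulesProtected)

    # List the explicit ACEs that remain on the file.
    $acl.Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

    # Grant read only: restoring the certificate needs to read the files, nothing more.
    icacls $path /grant "${restoreAccount}:(R)"
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for $path" }
}
```

The .pvk file holds the certificate's private key, so keep the grant limited to the one account that performs the restore.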
On Ubuntu 17.04, I have a .bak file in /var/opt/mssql/backup/ that I am trying to restore to a separate partition because the partition I have SQL Server installed on does not have enough room for the database to be restored to.
I am getting an error like the following: The operating system returned the error '5(Access is denied.)' while attempting 'RestoreContainer::ValidateTargetForCreation' on '/media/<my-user-name>/<some-folder>/<mdf-file>.mdf'.
I've tried to use chmod and chown to change the permissions of that folder on the second partition, but I'm not getting it quite right because I still get the error.
What user is trying to write to that folder in the second partition?
How do I get that user account permissions to successfully restore the database to that folder?
I had this second hard drive connected via a caddy and was able to perform this task no problem. But as soon as I installed the ssd internally, Ubuntu has not allowed whatever user account I'm using in the SQL Server CLI for it this time.
Thanks!
Update
I changed the owner of the second partition/ssd to mssql and now I have permission to restore the database to this location. I would assume that if the owner of that whole ssd is mssql, I might have other permission issues down the road using this ssd for other things. Is there a way to configure this so that my personal user account as well as mssql has permissions to this folder enough to own it? I don't think two different accounts can own a folder, but is there a way to permit multiple accounts with sufficient access to perform these actions?
I won't pretend to be knowledgeable about this, but I had a permissions issue while trying to restore a .bak that was on a network vm to my local device, it worked when I added it to a .zip with 7-share, then copied it to the location I wanted and extracted it.
I had the permissions issue when I tried to move it without zipping, and as far as I remember I still had this issue when I used send to compressed (zipped) folder. I'm not sure why, maybe someone else can elaborate.
I solved the problem by deleting the old database, creating a new one and restoring the backup to the new one.
My problem was probably caused by the fact that I had created the database in the evaluation edition of MS SQL Server and I wanted to overwrite it with a backup in a new installation of the developer edition.
I'm not an expert with TSQL so have patience with me please. So recently I was doing a project in TSQL on my local server using SQL Server 2008 R2 Management Studio. I was reading my files from a temp file on my C: drive and bulk inserting them into tables at the time.
Then I went and moved to a regular server instead of my local server on my machine.
It took me a bit to realize that I no longer had access to my local machine folders and files, and that is causing me issues.
I've read that one solution is to create a mapped drive on the server, but this is not an option for me.
So my question is what are other options for me? Could I use UNC paths to access my files or anything else?
The files I want to access are regular text files that are comma-delimited and newline terminated.
(I saw somewhat similar questions to mine, but theirs seemed server-specific or specific to their particular issues. Also, none of their questions were answered.)
Actually a mapped drive won't work either because the account SQL runs under by default (local system if I recall) will not have network access.
So, the more reliable way to do this is definitely with a UNC path BUT there is more! (I've done this several times when I've needed to move database backups and log backups across servers for mirroring).
How?
1. On the SQL server machine AND the other server that will host the share, create a new user (same username and password on both machines) - assuming you're not using AD. The user need not be in any groups at all other than the users group but it must be called the same in both servers and the password must match.
2. On the SQL server machine change the account that SQL SERVER is running under. This is done in the SQL server configuration tool. Do not try to do this yourself via windows services. Choose the user that you created in no. 1 above. Note you have to enter the pw. Restart SQL after you've changed it and verify SQL still runs fine. It should run just as before but now is running as a particular user with all the permissions of that user (which actually are very limited anyhow, but at least the user can access network resources).
3. On the remote server, make sure the new user has NTFS permissions on the folders that will host your share. Read/write perhaps or just read if SQL is only reading data.
4. On the remote server, create a share pointing to the appropriate folder that you set permissions for above. Make sure if you're using share permissions that the new user also has permissions on the share (not just on NTFS on the drive).
Once all of this is setup, your SQL scripts simply use the UNC path that points to the remote share and since SQL is running "as" a user with access to that share, SQL will see the files just fine!
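The remote-server side of the procedure above (creating the user, then the NTFS and share permissions), as an added PowerShell example that is not part of the original answer. The user, folder and share names are constructed placeholders, and read-only access is assumed because SQL Server only reads the files; changing the service account is left to the SQL Server configuration tool as the answer says.

```powershell
# Added example. Run elevated on the server that hosts the share.
# User, folder and share names are constructed placeholders.
$user   = 'sqlfiles'
$folder = 'D:\ImportDrop'
$share  = 'ImportDrop'

# Create the local user. Repeat this part on the SQL Server machine
# with the same name and the same password.
$pw = Read-Host -AsSecureString "Password for $user"
New-LocalUser -Name $user -Password $pw -PasswordNeverExpires -UserMayNotChangePassword
Add-LocalGroupMember -Group 'Users' -Member $user

# NTFS: read and execute on the folder, inherited by files and subfolders.
icacls $folder /grant "${user}:(OI)(CI)(RX)"
if ($LASTEXITCODE -ne 0) { throw "icacls failed for $folder" }

# Share: read access for the same user. Effective access over the network is
# the more restrictive of the share permission and the NTFS permission.
New-SmbShare -Name $share -Path $folder -ReadAccess "${env:COMPUTERNAME}\$user"

# Verify both layers before pointing SQL Server at \\<server>\ImportDrop.
Get-SmbShareAccess -Name $share
(Get-Acl -LiteralPath $folder).Access |
    Where-Object { $_.IdentityReference -like "*\$user" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```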
I am trying to import data from an Access 2003 mdb database using OpenDataSource with the ACE OLEDB driver. I'm getting this error:
Description: OLE DB provider "Microsoft.ACE.OLEDB.12.0" for linked server "(null)" returned message "Cannot start your application. The workgroup information file is missing or opened exclusively by another user.".
I have no idea what it's talking about, and my internet searches have not helped. They all refer to linked servers, and anything I've tried has done nothing to fix the problem. What does this error mean, and what do I need to do to fix it?
The sproc which does the importing is called from an SSIS package, which goes through a table of file locations and calls the sproc for each of them. I just discovered that the package ran for about half an hour, getting about 80 files imported, before it began throwing this error. I have as yet been unable to find any difference between the files that worked and the ones that didn't.
From Understanding the role of workgroup information files in Access security:
The workgroup information file is a required component when you use a Microsoft Access database (MDB). This file is required for both a run-time installation and a full installation of Microsoft Access. This file is an important component of Microsoft Access security.
If you develop database applications, it is important that you have a good understanding of the workgroup information file. It is a good idea to reserve the last phase of the development process for applying security in Access. Until then, you can develop the database application in an unsecured database.
A workgroup is a group of users who share data in a multiuser environment. When security is implemented on a database, the user and group accounts are recorded in the workgroup information file. User passwords are also stored in the workgroup information file.
IMPORTANT: If you establish Access security in a database, Microsoft recommends that you store a backup copy of the workgroup information file in a safe location. If the file is lost or damaged, the only way to recover the workgroup information file quickly is to restore the file from a backup copy. If you do not have a backup copy, you must re-create the User and Group Accounts with the same Personal IDs that were originally assigned. If the new workgroup information file is not created exactly as the original file, you will not be able to open the database with the workgroup file.
Access uses the workgroup information file even when the database has not been secured. The default Admin user account, which is stored in the workgroup information file, is used to open all unsecured databases. If you assign a password to the Admin user, you will receive a logon prompt when you reopen the database.
The Access database that SQL Server is trying to access is being used by another user. Go to the folder where the database is stored. With Access 2003, the database file itself will end in 'mdb'. If there is a file with the same name but ending in 'idb', it signals that there is a user currently using the 'mdb' file. Have the user exit the database and then run your package. If you can't find the user using the file, make a copy of the file in another folder and edit your SSIS package to reflect the change.
For SQL Server 2008 Developer Edition on Vista 64 bit:
I tried copying a database using a Vista admin account using the attach/detach method and it failed due to a file permission error so I gave the user that sql services are running as write and modify to the directory. The copy didn't work. I then gave it full control. The copy worked.
Does that make sense?
If I revoke full control from the user, will that cause problems?
The weird thing is that in an existing working database with files in a different directory, there are no special permissions on the directory and files for the database, so why does a copy require full control?
When you detach a DB, the MDF/LDF files may be set with more restricted perms than you expect, like exclusive to the principal that did the detach - maybe the SQL Server service account or the domain account of the user that performed the detach. I have in the past had to manually add back permissions on the files' Properties > Security tab for other users, or else the files act as if they are locked. See also http://www.onupdatecascade.com/2009/07/sql-server-locks-mdf-and-ldf-files-upon.html
also: http://msdn.microsoft.com/en-us/library/ms189128.aspx
( thanks GrumpyOldDBA )
If the server and/or data you are working on does not require those restrictive permissions to be set, you can set a startup flag in SQL Server that will override this function. I understand what Microsoft is going for with this - they assume if you detach a DB they don't want just anyone to walk away with the file; however, I think keeping a good hacker from doing that is easier said than done, and encrypting the DB is the best method for safeguarding data.
Anyway, there is a "Trace Flag 1802" which is oddly named, since it's nothing to do with tracing. You'll want to add it to your SQL startup in SQL Configuration Manager if you want to keep this behavior.
https://support.microsoft.com/en-us/kb/922804
I myself had the same issue and found the answer in StackExchange:
https://dba.stackexchange.com/a/77683/11001