Re: xp_CmdShell and VBScript

From: Scott Elgram (SElgram_at_verifpoint.com)
Date: 03/15/04

• Next message: Jim: "Security Log Backup Script"
• Previous message: Tim McGue: "RE: xp_CmdShell and VBScript"
• In reply to: Tim McGue: "RE: xp_CmdShell and VBScript"
• Messages sorted by: [ date ] [ thread ]

---

Date: Mon, 15 Mar 2004 12:42:32 -0800

Tim,
    The computer the script is attempting to create a local account on is
not in the domain from which the script is being run. I was under the
impression that the line "Set oComputer = oDSO.OpenDSObject("WinNT://"
&strComputer, "Administrator", "1234", ADS_SECURE_AUTHENTICATION)" would
force the script to use the Administrator account to create a local account
on the target computer. Inside the domain the script works perfectly from
xp_CmdShell but when I attempted this for a computer outside the domain I
got the error.

-- 
-Scott Elgram
"Tim McGue" <anonymous@discussions.microsoft.com> wrote in message
news:9D0C28C1-7DE9-4E28-AF63-F5BAC762FB02@microsoft.com...
> This really looks like a permissions issue.  This is what the books online
has to say about that command:
>
> "When xp_cmdshell is invoked by a user who is a member of the sysadmin
fixed server role, xp_cmdshell will be executed under the security context
in which the SQL Server service is running. When the user is not a member of
the sysadmin group, xp_cmdshell will impersonate the SQL Server Agent proxy
account, which is specified using xp_sqlagent_proxy_account. If the proxy
account is not available, xp_cmdshell will fail. This is true only for
Microsoft® Windows NT® 4.0 and Windows 2000. On Windows 9.x, there is no
impersonation and xp_cmdshell is always executed under the security context
of the Windows 9.x user who started SQL Server."
>
> Based upon that information make sure the account that is running your SQL
Server service or your xp_sqlagent_proxy_account has permissions to create
user accounts in your active directory/domain.
>
> Tim McGue

---

• Next message: Jim: "Security Log Backup Script"
• Previous message: Tim McGue: "RE: xp_CmdShell and VBScript"
• In reply to: Tim McGue: "RE: xp_CmdShell and VBScript"
• Messages sorted by: [ date ] [ thread ]

---

Relevant Pages Re: VS2005: SQL Debugging "T-SQL execution ended without debugging. You may not have sufficient ... > account also must be a member of the sysadmin role in the target SQL ... and the Windows firewall is disabled on both client & server. ... to the remote SQL Server 2005. ... But I'm still getting the "T-SQL execution ended without debugging. ... (microsoft.public.vsnet.debugging) Re: Utter madness! ... It is just Windows security stuff. ... You can get a trusted connection back to SQL server. ... ASP.NET account (either processModel or app pool identity depending on ... (microsoft.public.dotnet.framework.aspnet.security) Re: Passthrough authenication w/ SQL trusted connection ... separate connection will be used for each security context (each user ... account will have it's own pool). ... if you are using a Windows 2000 Domain, ... backend SQL Server. ... (microsoft.public.dotnet.framework.aspnet.security) Re: Search services not available ... Let me clarify that our SQL server uses Windows Authentication, ... account, even if it was just for now to get it working, that would be easier ... I have configured the Search service to use this ... (microsoft.public.sharepoint.windowsservices) Re: Permissions! ... This account is used because your web ... application is configured for anonymous access instead of integrated ... The details on how to use Windows ... SQL Server MVP ... (microsoft.public.sqlserver.security)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.scripting  > 2004-03