Trying to run xp_cmdshell as a non-sysadmin user

I need to be able to run xp_cmdshell from a sp in my database.  This runs fine for me, as I'm a sysadmin user, but when the actual user, who is not, tries to run it, it fails.

So I created a sql server login call xp_cmdshell_user which has sysadmin rights and I'm trying to switch the login to that user as my first step in my sp using the following:

EXECUTE AS LOGIN = 'xp_cmdshell_user'

When I run the sp as myself, again no problem.

When I run it as a non-sysadmin user I get the following error:

Msg 15406, Level 16, State 1, Procedure process_Lab_Load, Line 21
Cannot execute as the server principal because the principal "xp_cmdshell_user" does not exist, this type of principal cannot be impersonated, or you do not have permission.

I understand I need to set some sort of impersonation but I can't seem to get this to work with a windows login.  The current login trying to run the sp is MyDomain\TestUser.

I tried the following command:

GRANT IMPERSONATE ON USER:: 'MyDomain\TestUser' TO 'xp_cmdshell_user'

I get:
Msg 102, Level 15, State 1, Line 4
Incorrect syntax near 'MyDomain\TestUser'.

Fraser_AdminAsked:
Who is Participating?
 
chapmandewCommented:
try this:

GRANT IMPERSONATE ON USER:: [MyDomain\TestUser] TO 'xp_cmdshell_user'
0
 
James MurrellProduct SpecialistCommented:
have you given permission to the sp

GRANT  EXECUTE  ON [dbo].[SPNAME]  TO [USERNAME]
GO
0
 
chapmandewCommented:
Also, take a look at this link...there is a sproc for doing this for non-sysadmin users:

http://sqlblog.com/blogs/tibor_karaszi/archive/2007/08/23/xp-cmdshell-and-permissions.aspx


EXEC sp_xp_cmdshell_proxy_account 'Domain\WinAccount','pwd'
EXECUTE AS login = 'JohnDoe'
--Execution of xp_cmdshell is allowed.
--And executes successfully!!!
EXEC xp_cmdshell 'DIR C:\*.*'
REVERT

 
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
Fraser_AdminAuthor Commented:
GRANT IMPERSONATE ON USER:: [MyDomain\TestUser] TO xp_cmdshell_user
execute as login = 'MyDomain\testuser'
use myDatabase
exec process_Lab_Load
revert

I get error:
Msg 15406, Level 16, State 1, Procedure process_Lab_Load, Line 21
Cannot execute as the server principal because the principal "xp_cmdshell_user" does not exist, this type of principal cannot be impersonated, or you do not have permission.

Yes the MyDomain\TestUser has permissions to execute the sp.  xp_cmdshell_user is sysadmin and dbo on the database so it as well has permission.
0
 
chapmandewCommented:
see my comment after that one...I think it is the way to go.
0
 
Fraser_AdminAuthor Commented:
OK I was calling my sp from SSMS and doing the impersonate before the actual call, so now i moved the impersonate into the sp and i get this error:

Cannot grant, deny, or revoke permissions to sa, dbo, entity owner, information_schema, sys, or yourself.
0
 
chapmandewCommented:
you may not need to do the impersonation...did you use the sp_xp_cmdshell_proxy_account procedure?
0
 
Fraser_AdminAuthor Commented:
shouldn't need that for a sysadmin user.  i moved the impersonate to the sp and now it seems to work fine.  i forgot to take it out before my call and that was why i was getting that error.

now i get this one:

Ad hoc access to OLE DB provider 'MICROSOFT.JET.OLEDB.4.0' has been denied. You must access this provider through a linked server.

when i run this as me no problem, but as soon as i try to run as test user i get this message.
0
 
chapmandewCommented:
thats a whole different question all together...must be something else you're doing in your proc.
0
 
James MurrellProduct SpecialistCommented:
did you give permission on the proc?
0
 
Fraser_AdminAuthor Commented:
hang on i'll open a new question, as you said it is something different.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.