Execute xp_cmdshell command as specific user

Problem description

I would like to run xp_cmdshell (TSQL procedure) in order to mount a network drive and then access remote mdb files.

I am administrator on the MS SQL server and I have allowed xp_cmdshell execution accordingly.

However, there is still a problem:

  • When I call xp_cmdshell, the user executing the command is the SQL SysAdmin, i.e. the account that runs the SQL Server process.

I wish xp_cmdshell would execute as the account with which I'm connected to SQL Server, i.e. Administrator.

Both of these accounts are in the administrator group and the SQLAdmin group, and are granted CONTROL SERVER. Both users belong to the same domain. All of this is run on the same machine.

Because of this conflict, I cannot use a network drive because it is mounted for SysAdmin and not for Administrator.

I tried to use sp_xp_cmdshell_proxy_account to specify the account with which I want to run xp_cmdshell, but SysAdmin is still the account used.

So, this code:
select user_name(), suser_name();
exec xp_cmdshell 'echo %username%';

displays:
Administrator Administrator
SysAdmin

Does anybody know how to impersonate well the xp_cmdshell command? Is there something to (re)configure?

Thanks for your help.

Recommended answer

Because you're connecting to SQL as a login in the sysadmin group, xp_cmdshell runs as the service account.

If you connect as a low-privilege login, then it will use the xp_cmdshell_proxy_account instead. So try doing EXECUTE AS LOGIN='lowprivaccount' first, to see if that helps.

Of course, what you're actually asking is not the expected use. Expected use is that the high-privilege accounts can allow xp_cmdshell to use the Service Account, whereas everyone else has to put up with the lower privilege proxy account.
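
The behaviour described in the answer can be checked end to end with the script below. It is an added example, not part of the original question or answer; the Windows account CONTOSO\cmdshell_proxy and both passwords are placeholders, and lowprivaccount is the hypothetical login named in the answer.

```sql
-- Added example: account names and passwords are placeholders (assumptions).
USE master;
GO

-- 1. Register the Windows account that non-sysadmin callers will run as.
--    This creates the server credential ##xp_cmdshell_proxy_account##.
EXEC sp_xp_cmdshell_proxy_account N'CONTOSO\cmdshell_proxy', N'<proxy-password-placeholder>';
GO

-- 2. Create a login that is NOT a member of sysadmin, map it to a user
--    in master, and grant it only EXECUTE on xp_cmdshell.
CREATE LOGIN lowprivaccount WITH PASSWORD = N'<login-password-placeholder>';
CREATE USER lowprivaccount FOR LOGIN lowprivaccount;
GRANT EXECUTE ON xp_cmdshell TO lowprivaccount;
GO

-- 3. Baseline as a sysadmin: the OS command runs as the SQL Server
--    service account, whatever the proxy credential is set to.
SELECT SUSER_NAME() AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- expect 1
EXEC xp_cmdshell 'whoami';

-- 4. Switch to the low-privilege login: xp_cmdshell now runs the
--    command under the proxy credential instead.
EXECUTE AS LOGIN = 'lowprivaccount';
SELECT SUSER_NAME() AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- expect 0
EXEC xp_cmdshell 'whoami';
REVERT;   -- always return to the original security context
GO

-- 5. Confirm which Windows identity the proxy credential maps to.
SELECT name, credential_identity
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';
```

If step 4 still reports the service account, check whether the impersonated login is a sysadmin member through a Windows group, since any sysadmin context bypasses the proxy.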
