asked
Running xp_cmdshell as Administrator
Does anyone know if it is possible to invoke xp_cmdshell as Administrator? I am working on trying to start the SQLSERVERAGENT service from TSQL but it fails with 'access denied' - from TSQL and from cmd. The only way I can get it to succeed is to run cmd as Administrator and then `SC START SQLSERVERAGENT` works. I dont want to alter UAC to get around this problem.
Not near a SQL instance to test, but I'm thinking you'd use sp_xp_cmdshell_proxy_account to set-up a proxy account with admin permissions, however this only comes into force when you try and run xp_cmdshell as a non-sysadmin, so you'd then have to execute as a lower permission login, which in turn would use the proxy. The danger here is that all non-sysadmin logins would have the same access whilst this was in place, so you'd have to tidy up once the command was run. Seems messy :/
Running the xp_cmdshell as a SQL Server Admin is not my issue, the actual `SC START SQLSERVERAGENT` command has to run in a cmd.exe as Windows Administrator. RUNAS doesn't accept a password in a pipeline or as a parameter.
Seems UAC is going to be the sticking point and if it isn't taking the RUNAS command I don't see how it will work otherwise. Is CMD.EXE a must, can you not invoke PoSH to start the service?
Wont PoSh have the same restrictions on security? ie if the service account for MSSQLSERVER isnt an administrator then the PoSh would fail to. No?
Forgot to add, willing to try PoSh/WMI/Incantations/Sacrifices to get this working ...
Use an agent job to run the PoSh step as another user HAHAHA! Sorry not helping!
15 People are following this question.
