Microsoft KB Archive/253107

From BetaArchive Wiki
Knowledge Base

BUG: SQL Server Properties, Security Tab Missing the "Nonadministrators use SQLAgentCmdExec account when executing commands via xp_cmdshell" Option

Article ID: 253107

Article Last Modified on 10/16/2002


  • Microsoft SQL Server 7.0 Standard Edition

This article was previously published under Q253107

BUG #: 57357 (SQLBUG_70)


The SQL Server properties, Security tab is missing the "Nonadministrators use SQLAgentCmdExec account when executing commands via xp_cmdshell" option. The Help tab states that this option should be available, but it is not. If you want Nonadministrators to use the xp_cmdshell option, refer to the "Workaround" section.


Check the SQL Server 7.0 Books Online (BOL) topic, "Creating SQL Server Services User Accounts". BOL states that in order to run xp_cmdshell for a user other than a SQL Server administrator, the MSSQLServer service account should have "Act as part of operating system" and "replace process level token" permissions.

Following is an example of setting up nonadministrators to use xp_cmdshell:

  1. Give login database access to the master database.
  2. Give login permission to access xp_cmdshell:
    1. Highlight the extended stored procedure and locate xp_cmdshell.
    2. Double-click xp_cmdshell.
    3. Select Permissions and grant permission to login.
  3. Make sure that the MSSQLServer account is running with the following user rights permissions:
    • Act as part of the operating system.
    • Increase quotas.
    • Replace a process level token.

  4. Make sure that the SQLServerAgent account is running with the user rights permission:
    • Log on as a batch job.

NOTE: You must stop and start the server for the user rights permissions to take effect.


Microsoft has confirmed this to be a problem in SQL Server 7.0.

Keywords: kbbug kbpending KB253107