Minimum Permissions to run Command Windows
I am setting up a SQL Server Job that is running an SSIS package. This packag calls cmd.exe /c .... to do a unc mapping and pull some data. My job works if the account is an administrator of the server. However I want to do minimum security.
It fails as a standard user as it is unable to open the command window to issue the unc map. So my question is what are the minimum permissions to open a command window for a SQL job/scheduled task/etc.
February 28th, 2011 2:24pm
does that standard user have ntfs rights to access the cmd.exe in %windir%\system32 ?
Free Windows Admin Tool Kit Click here and download it now
February 28th, 2011 4:24pm
in gerneral the user account used in the schedule task needs.
the logon as batch right
Permissions to the cmd.exe
permissions to any other file/folders/executables called by your task on the local server
permissions to the share and files/folders/exectable called by your task on the share
February 28th, 2011 5:05pm
I thought so to. But it might be an interactive log on issue since the account is not really logged onto the server. I took a look at this link
http://support.microsoft.com/kb/867466 which helped but now I received other errors. So still not sure what permissions are needed as it works when Admin.
Free Windows Admin Tool Kit Click here and download it now
February 28th, 2011 5:11pm
I sucessfully tested running a schedule task using only local User Permissions, on Windows XP. Logon as batch permission was not needed, it all came down to permissions on the individual files and folders, and the CMD.exe. If the user had access
it worked if the user did not have access it failed. As simple as that.
Scheduled Task command line: C:\Test\test.bat > out.txt
Scheduled Task working dir: c:\test
Test.bat
@echo off
Echo %date% %time%
echo hello
echo more
echo.
Type c:\boot.ini
copy C:\boot.ini c:\test
copy C:\test.txt c:\test
Checked out.txt after every run.
Boot.ini is not accessible by normal users...so it failes. Test.txt will copy once your test user has access to the file, and the target folder.
I enabled auditing of the NTFS files and folders to verify what access was being requested so i could grant it appropriately.
If you are doing more advance stuff with your script you may need more permissions, use auditing to troubleshoot permissions to determine what is denied so you know what to grant.
February 28th, 2011 10:26pm