Question: I have enabled SQL Server xp_cmdshell to initiate a copy command. The xp_cmdshell copy command will copy a file on the local server and copy to a network destination.
The xp_cmdshell command is initialted as a code block and managed through SQL Server agent.
I am executing the code and it is returning a Access is denied error . 0 file(s) copied.
I’ve run a few tests,
- Logged on as the owner of the SQL Server agent job and executed the job
- Extracted the copy command sequence and run it from the command line . In this test the copy worked OK
Soon as I reintroduce the code into the SQL Server context – I start getting the Access is denied error.
How can I fix the issue?
Answer: When executing xp_cmdshell and interacting with the filesystem , the security context used is the SQL Server Start Up account .
You’ll need to check the SQL Server service account has permissions on the source file and the destination path. To find the SQL Service Account read How to find the SQL Server Service Account (SQL Server DBA)
Even through you are executing the SQL Server Agent job – and you may logically think xp_cmdshell is utilising the SQL Server Agent job security – the xp_cmdshell , continues to interact with the SQL Server service account.