On Windows server 2016 I made an incautious action. Using my account which belong to a builtin Administrator group I set security descriptor for SCManager:
sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;CCLCRPRC;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
After reading documentation I have figured out that default permission value for builtin administrators is (A;;KA;;;BA). That means who are in group Administrators can set security descriptor.
With (A;;CCLCRPRC;;;BA) I was restricted to set security descriptors for SCManager.
How can I return back the rights?
To solve the issue delete the registry branch:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\Security
then reboot the server.
Related
I wanna log every action operated on the database so I have followed the instructions here to configure my.ini and enabled the audit logging of MySQL Server 5.7
Audit logging function normally but it will be changed to unknown ownership after a random time.
It showed "You do not have permission to open this file. See the owner of the file or an administrator to obtain permission." as below. (I am using the admin account of this PC)
Also, it said "You do not have permission to view or edit the object's permission settings" in the file properties as below.
Before this issue occurred I have tried to
change the UAC setting of my PC to the Lowest options. UAC setting
update the [file properties > security > advanced]'s Owner and permission entries to my admin account file properties
But no luck.
however, when I restarted the MySQL service, it recovered the file permission but all the log records were deleted.
Here is my.ini config:
# Audit Logging settings
server_audit_logging="ON"
server_audit_incl_users=admin,root
server_audit_events="QUERY,TABLE"
server_audit_file_path="D:\BDC\logs"
server_audit_file_rotate_now=ON
server_audit_query_log_limit =5120
server_audit_file_rotate_size=1000000000
server_audit_file_rotations=5
Perhaps this issue is occurred by The MySQL services is log on as Network Service?
Is there any configuration that I can set to fix the permission of output audit logging file to the local admin account?
Please help.
Everything works when I keep the server_audit_file_path as a default value.
We are creating SSIS packages for our data feeds. Our connection manager has our individual usernames and passwords. Is there a way we can create environmental variables?
Also when we deploy our packages to dev or test or prod environments, do we need service accounts?
Yes, you can protect credentials.
Create Parameter variable and then select sensitive. This will block out the credential with astericks '*'
Set both the project and package Protection Level as either EncryptSensitiveWithPassord, or EncryptSensitiveWithUserKey. Note: failure to set both will result in a compiler failure that says the consistency check of the Protection Level failed - this is required.
Deploy the package to the server. Note: if the package is encrypted then anyone else who tries to open the package will be unable to do so. This is an important point for deployment purposes. It's not a big deal if you are handing off the *.ispac file, but if your company deploys via the DBA opening the solution and deploying from there then they will be unable to do so. I think you can do this if you EncryptWithPassword and then share the password, but EncryptWithUserKey will not work.
Set the Environment variable value on the server and then mark it as sensitive as well.
I don't recommend storing user credentials in protected parameters, but SSIS has been designed with this in mind if necessary. I much prefer doing everything through Windows Authentication and I highly recommend you to do the same if that is available to you.
Regarding service accounts. Yes, you can use those. In fact, it is highly recommended that all production deployments use service accounts where the concept of least privilege is implemented. So, the service account should only be granted the bare minimum level of privileges necessary. Said differently: DO NOT GRANT THE SERVICE ACCOUNT ADMINISTRATOR PRIVILEGES. This means specifying each individual privilege on each object. For example, SELECT only on dimension tables and SELECT/INSERT/UPDATE/DELETE on fact tables.
The best way for determining what privileges to grant is to go through the package and identify all tables that are touched as well as the command that is used when touching them. So, you will need to look at the following: Execute SQL task, OLE DB Source, OLE DB Destination, OLE DB Command, Lookup, etc.
I have psftp.exe installed on my server, and am using it to obtain files via sftp to be ingested into my sql server. I am using psftp.exe from the putty site to obtain it:
GET ZIP FILES:Error: In Executing "C:\Program Files\PuTTY\psftp.exe"
"XXXXXX#sftp1.XXXX.com -pw XXXXX -be -batch -b "D:\Code\XXXXX\XXXXXX.bat"" at
"D:\Data\ZIPFOLDER", The process exit code was "1" while the expected was "0".
The this works while in SSDT with no problems...however, when called by SQLSERVERAGENT on SQL SERVER, it fails.
to attempt to repair the issue, I have given NT SERVER\SQLSERVERAGENT full permissions on C:\Program Files\Putty\ and my Data drive D: where all of my code and data storage rests.
My problem is that while I think exit code 1 means a SFTP error (is it?) how do I troubleshoot?
Thanks.
UPDATE #1
as per instructions given by sandeep rawat, I added a windows user with administrative privileges and full control over the code and data sections of the server.
In addition, I created credentials associated with this use, and assigned a proxy user to those credentials.
Lastly, I reset the runas section in SQL SERVER AGENT's primary job to that proxy user.
Plus the setting in Internet Options.
I am still getting the same response.
THanks.
This type of issue generally happens when sql AGENT try to launch the DOS window which is the reason for the package to hang. and fails.
1 Change Window style property to hidden in process tab
2 Give the cmdExec permission to your SQL Agent account.
https://www.mssqltips.com/sqlservertip/2163/running-a-ssis-package-from-sql-server-agent-using-a-proxy-account/
3 Add the local drive to your trusted Intranet Sites by opening Internet Explorer and go to Internet Options > Security > Click Local Intranet > Sites and add your drive location as shown below
Problem Description:
I am going to install MySQL server 5.7.11 (win32) into Windows server 2012. There are several network interface cards being installed in the server, and I am going to install several MySQL instances that bind to specific IP addresses. In short, I am going to install multiple MySQL instances that bind to different IP addresses in same machine.
I am managed to install the first MySQL instance and able to start the service successfully. But when using MySQL Workbench 6.3.6 CE (win32) to connect to the instance, I am getting the following error messages.
RuntimeError: Could not initialize WMI interface:
Workbench.wmiOpenSession(): Could not connect to target machine.
Installer:
mysql-5.7.11-win32.zip (no install)
mysql-workbench-community-6.3.6-win32-noinstall.zip
my.ini configuration:
# For advice on how to change settings please see
# http://dev.mysql.com/doc/refman/5.7/en/server-configuration-defaults.html
# *** DO NOT EDIT THIS FILE. It's a template which will be copied to the
# *** default location during install, and will be replaced if you
# *** upgrade to a newer version of MySQL.
[mysqld]
# Remove leading # and set to the amount of RAM for the most important data
# cache in MySQL. Start at 70% of total RAM for dedicated server, else 10%.
innodb_buffer_pool_size = 128M
# Remove leading # to turn on a very important data integrity option: logging
# changes to the binary log between backups.
# log_bin
# These are commonly set, remove the # and set as required.
basedir=D:/apps/mysql-5.7.11
datadir=D:/apps/nrcc/data
port=3306
bind-address=10.82.95.2
# Remove leading # to set options mainly useful for reporting servers.
# The server defaults are faster for transactions and fast SELECTs.
# Adjust sizes as needed, experiment to find the optimal values.
# join_buffer_size = 128M
# sort_buffer_size = 2M
# read_rnd_buffer_size = 2M
sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES
MySQL Workbench configuration:
Please see the image below for the configurations. When Workbench is opened and click on the Server Status or Options File, it will prompt to enter a username and password. But then followed by the error messages.
Workbench configurations and error messages
I thought it was because my user do not have WMI permission, so I followed this link Creating a user with Windows Management Instrumentation (WMI) permissions to configure the user, but it still not working. Note that the user is in the local administrators group.
Any help would be much appreciated, thanks!
I managed to remotely connect to my MySQL server from MySQL Workbench running on another server (my application server), although the problem still exist if I do it on the same server.
I have tested that by granting WMI permission to the user in MySQL server, the connection works as intended. The following list shows what I have done:
In MySQL server, add on following groups to the user.
Distributed COM Users
Performance Log Users
Remote Desktop Users
Configure the WMI namespace security assignments
a. Go to Windows Start > Run....
b. Enter wmimgmt.msc and click OK.
c. Right-click WMI Control (Local) and select Properties.
d. Click the Security tab.
e. Click Security.
f. Click Add.
g. Click Advanced.
h. Click Find Now.
i. Select the new user account, and click OK until you return to the Security for Root window.
j. Click Advanced and select the newly added user account.
k. Click Edit.
l. From the Apply to: menu selection, select This namespace and subnamespaces.
m. In Execute Methods, verify that Enable Account, Remote Enable, and Read Security are selected.
n. Click OK until you return to the wmimgmt window.
o. Select File > Exit to exit the wmimgmt window.
I ran into this same problem and it seems Workbench has a small bug. For local WMI management the only way I could get it to work was with 127.0.0.1 But not if I used a DNS/NetBios name or local network address.
I checked with powershell Get-WmiObject and it will return information with any ComputerName locally i.e. 127.0.0.1,192.168.1.126,mycomputername,mycomputername.domain.com.... So I am guessing it has to do with the WorkBench query to wmi not being correct in some manner?
PS:
Get-WmiObject -Query "select * from win32_service where name='MySql8'" -ComputerName 127.0.0.1,192.168.1.126,....(etc)( to check that wmi is working locally )
So in this scenario I just used the loop-back locally to manage the instance with native windows wmi.
Hopefully this saves someone the 2+ hours I just wasted on this exact problem !
This WMI error has nothing to do with MySQL. MySQL Workbench uses Windows Management Instrumentation (WMI) to manage servers locally or remotely in a Windows based environment. WMI is available on all Windows versions and enabled on all customer Windows, but might require extra configuration on server OSes.
So, your best bet is to search how to enable + configure WMI on Windows 2012.
I am working on an application which bulk-loads data into a SQL Server 2008 database. It writes a CSV file to a network share then calls a stored procedure which contains a BULK INSERT command.
I'm migrating the application to what amounts to a completely new network. In this new world bulk insertion fails with this error:
Msg 4861, Level 16, State 1, Line 1
Cannot bulk load because the file "\\myserver\share\subfolder\filename" could not be opened. Operating system error code 5(failed to retrieve text for this error. Reason: 15105).
I connect to the database using Windows Authentication, using the same account which wrote the file. The file, and the folder in which it resides, grant read and modify rights both to my user account and the database server's domain service account. That service account apparently has constrained delegation permitted, which is mentioned on MSDN. Still no good. If I connect using a SQL Server account then bulk insertion succeeds, but we are trying to stick exclusively to Windows Authentication.
Does anybody have a handle on what needs to be done to make this work? How exactly does SQL Server go about accessing data on network shares, hopping between its service account and that of the connected user? I know that I can bulk insert in a similar situation in our current infrastructure, but it is so crufty with age that it would be hard to track down what has been done to enable this in the past.
Recently we had this issue for a number of our Devs. I've come up with a number of ways to allow testing of bulk inserts.
Our preference was to use a SQL service account. We set the SQL server and SQL agent to run as a service account and then allowed the devs to trigger agent jobs. The service account was granted permission to the UNC shares and this all functioned correctly. Note that the service account will always been fine running these agent jobs (assuming UNC permissions are set). It's the Devs trying to test that will come across these issues.
Another method is to create a share on the SQL server itself and point the bulk insert path at the local directory. These errors seem to only occur when accessing UNC paths. Regardless of whether the UNC path has the correct permissions to allow you access. For example we create C:\test\ as a folder on the SQL server itself and permission it to allow a dev to drop test files there. These are then called via the bulk insert command.
A command may need to be run against master to allow a SQL login group permission to bulk insert. This is as below.
GRANT ADMINISTER BULK OPERATIONS TO "domain\usergroup"
Adam Saxton's blog (about Kerberos and bulk inserts from a share) should be read: http://blogs.msdn.com/b/psssql/archive/2012/09/07/bulk-insert-and-kerberos.aspx. Adam offers two approaches:
Enable constrained delegation for the machine (as opposed to the sqlservr.exe startup) account, or use a SQL Server login. Adam mentions two other approaches (which he does not recommend).
An aside, the latter half of the OP's message "(failed to retrieve text for this error. Reason: 15105)" may be related to a SQL Server startup account lacking rights documented within SQL Server's "Configure Windows Service Accounts and Permissions" topic, such as SeAssignPrimaryTokenPrivilege.
Did you ever resolve this issue? I recently had a similar problem and discovered that the best way to resolve it was to use a SQL login.
Initially, having read the notes here I thought if I just granted read permissions to the Windows account with which I was connecting to the SQL Server that would be okay, but even when I granted read access to Everyone, I still couldn't read in the file.
I believe the reason is something to do with SQL Server impersonating the windows user and attempting to access the UNC share, which is delegation and which is not allowed unless explicitly enabled. There are some notes here which may help. This is the constrained delegation of which you speak and I couldn't get it to work either!
Bottom Line: I just used a SQL Login and made sure the SQL Server Process account had read permissions on the share (by granting read to Everyone in my case) and it worked.
In order to bulk insert with AD users, the SQL service it self has to be running as a domain user and has to have the AD permission to be able to delegate authentication. Same if you wanted to run linked servers with ad users. Here is the link for AD and linked servers, but the permission are the same.
Linked Servers and Active Directory
The server must have an SPN registered by the domain administrator.
The account under which SQL Server is running must be trusted for delegation.
The server must be using TCP/IP or named pipes network connectivity.