When using the Proxy Account both CmdExec and xp_cmdshell call the Win32 API
LogonUser
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/logonuser.asp
As dwLogonType it uses LOGON32_LOGON_BATCH
As dwLogonProvider it uses LOGON32_PROVIDER_DEFAULT
After which they call the Win32 API CreateProcessAsUser
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocessasuser.asp
However CreateProcessAsUser does not load the specified user's profile into
the HKEY_USERS registry key. Therefore, to access the information in the
HKEY_CURRENT_USER registry key and if the lpEnvironment parameter is NULL,
the new process inherits the environment of the calling process.
CreateProcessAsUser does not automatically modify the environment block to
include environment variables specific to the user represented by hToken.
For example, the USERNAME and USERDOMAIN variables are inherited from the
calling process if lpEnvironment is NULL. It is your responsibility to
prepare the environment block for the new process and specify it in
lpEnvironment.
So what you get is the environment of the service account.
GertD@SQLDev.Net
Copyright © SQLDev.Net 1991-2005 All rights reserved.
"Hans de Bruin" <invalid@invalid> wrote in message
news:1120486047.358052@aquila.amc.uva.nl...
> Hans de Bruin wrote:
>> Unfortunately several of my sql users need to run cmdexec jobs
>> (dts-packages). To keep them from totally destroying my server I
>> configured a proxy account with not too many rights on the file system.
>> For each virtual server I created a separate temp dir for the proxy user.
>>
>> When a cmdexec job is run the %temp% %tmp% point to the tempdir which
>> belongs to the cluster service account. Now I noticed an Environment
>> REG_MULTI_SZ key for the sql and sqlagent services (\hkey local
>> machine\...\/services\mssql$instance). This key contains a full set of
>> environment vars, but is not well documented (no hits on google).
>>
>> Is this a standard reg key for services, or something special for sql
>> and sqlagent or something special for a clustered sql and sqlagent
>> service? I want to tamper with the %temp% and %tmp%.
>>
>
> This is something special for clustering. Just before the sqlserver or
> sqlserver agent service starts ResrcMon writes the environment to this
> key. Any manually made changes are overwritten.
>
> When DTSRun can't write to the \documents and
> setting\clusterserviceaccount\local\temp it tries to write in
> c:\windows\temp.
>
> --
> Hans
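
The behaviour described in the reply above, as an added example that is not part of the original thread: a Python sketch of preparing the environment block that would be passed in lpEnvironment (with CREATE_UNICODE_ENVIRONMENT) instead of NULL, and of checking which per-user variables would otherwise be inherited from the service. It only builds and inspects the block and does not call the Win32 APIs; the account names, paths and helper names are constructed for illustration.

```python
# Added example, not from the thread. Account names and paths are constructed.
# Per-user variables that a NULL lpEnvironment copies from the calling service.
PER_USER = ("USERNAME", "USERDOMAIN", "USERPROFILE", "TEMP", "TMP")

def prepare_env(parent_env, user, domain, profile_dir, temp_dir):
    """Copy the service environment, then set the per-user variables for the proxy user."""
    env = {name.upper(): value for name, value in parent_env.items()}
    env.update(USERNAME=user, USERDOMAIN=domain, USERPROFILE=profile_dir,
               TEMP=temp_dir, TMP=temp_dir)
    return env

def to_env_block(env):
    """Serialize as a Unicode environment block: sorted NAME=value strings,
    each NUL-terminated, with one extra NUL closing the block."""
    for name, value in env.items():
        if not name or "=" in name or "\0" in name or "\0" in value:
            raise ValueError(f"invalid environment entry: {name!r}")
    items = sorted(env.items(), key=lambda kv: kv[0].upper())
    text = "".join(f"{n}={v}\0" for n, v in items) or "\0"
    return (text + "\0").encode("utf-16-le")

def parse_env_block(block):
    """Inverse of to_env_block; rejects a block without the closing double NUL."""
    text = block.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("environment block is not double-NUL terminated")
    entries = [e for e in text[:-2].split("\0") if e]
    return dict(e.split("=", 1) for e in entries)

def inherited_per_user(parent_env, child_env):
    """Per-user variables whose value in the child is still the service account's."""
    return sorted(n for n in PER_USER
                  if n in parent_env and child_env.get(n) == parent_env[n])

SERVICE_ENV = {  # constructed: environment of the service account
    "SYSTEMROOT": r"C:\WINDOWS",
    "USERNAME": "svc_cluster", "USERDOMAIN": "CORP",
    "USERPROFILE": r"C:\Documents and Settings\svc_cluster",
    "TEMP": r"C:\Documents and Settings\svc_cluster\Local Settings\Temp",
    "TMP": r"C:\Documents and Settings\svc_cluster\Local Settings\Temp",
}
PROXY_ENV = prepare_env(SERVICE_ENV, "sqlproxy", "SQLNODE1",
                        r"C:\Documents and Settings\sqlproxy", r"D:\ProxyTemp\VS1")

if __name__ == "__main__":
    print("NULL lpEnvironment keeps:", inherited_per_user(SERVICE_ENV, SERVICE_ENV))
    print("prepared block keeps:   ", inherited_per_user(SERVICE_ENV, PROXY_ENV))
    print(len(to_env_block(PROXY_ENV)), "bytes in the prepared block")
```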