How to run a SQL Agent job step as another account?

Published On: 2020-04-20By:

Microsoft SQL Server Agent includes a really cool, often unused feature. That is the ability to run SQL Server Agent job steps as another user besides the user account that the SQL Agent runs under. This is done through the authentication mechanism in Microsoft SQL Server called credentials.

Credentials are similar to but different from Logins in SQL Server. Credentials store the username and password just like logins do. But in this case, the credentials are storing a username and password for an outside system, in this typically an Active Directory username and password. The other big difference is that when a password is stored for a login, only the hash is stored. With a credential however SQL Server needs a way to get the password that is being stored, so the password is encrypted instead of being hashed.

The reason that SQL Server needs to be able to retrieve the password, is that when a credential is used, the password isn’t supplied, only the name of the credential is. The SQL Server retrieves the username and password for the credential specified, then uses the username and password.

Credentials are created through management studio under the security section of object explorer, or by using the CREATE CREDENTIAL command in T-SQL. Once the credential is created, users can be given the right to use the credential. This will allow users that don’t have sysadmin rights to the database instance to use the credential. If everyone that sets up SQL Agent Jobs had sysadmin rights, then permissions on credentials don’t need to be adjusted as members of the sysadmin fixed server role can use any credential. You will need to edit the credential and specify while type of job step can be used the credential.

When you create a SQL Server Agent Job of any type other than T-SQL you’ll have an extra drop-down box that will allow you to select the credential that you want to use. Select the credential from the drop-down, and the next time the job runs, the job step will be run as the account specified in the credential.

If using a T-SQL job step, there is no credential option when creating the job step. This is because T-SQL job steps can’t use credentials. Instead for job steps of this type use the EXECUTE AS syntax that is already available to you within the T-SQL Syntax.

Denny

Contact the Author | Contact DCAC

Video

Globally Recognized Expertise

As Microsoft MVP’s and Partners as well as VMware experts, we are summoned by companies all over the world to fine-tune and problem-solve the most difficult architecture, infrastructure and network challenges.

And sometimes we’re asked to share what we did, at events like Microsoft’s PASS Summit 2015.

Awards & Certifications

Microsoft Partner   Denny Cherry & Associates Consulting LLC BBB Business Review    Microsoft MVP    Microsoft Certified Master VMWare vExpert
INC 5000 Award for 2020    American Business Awards People's Choice    American Business Awards Gold Award    American Business Awards Silver Award    FT Americas’ Fastest Growing Companies 2020   
Best Full-Service Cloud Technology Consulting Company       Insights Sccess Award    Technology Headlines Award    Golden Bridge Gold Award    CIO Review Top 20 Azure Solutions Providers
Share via
Copy link