PRB: Error 1314 Raised By xp_cmdshell When Executed as Non-SA User (248391)



The information in this article applies to:

  • Microsoft SQL Server 6.5
  • Microsoft SQL Server 7.0

This article was previously published under Q248391

SYMPTOMS

You receive the following error when executing an operating system job through xp_cmdshell when logged into SQL Server as a non-sa account:
Msg 50001, Level 1, State 50001
xpsql.c: Error 1314 from LogonUser on line 476
Alternately, you may receive the following:
Msg 50001, Level 1, State 50001
xpsql.c: Error 1314 from CreateProcessAsUser on line 492

CAUSE

These errors are raised due to your errant rights set on the SQLAgentCmdExec Windows NT account that MSSQLServer is running on.

WORKAROUND

Make sure that the Windows NT account that the MSSQLServer service is running on is a domain account that is a member of the local administrators group on the server.

Make sure that the account that the MSSQLServer service is running on, as well as SQLServerAgent, have the following user rights permissions:
  • Act as part of the operating system.
  • Increase quotas.
  • replace process level token.
  • Log on as a batch job.
Also, make sure that the local SQLAgentCmdExec account has "Log on as a batch job" permissions.

NOTE: You must restart the entire server, not just the SQL Services, in order for any changes made to user rights permissions to take effect.

MORE INFORMATION

Xpsql.c is included in the sample code that ships with the product. The error on line 476 gets raised if the call to the Win32 API function: LogonUser() fails. The error on 492 gets raised if the call to CreateProcessAsUser() fails.

Error 1314 is ERROR_PRIVILEGE_NOT_HELD. This indicates that the account invoking these functions does not have sufficient user rights to complete the login. This leads many customers to reset the account privileges on the SQLAgentCmdExec account or recreate it through User Manager, or SQL Enterprise Manager.

However, what is raising these errors is the process which is invoking the API calls (Sqlservr.exe). Therefore, it is the account that the MSSQLServer service is running on that holds the incorrect and insufficient privileges. In order to successfully execute LogonUser(), the MSSQLServer account needs to have the SE_TCB_NAME (Act as part of the operating system) right enabled. In order to successfully execute CreateProcessAsUser(), the MSSQLServer account needs to have the SE_INCREASE_QUOTA_NAME (Increase quotas) rights enabled.

NOTE: For certain types of processes, CreateProcessAsUser() may also require SE_ASSIGNPRIMARYTOKEN_NAME (Replace a process level token) to be turned on.

Modification Type:MajorLast Reviewed:10/17/2003
Keywords:kbBug kbprb KB248391