Post reply

xp_logininfo suddenly not enummerating groups

  • August 30, 2017 at 7:08 am

    #345898

    Hello.
    xp_logininfo is suddenly not listing members of groups that it previously had no issue with.
    The members of the group  can access  SQL Server with no issue.
    If we run
    When we run xp_logininfo 'DOMAIN\Group','members'
    We get
    Msg 15404, Level 16, State 4, Procedure xp_logininfo, Line 43
    Could not obtain information about Windows NT group/user 'DOMAIN\Group', error code 0x5.

    This occurs regardless of whether xp_logininfo is called from a job (with SA as the owner) or is run by a sysadmin
    Both the server service and agent service accounts are domain accounts.

    This seemed to start after a security policy was applied to the AD servers.
    The policy was rolled back but xp_logininfo still fails
    We've had the domain admins grant the service accounts "Read MemberOF" on the AD object.
    We've also had the domain admins compare with a Domain that is working but cannot see the difference

    What confuses me is why, for authentication, SQL has no issue with identifying members of the group group but when you issue the XP_ command it cannot list the members
    Has anyone any suggestions.?

  • September 2, 2017 at 11:34 am

    #1957928

    You are getting an Access Denied error for Active Directory so something is missing with the permissions. Have the domain admins added the service account to the Windows Authorization Access group?
    There is a bit more information on that in this Microsoft article:
    Some applications and APIs require access to authorization information on account objects

    Sue

Viewing 2 posts - 1 through 1 (of 1 total)

You must be logged in to reply to this topic. Login to reply