xp_cmdshell after a password change

  • I have a Windows login that is part of sysadmin, that is trying to run a stored procedure that includes xp_cmdshell. It ran fine until the user had to update their password. Now we get the following error:

    An error occurred during the execution of xp_cmdshell. A call to 'LogonUserW' failed with error code: '1326'.

    My understanding is this is because of the password change. My question is what's the best way to fix this. We change our passwords every 90 days, so we don't necessarily want to have to make manual changes each time.

    I'm not overly familiar with xp_cmdshell, so perhaps there is an easy way to do this.

    All help is appreciated!

    Thanks!

  • Quick thought, use EXECUTE AS

    😎

  • It's using Execute As "domain\user" currently, and that user is a sys admin

  • bmahony993 (2/10/2015)


    It's using Execute As "domain\user" currently, and that user is a sys admin

    Is "domain\user" password expired?

    😎

  • Yes. The password expired, and the user updated with a new one via Windows. Now we can't run xp_cmdShell and get the error above.

  • I ran into this myself--same error message and similar circumstances. Here was what worked for us.

    Issue: Users were reporting failed job runs in a legacy app that allows users to fire ad-hoc reporting jobs (Although, it's notable that it doesn't actually use Jobs, but manually fired SPs with no failure notifications for reasons I'm unsure of, scared to find out, and will probably have to fix in the future).

    This was in the days following resetting the AD password and then updating the SQL Server and SQL Agent password on all affected servers. Google kept sending me here, so I wanted to share my solution.

    On just two of our servers, a proxy account is set up for xp_cmdshell in the Credentials on SQL Server called ##xp_cmdshell_proxy_account##.

    As such, the old credentials were still living there and being sent in the call to LogonUserW to start a new local session and failing.

    Using sp_xp_cmdshell_proxy_account 'DOMAIN\Account', 'NEWPASSWORD' I was able to get things working as expected again.

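Added example (not part of the thread or any poster's code): a T-SQL check for the stale `##xp_cmdshell_proxy_account##` credential described in the last reply, followed by the update and a verification. `DOMAIN\Account`, `DOMAIN\ReportUser`, the password and the password-change date are placeholders, and the example assumes the test login has been granted EXECUTE on xp_cmdshell.

```sql
-- Added example. All account names, the password and the date are placeholders.

-- 1. Confirm xp_cmdshell is enabled on this instance.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Look for the proxy credential: which Windows account it holds
--    and when its stored secret was last written.
SELECT name, credential_identity, create_date, modify_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- 3. Treat the credential as stale if it was last modified before the
--    account's most recent password change (date supplied by hand here).
DECLARE @password_changed datetime = '2015-02-10T00:00:00';  -- placeholder

IF EXISTS (SELECT 1
           FROM sys.credentials
           WHERE name = N'##xp_cmdshell_proxy_account##'
             AND modify_date < @password_changed)
BEGIN
    PRINT 'Proxy credential predates the password change and is likely stale.';

    -- 4. Store the new password in the credential (requires CONTROL SERVER).
    EXEC sp_xp_cmdshell_proxy_account N'DOMAIN\Account', N'<new password>';
END;

-- 5. Verify as a non-sysadmin caller, since that is the path that logs on
--    with the proxy credential. whoami should report DOMAIN\Account.
EXECUTE AS LOGIN = N'DOMAIN\ReportUser';  -- hypothetical non-sysadmin login
EXEC master..xp_cmdshell N'whoami';
REVERT;
```

The `modify_date` comparison is the repeatable part: running steps 2 and 3 after each password rotation shows whether the stored credential was missed.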
