FIX: Xp_cmdshell Run by Non-SA Causes Error 1326ID: Q159221
|
If a non-system administrator (SA) login runs the extended stored procedure
xp_cmdshell on a domain controller when the option "xp_cmdshell - Use
SQLExecutiveCmdExec Account for Non SAs" is enabled in SQL Enterprise
Manager or SQL Server Setup under Set Server Options, the following error
will occur:
xpsql.c: Error 1326 from LogonUser on line 359
To work around this problem, do one of the following:
Microsoft has confirmed this to be a problem in SQL Server
version 6.5. This problem has been corrected in U.S. Service Pack 5a
for Microsoft SQL Server version 6.5. For information about
downloading and installing the latest SQL Server Service Pack, see
http://support.microsoft.com/support/sql/.
For more information, contact your primary support provider.
Microsoft SQL Server 6.5 is not recommended for installation on a primary
domain controller (PDC) or a backup domain controller (BDC), because those
computers perform the resource-intensive tasks of maintaining and
replicating the domain's security accounts database and performing network
logon authentications.
If you enable security auditing for logon and logoff failures, you will see
event 529, indicating a logon failure, for the SQLExecutiveCmdExec account,
as in the following example:
Logon Failure:
Reason: Unknown user name or bad password
User Name: SQLExecutiveCmdExec
Domain: NTServerName
Logon Type: 4
Logon Process: Advapi
Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: NTServerName
Q159792 : FIX: Non-SA CmdExec Task Run on Domain Controller Causes Error
Additional query words: CmdExec Task SQLExecutive privilege
Keywords : kbusage SSrvAdmin SSrvGen kbbug6.50 kbfix6.50.SP5
Version : winnt:6.5
Platform : winnt
Issue type : kbbug Last Reviewed: April 21, 1999