BUG: Non-SA CmdExec Task Run on Domain Controller Causes Error

Last reviewed: July 16, 1997
Article ID: Q159792
The information in this article applies to:
  • Microsoft SQL Server, version 6.5
BUG #: 17065 (6.5)

SYMPTOMS

If a non-system administrator (SA) login creates and runs a CmdExec task on a domain controller, the following error will occur in both the task history and the Application log of Windows NT's Event Viewer:

   A problem occurred while attempting to logon as the Windows NT user
   'SQLExecutiveCmdExec': Logon failure: unknown user name or bad password.

WORKAROUND

To work around this problem, do one of the following:

  • Rename the machine name of the domain controller to match the domain name. Note that this solution will only work for one SQL Server on a domain.
  • Reinstall Windows NT Server as a server in the domain, instead of as a domain controller.
  • Run a Transact-SQL task that runs xp_cmdshell after installing the fix described in the STATUS section of the following article in the Microsoft Knowledge Base:

       ARTICLE-ID: Q159221
       TITLE     : BUG: Xp_cmdshell Run by Non-SA Causes Error 1326

STATUS

Microsoft has confirmed this to be a problem in Microsoft SQL Server version 6.5. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.

MORE INFORMATION

Microsoft SQL Server version 6.5 is not recommended for installation on a primary domain controller (PDC) or a backup domain controller (BDC), because these computers perform the resource-intensive tasks of maintaining and replicating the domain's security accounts database and performing network login authentications.

If you enable security auditing for logon or logoff failures, you will see event 529, indicating a logon failure, for the SQLExecutiveCmdExec account, as in the following example:

   Logon Failure:
   Reason: Unknown user name or bad password
   User Name: SQLExecutiveCmdExec
   Domain: NTServerName
   Logon Type: 4
   Logon Process: Advapi
   Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
   Workstation Name: NTServerName
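
Triage logic for the audit record described above, as an added example that is not part of the original article: it parses event 529 descriptions exported as text and separates records with the field combination in the article's sample (SQLExecutiveCmdExec, Logon Type 4, Domain equal to Workstation Name) from other logon failures that still need review. The export layout (records separated by blank lines), the function names and the sample records are assumptions constructed for illustration.

```python
import re

CMDEXEC_ACCOUNT = "SQLExecutiveCmdExec"  # account named in the article
BATCH_LOGON_TYPE = "4"                   # Logon Type in the article's sample
# Constructed sample: three event 529 descriptions, trimmed to the fields checked.
SAMPLE_EXPORT = """\
Logon Failure:
User Name: SQLExecutiveCmdExec
Domain: NTServerName
Logon Type: 4
Workstation Name: NTServerName

Logon Failure:
User Name: SQLExecutiveCmdExec
Domain: NTServerName
Logon Type: 3
Workstation Name: OTHERHOST

Logon Failure:
User Name: jsmith
Domain: EXAMPLEDOM
Logon Type: 2
Workstation Name: NTServerName
"""

def parse_records(text):
    """Split an export into records and map each 'Key: value' line to a dict."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():  # skips the bare 'Logon Failure:' header
                fields[key.strip().lower()] = value.strip()
        if fields:
            records.append(fields)
    return records

def matches_article_signature(rec):
    """True when a record has the field combination shown in the article."""
    domain = rec.get("domain", "").lower()
    return (rec.get("user name", "").lower() == CMDEXEC_ACCOUNT.lower()
            and rec.get("logon type") == BATCH_LOGON_TYPE
            and domain != "" and domain == rec.get("workstation name", "").lower())

def triage(text):
    """Return (matching, needs_review) lists of parsed records."""
    records = parse_records(text)
    return ([r for r in records if matches_article_signature(r)],
            [r for r in records if not matches_article_signature(r)])
```

Failures that name SQLExecutiveCmdExec but do not fit the combination, such as the second constructed record, land in the review list rather than being written off as this bug.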

Additionally, a similar error occurs when xp_cmdshell is run by non-system administrator (SA) logins. For more information, see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q159221
   TITLE     : BUG: Xp_cmdshell Run by Non-SA Causes Error 1326


Additional query words: 1326 privilege tsql t-sql trans-sql
Keywords : kbbug6.50 kbother SSrvAdmin SSrvEntMan kbbug6.50.00
Version : 6.5
Platform : WINDOWS
Issue type : kbbug
Resolution Type : kbworkaround


© 1998 Microsoft Corporation. All rights reserved.