PRB: Error 1314 Raised By xp_cmdshell When Executed as Non-SA User

ID: Q248391

The information in this article applies to:
  • Microsoft SQL Server versions 6.5, 7.0

SYMPTOMS

You receive the following error when executing an operating system job through xp_cmdshell when logged into SQL Server as a non-sa account:

Msg 50001, Level 1, State 50001
xpsql.c: Error 1314 from LogonUser on line 476
Alternately, you may receive the following:
Msg 50001, Level 1, State 50001
xpsql.c: Error 1314 from CreateProcessAsUser on line 492


CAUSE

The errors listed in the "Symptoms" section are raised due to your errant rights set on the SQLAgentCmdExec Windows NT account that MSSQLServer is running on.


WORKAROUND

Make sure that the Windows NT account that the MSSQLServer service is running on is a member of the local administrators group on the server.

Check that the account that the MSSQLServer service is running on has the following user rights enabled: 


   'Act as part of the operating system'
   'Increase quotas'
Also, make sure that the local SQLAgentCmdExec account has the following rights turned on: 

   'Log on as a batch job'


MORE INFORMATION

Xpsql.c is included in the sample code that ships with the product. The error on line 476 gets raised if the call to the Win32 API function: LogonUser() fails. The error on 492 gets raised if the call to CreateProcessAsUser() fails.

Error 1314 is ERROR_PRIVILEGE_NOT_HELD. This indicates that the account invoking these functions does not have sufficient user rights to complete the login. This leads many customers to reset the account privileges on the SQLAgentCmdExec account or recreate it through User Manager, or SQL Enterprise Manager.

However, what is raising these errors is the process which is invoking the API calls (Sqlservr.exe). Therefore, it is the account that the MSSQLServer service is running on that holds the incorrect and insufficient privileges. In order to successfully execute LogonUser(), the MSSQLServer account needs to have the SE_TCB_NAME (Act as part of the operating system) right enabled. In order to successfully execute CreateProcessAsUser(), the MSSQLServer account needs to have the SE_INCREASE_QUOTA_NAME (Increase quotas) rights enabled.

NOTE: For certain types of processes, CreateProcessAsUser() may also require SE_ASSIGNPRIMARYTOKEN_NAME (Replace a process level token) to be turned on.

Additional query words:

Keywords : SSrvAdmin SSrvISQL SSrvStProc kbbug6.50 kbbug7.00 kbDSupport
Version : winnt:6.5,7.0
Platform : winnt
Issue type : kbprb


Last Reviewed: January 11, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.