Could not obtain information about windows nt group user
Question
later when I run the code below,
Please help! Thanks,
Answers
Are you running SQL Server under LocalSystem? Best practice is to use a domain account. You could also try logging on to SQL Server with an SQL login rather than integrated security.
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
All replies
Sebastian Sajaroff Senior DBA Pharmacies Jean Coutu
Please ignore the path.
I have created the ASSEMBLY using the correct path (Very long) without problem.
My question is when I tried to change PERMISSION_SET to EXTERNAL_ACCESS;
I got «Could not obtain information about Windows NT group/user»
Then it’s most probably related to a permissions issue.
Please take a look at the PERMISSIONS paragraph:
Requires CREATE ASSEMBLY permission.
If PERMISSION_SET = EXTERNAL_ACCESS is specified, the SQL Server login must have EXTERNAL ACCESS ASSEMBLY permission on the server. If PERMISSION_SET = UNSAFE is specified, membership in the sysadmin fixed server role is required.
User must be the owner of any assemblies that are referenced by the assembly that are to be uploaded if the assemblies already exist in the database. To upload an assembly by using a file path, the current user must be a Windows authenticated login or a member of the sysadmin fixed server role. The Windows login of the user that executes CREATE ASSEMBLY must have read permission on the share and the files being loaded in the statement.
Sebastian Sajaroff Senior DBA Pharmacies Jean Coutu
MSSQLSERVER_15404
Details
Attribute | Value |
---|---|
Product Name | SQL Server |
Event ID | 15404 |
Event Source | MSSQLSERVER |
Component | SQLEngine |
Symbolic Name | SEC_NTGRP_ERROR |
Message Text | Could not obtain information about Windows NT group/user 'user', error code code. |
Explanation
15404 is used in authentication when an invalid principal is specified. Or, impersonation of a Windows account fails because there is no full trust relationship between the SQL Server service account and the domain of the Windows account.
User Action
Check that the Windows principal exists and is not misspelled.
If this error is the result of a lack of a full trust relationship between the SQL Server service account and the domain of the Windows account, one of the following actions can resolve the error:
Use an account from the same domain as the Windows user for the SQL Server service.
If SQL Server is using a machine account such as Network Service or Local System, the machine must be trusted by the domain containing the Windows User.
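The checks in the User Action list can be run from a query window on the affected instance. The T-SQL below is an added example, not part of the Microsoft article or the forum posts; `CONTOSO\someuser` is a constructed placeholder for the principal named in the error, and the session is assumed to have VIEW SERVER STATE and rights to execute `xp_logininfo`.

```sql
-- Added diagnostic example; not from the Microsoft article or the forum posts.
-- N'CONTOSO\someuser' is a constructed placeholder for the principal named in error 15404.
DECLARE @principal sysname = N'CONTOSO\someuser';

-- 1. Account the Database Engine runs as. The User Action text concerns
--    machine accounts (Local System, Network Service) and service accounts
--    from a different domain than the Windows user.
SELECT servicename, service_account, status_desc
FROM sys.dm_server_services;

-- 2. Does a login with exactly this name exist on the instance?
--    An empty result points at a misspelled or missing principal.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE name = @principal;

-- 3. Does the current login hold the server permission required for
--    PERMISSION_SET = EXTERNAL_ACCESS? 1 = yes, 0 = no.
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'EXTERNAL ACCESS ASSEMBLY')
       AS has_external_access_assembly;

-- 4. Ask Windows about the principal through the service account.
--    A failure here reproduces the lookup error without impersonating anyone.
BEGIN TRY
    EXEC master.dbo.xp_logininfo @acctname = @principal, @option = 'all';
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER()  AS error_number,   -- 15404 when the lookup fails
           ERROR_STATE()   AS error_state,
           ERROR_MESSAGE() AS error_message;  -- includes the Windows error code
END CATCH;
```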
Could not obtain information about Windows NT group/user (error code 0x5)
November 13, 2018 at 10:18 am
1. Log into SSMS locally on the server as sa
2. Attempt to impersonate an existing «Windows authentication» (domain) account.
3. Receive error «Could not obtain information about Windows NT group/user ‘[domain\user]’, error code 0x5.»
I’ve seen quite a few posts about this issue. Some are related to running a stored procedure, some are my case exactly. However all of them don’t have the actual resolution to the issue. It seems most are content to «just create and use a SQL Server authentication login», or change the owner of the object to a SQL login.
I’m pretty sure that the issue is that the domain account running the SQL Server Service is missing a required permission in Active Directory (0x5 is access denied).
If anyone knows the missing Active Directory permission, I would be grateful.
P.S. the server is correctly auto-registering the SPN, so the service account has that much access. (required Active Directory “Write to Public Information” permissions).
Here’s the SQL for the impersonation test:
SELECT SUSER_NAME(), USER_NAME();
EXECUTE AS LOGIN='[domain]\';
GO
--Msg 15404, Level 16, State 19, Line 4
--Could not obtain information about Windows NT group/user '[domain]\', error code 0x5.
November 15, 2018 at 3:06 pm
There are also quite a few posts that indicate the issue was with the service account and not having set password never expires.
There are also some posts where it’s some odd issue with a particular account so trying to execute xp_logininfo with a few different accounts.
And it can also happen if there are issues with communication between SQL Server and Active Directory.
Otherwise, the service account needs to be able to read the container with the user accounts.
Could not obtain information about windows nt group user
-- Adding the transactional publication
use [MyBase]
exec sp_addpublication @publication = N'MyPublication', @description = N'Transactional publication of database ''MyBase'' from Publisher ''MyServer''.', @sync_method = N'concurrent', @retention = 0, @allow_push = N'true', @allow_pull = N'true', @allow_anonymous = N'false', @enabled_for_internet = N'false', @snapshot_in_defaultfolder = N'true', @compress_snapshot = N'false', @ftp_port = 21, @allow_subscription_copy = N'false', @add_to_active_directory = N'false', @repl_freq = N'continuous', @status = N'active', @independent_agent = N'true', @immediate_sync = N'false', @allow_sync_tran = N'false', @allow_queued_tran = N'false', @allow_dts = N'false'
GO
exec sp_addpublication_snapshot @publication = N'MyPublication', @frequency_type = 1, @frequency_interval = 1, @frequency_relative_interval = 1, @frequency_recurrence_factor = 0, @frequency_subday = 8, @frequency_subday_interval = 1, @active_start_time_of_day = 0, @active_end_time_of_day = 235959, @active_start_date = 0, @active_end_date = 0
use [MyBase]
exec sp_addarticle @publication = N'MyPublication', @article = N'Dover_CarList', @source_owner = N'dbo', @source_object = N'Dover_CarList', @type = N'logbased', @description = null, @creation_script = null, @pre_creation_cmd = N'drop', @schema_option = 0x00000000000080A3, @auto_identity_range = N'false', @destination_table = N'Dover_CarList', @destination_owner = N'dbo', @vertical_partition = N'false', @ins_cmd = N'CALL sp_MSins_dboDover_CarList', @del_cmd = N'CALL sp_MSdel_dboDover_CarList', @upd_cmd = N'MCALL sp_MSupd_dboDover_CarList'
GO