
Windows Nt User or Group vcertserveradministrator Not Found Check the Name Again

This is one of those typical blog posts that I write for my future self, the guy who keeps fixing the same stuff over and over and forgets what he did the next minute.

If you want to query information about a Windows user or group and its access path in SQL Server, you can use the extended stored procedure "xp_logininfo". Here's an example:

EXEC xp_logininfo 'MyDomain\SomeUser','all';          

If everything is configured correctly, you will see a list of Windows accounts and the login(s) they are mapped to in SQL Server.

However, in some cases, the command fails with the infamous error message:

          Could not obtain information about Windows NT group/user 'MyDomain\SomeUser', error code 0x5

This happens every time SQL Server tries to query information about the Windows user from Active Directory and receives an error.

Understanding where the error comes from can be tricky, but it becomes easier to troubleshoot when you understand what happens behind the scenes and what the most probable causes are.

The user does not exist

This is very easy to check: does the user exist in Windows? Did you misspell the name?

You can check this from a cmd window, issuing this command:

net user SomeUser /domain

If you spelled the user correctly, the command will return information about it, like description, password settings, group membership and so on.

If the user name is wrong and cannot be found in AD, you will get an error message:

The user name cannot be found.

Easy peasy: check your spelling and check your AD.

The service account does not have enough privileges to query AD

As I said, SQL Server needs to query AD to retrieve information about the user: if its service account doesn't have enough privileges, the query will fail.

The most likely cause for this is a misconfiguration of the service account settings in SQL Server. To be more specific, it is very likely that SQL Server is configured to run as a local user who has no access to Active Directory at all. This happens when SQL Server runs as a per-service SID or one of the built-in local accounts (local service or localsystem).

It is very easy to check what account is being used to run SQL Server: all you need to do is query sys.dm_server_services.

SELECT servicename, service_account  FROM sys.dm_server_services;          

If you see a local account being returned, go ahead and change your service account to a domain account, using the Configuration Manager.

If you still can't query AD, possibly there is something wrong with the permissions on your AD objects. Try impersonating the SQL Server service account, open a cmd window and issue the net user command.

          > net user SomeUser /domain
          The request will be processed at a domain controller for domain MyDomain

          System error 5 has occurred.

          Access is denied

If you get the "Access is denied" error message, you need to go to your AD and grant read permissions on that user/OU to the service account.

The service account does not have enough privileges to impersonate the Windows user

This was a bit of a surprise for me. In order to retrieve information about the Windows user, SQL Server needs to impersonate it first and then will contact AD impersonating that user.

In order to impersonate a user, SQL Server needs to run under a service account user that has enough privileges to impersonate another user. This privilege is granted through a local policy.

Open the local security policy MMC (secpol.msc) and expand "Local Policies", "User Rights Assignment". Find the policy named "Impersonate a client after authentication" and double click it. You can verify whether the service account for SQL Server is granted this privilege, directly or through one of its groups.

Generally speaking, you don't have to change this, because by default Windows grants this privilege to the "SERVICE" special identity. Any process running as a service is acting as the SERVICE special identity, including SQL Server. If you don't find it listed here, add it back.
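The same check can be scripted instead of clicking through secpol.msc. The following is an added example, not code from the original post: it parses a secedit user-rights export and reports whether any SID in the service's token is listed for SeImpersonatePrivilege (the constant behind "Impersonate a client after authentication"). The function names, the sample export and the domain account SID are constructed for illustration.

```powershell
# Added example: checks who holds "Impersonate a client after authentication"
# (SeImpersonatePrivilege) in a secedit export, without opening secpol.msc.
# On a real server (elevated prompt) produce the input with:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $inf = Get-Content "$env:TEMP\rights.inf" -Raw

# Constructed sample export: SERVICE (S-1-5-6) has been removed from the policy.
$inf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeServiceLogonRight = *S-1-5-80-0
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-RightHolders {   # hypothetical helper name
    param([string]$InfText, [string]$Right)
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match "^\s*$([regex]::Escape($Right))\s*=\s*(.*)$") {
            # Entries are comma separated; SIDs carry a leading '*', names do not.
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()   # right not present in the export: nobody holds it
}

function Test-HoldsRight {    # hypothetical helper name
    param([string]$InfText, [string]$Right, [string[]]$TokenSids)
    $holders = Get-RightHolders -InfText $InfText -Right $Right
    # True when any SID in the service's token is listed for the right.
    return [bool]($TokenSids | Where-Object { $holders -contains $_ })
}

# SIDs assumed to be in the SQL Server service token: a constructed placeholder
# domain account SID plus SERVICE (S-1-5-6), which every service process carries.
$tokenSids = @('S-1-5-21-1111111111-2222222222-3333333333-1105', 'S-1-5-6')

if (Test-HoldsRight -InfText $inf -Right 'SeImpersonatePrivilege' -TokenSids $tokenSids) {
    'OK: the service account holds SeImpersonatePrivilege'
} else {
    'MISSING: add the service account or SERVICE back to "Impersonate a client after authentication"'
}
```

With the constructed sample the script reports MISSING, because neither the placeholder account nor SERVICE is listed. Entries that secedit writes as account names rather than SIDs are not matched by this check and need to be resolved by hand.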

Windows permissions can get tricky at times. I hope that this post helps you (and me!) taming the beast.


Source: https://spaghettidba.com/2019/08/16/troubleshooting-could-not-obtain-information-about-windows-nt-group-user/
