This article was previously published under Q248391
This article has been archived. It is offered "as is" and will no longer be updated.
You receive the following error when executing an operating system job through xp_cmdshell when logged into SQL Server as a non-sa account:
Msg 50001, Level 1, State 50001 xpsql.c: Error 1314 from LogonUser on line 476
Alternately, you may receive the following:
Msg 50001, Level 1, State 50001 xpsql.c: Error 1314 from CreateProcessAsUser on line 492
These errors are raised due to your errant rights set on the SQLAgentCmdExec Windows NT account that MSSQLServer is running on.
Make sure that the Windows NT account that the MSSQLServer service is running on is a domain account that is a member of the local administrators group on the server.
Make sure that the account that the MSSQLServer service is running on, as well as SQLServerAgent, have the following user rights permissions:
Act as part of the operating system.
replace process level token.
Log on as a batch job.
Also, make sure that the local SQLAgentCmdExec account has "Log on as a batch job" permissions.
NOTE: You must restart the entire server, not just the SQL Services, in order for any changes made to user rights permissions to take effect.
Xpsql.c is included in the sample code that ships with the product. The error on line 476 gets raised if the call to the Win32 API function: LogonUser() fails. The error on 492 gets raised if the call to CreateProcessAsUser() fails.
Error 1314 is ERROR_PRIVILEGE_NOT_HELD. This indicates that the account invoking these functions does not have sufficient user rights to complete the login. This leads many customers to reset the account privileges on the SQLAgentCmdExec account or recreate it through User Manager, or SQL Enterprise Manager.
However, what is raising these errors is the process which is invoking the API calls (Sqlservr.exe). Therefore, it is the account that the MSSQLServer service is running on that holds the incorrect and insufficient privileges. In order to successfully execute LogonUser(), the MSSQLServer account needs to have the SE_TCB_NAME (Act as part of the operating system) right enabled. In order to successfully execute CreateProcessAsUser(), the MSSQLServer account needs to have the SE_INCREASE_QUOTA_NAME (Increase quotas) rights enabled.
NOTE: For certain types of processes, CreateProcessAsUser() may also require SE_ASSIGNPRIMARYTOKEN_NAME (Replace a process level token) to be turned on.