SQL Server error 15401


Answers

  • Hi DevXYZ,

    Have you checked the other possible reasons for this issue?

    The login does not exist

    1. Verify that the Windows login still exists in the domain. Your network administrator may have removed the Windows login for specific reasons, and you may not be able to grant that login access
      to the SQL Server.
    2. Verify that you are spelling the domain and login name correctly and that you are using the following format:

    Domain\User

    3. If the login exists, and it is correct, and you still receive the error, continue with the following sections in this article.

    Duplicate security identifiers

    In a Windows domain, unique Security Identifiers (SIDs) are automatically assigned to Windows logins in the domain. When you add a Windows login as a SQL Server login, the SID is stored in a system table in SQL Server. If you try to add a new login which has
    the same SID as an existing SQL Server login, the 15401 error occurs.

    Authentication failure

    You might receive error 15401 when the domain controller for the domain where the login resides (the same or a different domain) is not available for some reason. 

    1. If the login is in a different domain than the SQL Server, verify that the correct trusts exist between the domains.
    2. Verify that the domain controller of the login is accessible by using the
      ping command from the computer that is running SQL Server. Check both the IP address and the name of the domain controller.

    If, after you have tried all the possible methods listed above, you still receive the same error, please check the error log as Dean Savović mentioned above and share the detailed error message with us here
    so that we can analyze further.

    Thanks

    Candy Zhou

    • Edited by
      Candy_Zhou
      Monday, September 23, 2013 6:14 AM
    • Proposed as answer by
      RohitGarg
      Sunday, September 29, 2013 2:33 PM
    • Marked as answer by
      Candy_Zhou
      Thursday, October 3, 2013 7:24 AM

title: MSSQLSERVER_15401
description: MSSQLSERVER_15401
author: suresh-kandoth
ms.author: sureshka
ms.reviewer: vencher, tejasaks, docast
ms.date: 12/25/2020
ms.service: sql
ms.subservice: supportability
ms.topic: reference
helpviewer_keywords: 15401 (Database Engine error)

MSSQLSERVER_15401


Details

Attribute        Value
Product Name     SQL Server
Event ID         15401
Event Source     MSSQLSERVER
Component        SQLEngine
Symbolic Name    SEC_INVALIDLOGINORGROUP
Message Text     Windows NT user or group ‘%s’ not found. Check the name again.

Explanation

This error occurs when SQL Server is unable to create a login based on a Windows principal (such as a domain user or a Windows domain group). An error message like the following is reported to the user:

Error 15401: Windows NT user or group ‘%s’ not found. Check the name again.

Cause

The error can occur because of any of the following reasons:

  • The login does not exist in Active Directory.
  • The domain controller is unavailable.
  • You are not using BUILTIN as the domain name when adding a local account.
  • Name resolution issues.

User action

Review the following sections for actions you can take for each of the different causes mentioned above.

Verify the login you are trying to add

  1. Verify that the Windows login still exists in the domain. Your network administrator may have removed the Windows login for specific reasons, and you may not be able to grant that login access to SQL Server.
  2. Verify that you are spelling the domain and login name correctly and that you are using the following format: Domain\User
  3. If the login exists, and it is correct, and you still receive the error, continue with the following sections in this article.

Verify if the domain controller is available

You might receive error 15401 when the domain controller for the domain where the login resides (the same or a different domain) is not available for some reason.

If the login is in a different domain than SQL Server, verify that the correct trusts exist between the domains.

Verify that the domain controller of the login is accessible by using the ping command from the computer that is running SQL Server. Check both the IP address and the name of the domain controller.

Verify the domain name for local accounts

Local (non-domain) accounts require special handling. If you are trying to add a local account from the local computer that is running SQL Server, ensure you are using BUILTIN as the domain name.

Check for name resolution issues

If you have problems resolving the name of a computer that is involved in adding the login or group, you might receive error 15401.

Verify that your name resolution mechanism (such as WINS, DNS, HOSTS, or LMHOSTS) is configured correctly.
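
The checks from the sections above (name format, BUILTIN for local accounts, whether Windows resolves the name, and the duplicate-SID case) can be run as one read-only T-SQL script. This is an added example, not Microsoft's or any poster's code; CONTOSO\newlogin is a constructed sample name, and the script assumes a sysadmin connection on SQL Server 2008 or later.

```sql
-- Added diagnostic example. Read-only: it creates nothing on the instance.
DECLARE @account sysname = N'CONTOSO\newlogin';  -- constructed sample (Domain\User)

-- 1. Format: exactly one backslash, with text on both sides of it.
IF @account NOT LIKE N'_%\_%'
   OR LEN(@account) - LEN(REPLACE(@account, N'\', N'')) <> 1
BEGIN
    RAISERROR(N'Name must be in Domain\User form: %s', 16, 1, @account);
    RETURN;
END;

-- 2. Local accounts: the page says to use BUILTIN, not the computer name,
--    as the domain part.
DECLARE @domain sysname = LEFT(@account, CHARINDEX(N'\', @account) - 1);
IF @domain = CAST(SERVERPROPERTY('MachineName') AS sysname)
    PRINT N'Domain part is the local computer name; try BUILTIN\<name> instead.';

-- 3. Ask Windows for the SID. NULL means the name did not resolve
--    (missing account, unreachable domain controller, trust or DNS problem).
DECLARE @sid varbinary(85) = SUSER_SID(@account);

IF @sid IS NULL
    PRINT N'Windows could not resolve ' + @account
        + N': check spelling, domain controller, trusts and name resolution.';
ELSE
    -- 4. Duplicate SID: any row returned is a login already stored under this
    --    SID, possibly under an older name for the same Windows account.
    SELECT name, type_desc, create_date
    FROM sys.server_principals
    WHERE sid = @sid;

-- 5. xp_logininfo repeats the Windows lookup; on failure its message
--    (Msg 15404) carries the Win32 error code that points at the real cause.
BEGIN TRY
    EXEC master.dbo.xp_logininfo @acctname = @account;
END TRY
BEGIN CATCH
    PRINT N'xp_logininfo failed, Msg ' + CAST(ERROR_NUMBER() AS nvarchar(10))
        + N': ' + ERROR_MESSAGE();
END CATCH;

-- 6. The statement to run once the checks pass (printed here, not executed).
PRINT N'CREATE LOGIN ' + QUOTENAME(@account) + N' FROM WINDOWS;';
```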

See also

  • Test a channel between the local computer and its domain
  • LogonSessions v1.4
  • sp_change_users_login (Transact-SQL)

Posted by Sudarshan Narasimhan on October 17, 2012

I was working on a customer scenario on my Virtual machine recently. I have a Windows 2008 Domain controller and another member server that runs my SQL 2008 instance (all VM’s running on Hyper-V). When I tried to create a new Windows login from SSMS, I got this well-known error 15401


Error Text
Msg 15401, Level 11, State 1
Windows NT user or group ‘DOMAIN\username’ not found. Check the name again.

There is already a KB article that talks about some of the known scenarios when you could get Error 15401 in SQL Server. None of these matched my scenario.

How to troubleshoot error 15401
http://support.microsoft.com/kb/324321/en-us


Since these are Virtual Machines running on Hyper-V, I had made sure when I created the VM’s that none of the machine SID’s are duplicates. I had used newSID.exe to ensure that each client machine joined to my DC had a unique machine SID.

Since I was not able to add a new login, I used xp_logininfo to see if I can retrieve

Msg 15404, Level 16, State 11, Procedure xp_logininfo, Line 62
Could not obtain information about Windows NT group/user ‘MyDomain\NewUser’, error code 0x6fd.

Pay attention to the Windows Error Code 0x6fd that was returned by xp_logininfo.

0x6fd (hex) translates to Win32 error 1789 –> The trust relationship between this workstation and the primary domain failed.

Now, I have only 1 Domain Controller so there are no cross-domain trusts I need to set up etc. If that is your scenario, you might want to check what the trust level between your different domains is. Anyways, in my case that did not apply. So what could be the issue here?

My SQL Server service account was running under a domain account. This account is what SQL Server uses to query AD and retrieve account info when creating a new login. If your SQL Server is running on Windows 7/2008 R2, there is a hotfix that might fix this issue for you –> http://support.microsoft.com/kb/976494

To resolve this issue I followed these steps. Please note that this worked for me and might not work for your scenario. I am posting this out just as an FYI in case it helps anyone else encountering a similar scenario.

1. Log in to the SQL Server machine and open a command prompt with elevated credentials (Run-As Administrator).

2. Run the following command, which will reset the password for the machine account:

netdom resetpwd /server:<DomainControllerName> /userd:<domain\domainadminuser> /passwordd:<password>
E.g. netdom resetpwd /server:CONTOSO-DC /userd:CONTOSO\administrator /passwordd:MyDCPassw0rd

Expected output: The machine account password for the local machine has been successfully reset.

3. Restart the Netlogon service on the SQL Server machine.

4. Clear the Kerberos tickets on the SQL Server machine from command prompt

klist purge

Expected output: Deleting all tickets: Ticket(s) purged!

5. After this was done, I re-ran the xp_logininfo ‘contoso\newlogin’ and this time it completed and did not give error 15401. [I did not restart my SQL Server service]

6. Now, I was able to add the login from SSMS or using CREATE LOGIN.

A key point here is step #2: the netdom command needs to be run from the machine whose machine account password you want to reset. To reset a machine account password, you need someone with domain admin credentials. So you need domain admin credentials, as these are required for netdom.exe. In our scenario, the machine has to be the SQL Server machine. More information about what netdom.exe does is available in this KB article –> http://support.microsoft.com/kb/325850

HTH.


Regards,
TheSQLDude

This entry was posted on October 17, 2012 at 1:55 AM and is filed under Security, Windows.
Tagged: create login, DNS, error creating login, lookupaccountname, Msg 15401, SID, SQL Server, trust relationship.

I am trying to add a domain user. I am doing the following.

  1. Expand Security
  2. Right click on Logins
  3. Select New Login…
  4. Login name select search
  5. Click on location and select entire directory
  6. Type username
  7. Click checkname
  8. The name goes underlined and add some more info
  9. Click OK
  10. Click OK

I then get the following error:
15401 error

I have found http://support.microsoft.com/kb/324321.

  • The Login does exist
  • There is no Duplicate security identifiers
  • Authentication failure I don’t think is happening as I can browse AD
  • Case sensitivity should not be the problem as I am doing the checkname and it is correcting it.
  • Not a Local account
  • Name resolution again I can see the AD

I have rebooted the server (VM) and the issue is still happening. Any ideas?

Edit

I have also:

  • Domain member: Digitally encrypt secure channel data (when possible) – Disable this policy
  • Domain member: Digitally sign secure channel data (when possible) – Disable this policy
  • Rebooted server

http://talksql.blogspot.com/2009/10/windows-nt-user-or-group-domainuser-not.html

Edit 2

I have also:

  • Digitally encrypt or sign secure channel data (always)- Disabled
  • Rebooted

Edit 3

Since the question has moved sites, I no longer have access to comment, etc.

I have checked the dns on the server to a machine where it is working. The DNS servers are the same on both…

splattne

asked Mar 15, 2011 at 16:46


Old question but I had the same issue today on SQL Server 2012 (web) when trying to create a login for a domain user, something I’ve done numerous times before. The issue for me turned out to be the SQL Server agent which had not started up following an overnight server reboot.

answered Jan 20, 2014 at 16:48

fudoki22

I had the same issue and it occurred because I just added a group in AD and was now trying to add it in SQL Server. I suspected that the Active Directory information had not yet propagated. After forcing it to propagate, I could add my group without error.

answered Jul 10, 2012 at 18:09

John Pelaschier

I had a very similar situation where I could browse the domain and actually see the users but as soon as I clicked add it would give me an error. I was adding my users to Windows groups and not SQL Server but this sounds very close to what was happening to me.

I fixed it by setting my Domain Controller as the primary DNS. Once I did that everything worked fine. If your environment has multiple DNS servers make sure that the Domain Controller is the primary and see if that helps.

answered Mar 15, 2011 at 19:57

Shane

I’ve seen this happen recently where the check against AD fails on creation because when the name gets "auto-corrected" through the lookup it doesn’t use the correct case, but it seemed to be relevant to the version of SSMS installed. Scripting the action out and executing from a new query window worked.

answered Jun 12, 2012 at 2:38

Jason Cumberland

Trying to add the local administrators group to a SQL server with sys admin (sa) server roles? Getting the error below? I have a very simple fix.

Windows NT user or group ‘COMPUTERNAME\Administrators’ not found. Check the name again. (Microsoft SQL Server, Error: 15401)

Instead of adding “COMPUTERNAME\Administrators” change it to “BUILTIN\Administrators” and it will work just fine. Just erase your computer/server name and replace with BUILTIN.

This fix should work for SQL Server 2005, 2008, 2012, and 2014.
