SQL 2005: Error 15401 - Windows NT user or **group** not found RRS feed

  • Question

  • Hello,

    I have a fresh install of Windows Server 2008 R2 x64 Standard Edition and SQL Server 2005 x64 on top of that, with Service Pack 3. This server, SERV, is in DOMAINA which trusts (one-way) DOMAINB.

    When I try to create a login for a group in my domain, I get the following error:
    Msg 15401, Level 11, State 1, Procedure sp_grantlogin, Line 49
    Windows NT user or group 'DOMAINA\groupname' not found. Check the name again.

    I get the same error whether using "create login [domaina\groupname] from widnows", "sp_grantlogin [domaina\groupname]" or Manangement Studio.
    This happens ONLY for groups , both in DOMAINA and DOMAINB domains. I can add individual users from both A and B and local computer. For local computer groups: I can add default Windows groups (like Users, Guests, Event Log Readers) by [BUILTIN\Event Log Readers], etc. but not by SERV\Event Log Readers; for custom created group MyLocal it's the other way around: I can via SERV\MyLocal but not via BUILTIN\MyLocal.

    If I add a domain group from either DOMAINA or DOMAINB to a local group, whether my own or builtin, I can login to SQL Server remotely using creditentials of a user who belongs to that group (user DOMAINB\ux belongs to DOMAINB\group and DOMAINB\group to SERV\MyLocal). After sp_grantlogin [serv\mylocal] of course.

    Another server in the same domain, running Windows Server 2003 R2 with SQL Server 2005 (9.0.3042, 32 bit edition) does not suffer from the same issue.

    I suppose I could work around this by creating local groups and adding my domain groups to them but I do not like this solution for so many reasons. Any ideas? I even reinstalled Windows and SQL Server from scratch as I thought it'd help, it didn't though.

    Thursday, August 20, 2009 12:39 PM


All replies

  • Open a support case on the issue.  It looks like a specific configuration issue on your Windows 2008 installation.  It should resolve groups and users equally.  It isn't SQL Server doing the resolution, it is Windows performing that task and returning an error to SQL Server, which SQL Server then just bubbles up to you.

    As far as the code, you should be using CREATE LOGIN, not sp_grantlogin.  sp_grantlogin works, because that is how it was done in SQL Server 2000.  sp_grantlogin is no longer necessary now that the CREATE LOGIN command was added in SQL Server 2005, so you can expect this sp to be removed in a future version of SQL Server.
    Mike Hotek BlowFrog Software, Inc. http://www.BlowFrogSoftware.com Affordable database tools for SQL Server professionals
    Saturday, August 22, 2009 11:05 AM
  • I opened a bug report on Microsoft Connect, for anyone interested: https://connect.microsoft.com/SQLServer/feedback/ViewFeedback.aspx?FeedbackID=484113
    Sunday, August 23, 2009 9:19 AM
  • We have the same problem and are interesting to find out about a solution.

    Our environment:
    2000 Server AD
    2008 Server Std
    Sql Server 2008 Ent.

    The link, https://connect.microsoft.com/SQLServer/feedback/ViewFeedback.aspx?FeedbackID=484113, does not work.

    Thanks in advance!

    Wednesday, September 30, 2009 9:38 AM
  • We have the same problem too..

    BTW.. your Domain Controller is a Windows Server 2000?

    Did you find a solution?
    Diogenes Caraballo
    Wednesday, January 6, 2010 5:31 PM
  • We have the same issue. Windows 2000 domain controllers, Windows 2008 server (64 bit) SQL Server 2008
    It is the excat same issue, single logins work fine, adding a group as a login does not work. I don't see how this issue can be marked as answered since the link shown above does not work and no satisfactory answer is forthcoming.
    Monday, February 22, 2010 12:48 PM
  • Hello,

    For some unknown reason, the topic was set to private, I changed it to public. If you still can't access the website with bug report, try this link https://connect.microsoft.com/SQLServer/feedback/details/484113/cannot-create-login-for-domain-group.

    Don't expect to find a solution though, I failed. Together with MS we discovered that it is not a SQL Server only bug but also other services in Windows Server 2008 are affected. So I opened another bug report (https://connect.microsoft.com/WindowsServerFeedback/feedback/details/488785/trust-relationship-error-when-adding-accounts-from-windows-2000-ad-domain) and never heard from MS again. Because of this bug and the urgency of the project, I downgraded 2008 to 2003 so I did not follow the issue any more.
    Monday, February 22, 2010 1:13 PM
  • Hi All,

    We did find the solution when using Server 2008 in a Windows 2000 domain.
    We applied the patch in the link below and are now able to assign a group a login


    Hope this helps someone else.
    Monday, February 22, 2010 10:55 PM