Joe Webb Blog

Musings and observations about SQL Server, other technologies, and sometimes just life in general

Error 15401 when creating a new Login

Recently, a client asked that I grant database access for several of their new employees. The client uses SQL Server 2000 and has an Active Directory in place to manage domain users and resources. Windows Authentication is used almost exclusively in this environment.

As I dutifully created the new Logins, granted access to the required databases, and assigned the users to the appropriate database roles, everything went as expected - that is, until I got to the last two employees on the list. As I attempted to create a new Login for those two employees, I received the following error:

Error 15401: Windows NT user or group MYCLIENT\Sally not found. Check the name again.

Fortunately, I had seen this error before and knew its likely cause.

Each user in Active Directory is given a unique security identifier, or SID. It's statistically impossible for any two users to receive the same SID. A SID is associated with a user account throughout its existence. SIDs are the reason why you cannot simply create a new user account of the same name to replace a user account that was inadvertently deleted and expect the permissions and group membership to transfer over to the new user account.

A SID also persists through name changes to the user account. If a domain user account is renamed to something completely different, its SID remains the same. If you rename a user account from John Brown to Sally Smith, Active Directory considers this the same user account.

That's what happened in this case. Although the last two names on the list were new hires for the company, they were hired to replace former employees. Unbeknownst to me, the Domain Administrator did not create new user accounts for these individuals; rather, he renamed the user accounts of the former employees that these new hires replaced. This left their SIDs intact.

The former employees had database Logins that used Windows Authentication. When I attempted to create a Login for the new employees, SQL Server realized that the SID already existed and it threw Error 15401.

To resolve this, I identified and deleted the former employee Logins that these two new hires were to replace. Then I could create a new Login for the new employees. Problem solved.
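The diagnosis and cleanup described above, sketched as T-SQL for SQL Server 2000. This is an added example, not code from the original post: MYCLIENT\Sally is the name from the error message, while MYCLIENT\John and YourDatabase are hypothetical placeholders for the pre-rename login and a database it could reach.

```sql
-- Added example for SQL Server 2000; not the author's own script.
-- MYCLIENT\John and YourDatabase are hypothetical placeholders.

-- 1. Find the login that already holds the SID of the renamed account.
--    SUSER_SID returns the SID for the Windows account name; syslogins
--    still carries the name recorded when the login was first granted.
SELECT name, isntname, createdate, updatedate
FROM   master.dbo.syslogins
WHERE  sid = SUSER_SID(N'MYCLIENT\Sally');

-- 2. In each database the old login could reach, list the database user
--    mapped to that SID and any objects it owns. A non-NULL owned_object
--    means ownership has to be dealt with before the user can be removed.
USE YourDatabase;
SELECT u.name  AS db_user,
       o.name  AS owned_object,
       o.xtype AS object_type
FROM   dbo.sysusers u
LEFT JOIN dbo.sysobjects o ON o.uid = u.uid
WHERE  u.sid = SUSER_SID(N'MYCLIENT\Sally');

-- 3. Remove the stale database user (use the db_user value from step 2,
--    repeat per database), then remove the stale Windows login.
EXEC sp_revokedbaccess N'MYCLIENT\John';
EXEC sp_revokelogin    N'MYCLIENT\John';

-- 4. Create the login under the account's current name and grant only
--    the access the new employee actually needs.
EXEC sp_grantlogin    N'MYCLIENT\Sally';
EXEC sp_grantdbaccess N'MYCLIENT\Sally';
```

Running step 1 before granting any Windows login also shows whether a new hire is about to inherit a former employee's login, roles, and permissions through a reused SID.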

Obviously the best scenario would be to avoid this situation altogether. Proper change management procedures would have allowed me to delete the former Logins when the employees left the company, preventing this minor incident while making for a more secure database installation as well.

For more information, see Knowledge Base article 324321.

Cheers!

Joe


Legacy Comments


Steve G.
2007-09-13
re: Error 15401 when creating a new Login
This is what sp_change_users_login was designed for. If the login in question is an owner of resources then you can't delete the login. Fortunately, SQL Server gives you an "out". Use the system stored procedure sp_change_users_login to update the SIDs and bring the database login in line with SQL Server login.

This situation will also happen when you restore a database onto another server. If, say, you have a disk crash and are doing recovery, all your users will wind up in this same boat unless you restore the master database as well (not for the faint of heart).

Steve G

Joe Webb
2007-09-13
re: Error 15401 when creating a new Login
Steve - Thanks for providing the additional info.

In the scenario I mentioned, the users were only end users and not owners of database objects. As a result, I only delved into the basic cause and simple resolution.

But you're right, there are other ways to address these kinds of situations.

Thanks!

Joe




Sanjeev Bhargava
2011-07-07
re: Error 15401 when creating a new Login
I am unable to connect mirror server error is coming