Yes we did.
I don't remember how 🙂 Give me a few hours to chase up the details.
I remember it ended up being a PSS fix which was nice to have them help.
Oh, I remembered the PSS person's name and found the steps she recommended:
I suggest that you try to implement the below changes in AD:
1. Add the SQL service account (SVCNS02IS0V001SQL) into the Windows Authorization Access group
To add the SQL service account into the Windows Authorization Access group, do as follows:
- Open ADUC (Active Directory Users and Computers) console on a domain controller which hosts the user account - SVCNS02IS0V001AGT.
- Go to the Builtin container. Find Windows Authorization Access Group.
- Open its properties. Under the Members tab, add the SQL service account into the list.
- Apply the changes.
- Restart the SQL service to re-logon the SQL service account.
- Check if the issue persists.
2. Also, confirm if the SVCNS02IS0V001SQL service account has at least Read permission on the user account object (SVCNS02IS0V001AGT) for this attribute:
Read tokenGroupsGlobalAndUniversal
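
A scripted equivalent of the two steps above, as an added example that is not part of the original post or the PSS recommendation. It assumes the RSAT ActiveDirectory module, a session with rights to modify the Builtin group, and a default SQL instance service name (`MSSQLSERVER`); the account names are the ones given in the post.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$sqlAccount   = 'SVCNS02IS0V001SQL'   # SQL service account named in the post
$agentAccount = 'SVCNS02IS0V001AGT'   # user account object named in the post
$sqlService   = 'MSSQLSERVER'         # assumption: default instance service name

# Step 1: add the SQL service account to Windows Authorization Access Group.
# S-1-5-32-560 is the well-known SID of that Builtin group, so the lookup
# does not depend on a localized or renamed group.
$sql  = Get-ADUser  -Identity $sqlAccount
$waag = Get-ADGroup -Identity 'S-1-5-32-560' -Properties member

if ($waag.member -notcontains $sql.DistinguishedName) {
    Add-ADGroupMember -Identity $waag -Members $sql
    Write-Output "Added $sqlAccount to $($waag.Name)."
} else {
    Write-Output "$sqlAccount is already a member of $($waag.Name)."
}

# Group membership only takes effect on a new logon, so restart the SQL
# service. Run this on the SQL Server host; -Force also restarts dependent
# services such as SQL Server Agent.
# Restart-Service -Name $sqlService -Force

# Step 2: list the ACEs on the target user object that allow reading
# tokenGroupsGlobalAndUniversal. The attribute GUID is resolved from the
# schema rather than hard-coded.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC `
              -LDAPFilter '(lDAPDisplayName=tokenGroupsGlobalAndUniversal)' `
              -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID

$agent = Get-ADUser -Identity $agentAccount
$acl   = Get-Acl -Path "AD:\$($agent.DistinguishedName)"

$readProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $readProp) -and
        # An empty ObjectType means the ACE covers all properties.
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
```

The SQL service account has the required read access if it, or a group it belongs to, appears in the `IdentityReference` column of the output.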