My Oracle Support Banner

CRS-4563: Insufficient user privileges Encountered When Trying to Start CRS (crsctl start crs) Following OS Patch Application (Doc ID 2407762.1)

Last updated on AUGUST 04, 2018

Applies to:

Oracle Database - Enterprise Edition - Version 11.2.0.4 and later
Microsoft Windows x64 (64-bit)

Symptoms

After stopping CRS and rebooting as part of applying an operating system patch, Cluster Ready Services (CRS) cannot be started on one node.  The command 'crsctl start crs' is failing with the following errors:

  CRS-4563: Insufficient user privileges.
  CRS-4000: Command Config failed, or completed with errors.


The following errors appear when running ocrcheck on the "failing" node.

  2018-05-18 22:21:08.641:
  CLSD:An error was encountered while attempting to open log file "D:\ORACLE\11.2.0\grid\log\racnode2\client\ocrcheck_5824.log". Additional diagnostics: (:CLSD00157:)

 

Output of the Windows command 'whoami' shows a difference in the group configuration from one node to the other:


racnode1_whoami.txt:

 

D:\ORACLE\SQL>WHOAMI /USER /GROUPS

...


racnode1\oracle S-1-5-21-3361838081-1199148454-413287352-1002

...
Group Name Type SID Attributes
============================================================= ================ ============================================= ===============================================================
...
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Mandatory group, Enabled by default, Enabled group
...

BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner

 

AS COMPARED TO

 


racnode2_whoami.txt:

D:\ORACLE\SQL>WHOAMI /USER /GROUPS

...
racnode2\oracle S-1-5-21-3788943988-3048214040-870756408-1001

...

Group Name Type SID Attributes
============================================================= ================ ============================================= ==================================================
...
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Group used for deny only <===== GROUP USED FOR DENY ONLY
...
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only <===== GROUP USED FOR DENY ONLY

 

*****

As can be observed, there are two permissions or groups on node 'racnode2' that are marked as 'Group used for deny only', which are enabled on node 'racnode1' and even in the case of the Administrators group, this user is marked as 'Group owner'

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.