Logon Type variable execution


We are running 3.7.13.
I’m trying to run the following code, but get a Failure | Logon failure: the user has not been granted the requested logon type at this computer

The code is:
Invoke-DbaQuery -sqlInstance $cmdb_sqlserver -Database $cmdb_sqldatabase -Query $sql -SqlCredential $cred

$cred is a variable and is another service account (not the PSU service account) that has access to specific systems.

The issue is that I do not want my PSU Service account to have access to the SQL; therefore I have added the -sqlCredential to the command. However, my account in the $cred needs to be able to log on to the PSU server; I can see in the security log that it is failing with logon type 2.
The account only has access to log on as a batch and service on the PSU.

If I grant my user local admin rights on the PSU server, then all is working fine, but I would rather not have my service account have that kind of access to the PSU server.

Why does it need to log on to the PSU server itself to be able to execute the command?
Or is there something I’m misunderstanding?
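
Added example (not part of the original post): the security-log failure described above is event 4625, and its logon type can be mapped to the user right that type requires; type 2 is an interactive logon, which batch and service rights do not cover. The helper name `Resolve-FailedLogon` and the sample event are constructed for illustration; the event ID, data field names and status code are the standard Windows ones.

```powershell
# Added example. Maps a failed-logon event (Security log, ID 4625) to the
# user right that the requested logon type requires.
$LogonTypes = @{
    '2'  = @('Interactive',       'SeInteractiveLogonRight')
    '3'  = @('Network',           'SeNetworkLogonRight')
    '4'  = @('Batch',             'SeBatchLogonRight')
    '5'  = @('Service',           'SeServiceLogonRight')
    '10' = @('RemoteInteractive', 'SeRemoteInteractiveLogonRight')
}

function Resolve-FailedLogon {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$EventXml)

    $doc = [xml]$EventXml
    # Flatten <Data Name="...">value</Data> into a lookup table.
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $type = $LogonTypes["$($data['LogonType'])"]
    [pscustomobject]@{
        Account       = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType     = $data['LogonType']
        LogonTypeName = if ($type) { $type[0] } else { 'Other' }
        RequiredRight = if ($type) { $type[1] } else { 'n/a' }
        # 0xC000015B = STATUS_LOGON_TYPE_NOT_GRANTED
        RightMissing  = $data['Status'] -ieq '0xC000015B'
        Process       = $data['ProcessName']
    }
}

# Constructed sample event (account, domain and process are made up).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="TargetUserName">svc-cmdb</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="Status">0xc000015b</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="ProcessName">C:\Program Files\PowerShell\7\pwsh.exe</Data>
  </EventData>
</Event>
'@
Resolve-FailedLogon -EventXml $sample

# Against the live log (elevated session):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 20 |
#     ForEach-Object { Resolve-FailedLogon -EventXml $_.ToXml() }
```

The `Process` field shows which executable requested the logon, which helps tell whether the interactive logon comes from the module call or from the host running it.
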

It seems like dbatools shouldn’t have to log in locally. Not sure why it would be doing that since those should just be SQL credentials sent to the SQL server.

Not sure if this is related, but I found some info that seems kinda the same but with the anonymous logon account.

Hi Adam

Thanks for the reply.

It’s kinda the same issue but the issue is not logging into the SQL, as the service account can do that.

The issue is that the Invoke-DbaQuery with the -SqlCredential on it tries to use the user specified to log on to the PSU server or whatever server you execute the command on.

So it would more seem to be the dbatools command set that is the issue on how that works.

I found this one: [Bug] Invoke-DbaQuery not using SqlCredential with windows login in PowerShell 7 · Issue #7514 · dataplat/dbatools · GitHub

I need to do some more testing, as that looks to be the issue I’m having.