SQL Server Agent jobs may fail after you change the SQL Server Agent service startup account by using the Windows Service Control Manager

Article translations Article translations
Article ID: 911305 - View products that this article applies to.
Bug #: 413203 (SQLBUDT)
Expand all | Collapse all

SYMPTOMS

If you run a SQL Server Agent job which has a step configured to “Run As” a specified proxy account, you may receive the following error message in the job history:

Error:
Executed as user : Domain\Account.
The process could not be created for step Step Number of job Unique Job ID (reason: A required privilege is not held by the client). The step failed.
This error message may commonly affect the following job step types:
  • Operating system (CmdExec) Job Step
  • SQL Server Integration Services Package Job Step
  • Replication job step types Job Step
Additionally, when you try to run a replication agent job, the replication agent job may fail and you may receive an error message that resembles the following:
Executed as user: <UserAccount>. Replication-Replication Snapshot Subsystem: agent <AgentName> failed. Executed as user: <UserAccount>. A required privilege is not held by the client. The step failed. [SQLSTATE 42000] (Error 14151). The step failed.

CAUSE

This problem occurs because the Windows Service Control Manager cannot grant the required permissions to run agent jobs to the new domain account.

SQL Server Configuration Manager will take additional steps beyond changing the service account or password. These steps will add the service account to the appropriate group membership which provides the necessary permissions.

You will receive the second error message mentioned in the Symptoms section when the SQL Server Agent service account does not have the required operating system permissions to spawn the necessary child process under the context of the proxy account.

Note This error message is not typically caused by the proxy account itself, but rather by the SQL Server Agent service account trying to impersonate the proxy account. The SQL Server Agent Service account is missing the required privileges to do impersonation.

RESOLUTION

To resolve this problem, use SQL Server Configuration Manager to change the domain account back to a startup account. Then, use SQL Server Configuration Manager to change the startup account to a domain account. When you do this, SQL Server Configuration Manager will add the domain account to the following security group:
SQLServer2005SQLAgentUser$ComputerName$InstanceName
Therefore, SQL Server Configuration Manager will grant the required permissions to run agent jobs to the domain account.
To resolve the problem, follow these steps:
  1. Set the SQL Server Agent service account in SQL Server Configuration Manager to the LocalSystem account.
  2. Stop and then start the SQL Server Agent service.
  3. Reset the SQL Server Agent service account in SQL Server Configuration Manager back to the original account.
  4. Stop and then start the SQL Server Agent service.
You can also reset the password of the SQL Server Agent service account in SQL Server Configuration Manager.

To avoid this problem in the future, we recommend that you use SQL Server Configuration Manager instead of the Windows Service Control Manager to modify startup accounts.

For more information about how to change the SQL Server service account, visit the following Microsoft Web sites:

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For SQL Server 2005, the following user groups are created by the SQL Server Setup program:
  • Default instance: SQLServer2005SQLAgentUser$ComputerName$MSSQLSERVER
  • Named instance: SQLServer2005SQLAgentUser$ComputerName$InstanceName
For SQL Server 2008, the following user groups are created by the SQL Server Setup program:
  • Default instance: SQLServerSQLAgentUser$ComputerName$MSSQLSERVER
  • Named instance: SQLServerSQLAgentUser$ComputerName$InstanceName
Those groups have the appropriate permissions to allow proxy accounts to be impersonated.

For more information about the required permissions for a SQL Server Agent service account, visit the following Microsoft Web sites:

Properties

Article ID: 911305 - Last Review: October 1, 2009 - Revision: 2.0
APPLIES TO
  • Microsoft SQL Server 2005 Standard Edition
  • Microsoft SQL Server 2005 Developer Edition
  • Microsoft SQL Server 2005 Enterprise Edition
  • Microsoft SQL Server 2005 Workgroup Edition
  • Microsoft SQL Server 2008 Standard
  • Microsoft SQL Server 2008 Developer
  • Microsoft SQL Server 2008 Enterprise
  • Microsoft SQL Server 2008 Workgroup
Keywords: 
kbsql2005repl kbexpertiseadvanced kbbug KB911305

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com