Article ID: 911305 - View products that this article applies to.
Bug #: 413203 (SQLBUDT)
If you run a SQL Server Agent job which has a step configured to “Run As” a specified proxy account, you may receive the following error message in the job history:
This error message may commonly affect the following job step types:
Executed as user : Domain\Account.
The process could not be created for step Step Number of job Unique Job ID (reason: A required privilege is not held by the client). The step failed.
Executed as user: <UserAccount>. Replication-Replication Snapshot Subsystem: agent <AgentName> failed. Executed as user: <UserAccount>. A required privilege is not held by the client. The step failed. [SQLSTATE 42000] (Error 14151). The step failed.
This problem occurs because the Windows Service Control Manager cannot grant the required permissions to run agent jobs to the new domain account.
SQL Server Configuration Manager will take additional steps beyond changing the service account or password. These steps will add the service account to the appropriate group membership which provides the necessary permissions.
You will receive the second error message mentioned in the Symptoms section when the SQL Server Agent service account does not have the required operating system permissions to spawn the necessary child process under the context of the proxy account.
Note This error message is not typically caused by the proxy account itself, but rather by the SQL Server Agent service account trying to impersonate the proxy account. The SQL Server Agent Service account is missing the required privileges to do impersonation.
To resolve this problem, use SQL Server Configuration Manager to change the domain account back to a startup account. Then, use SQL Server Configuration Manager to change the startup account to a domain account. When you do this, SQL Server Configuration Manager will add the domain account to the following security group:
SQLServer2005SQLAgentUser$ComputerName$InstanceNameTherefore, SQL Server Configuration Manager will grant the required permissions to run agent jobs to the domain account.
To resolve the problem, follow these steps:
To avoid this problem in the future, we recommend that you use SQL Server Configuration Manager instead of the Windows Service Control Manager to modify startup accounts.
For more information about how to change the SQL Server service account, visit the following Microsoft Web sites:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For SQL Server 2005, the following user groups are created by the SQL Server Setup program:
For more information about the required permissions for a SQL Server Agent service account, visit the following Microsoft Web sites:
Article ID: 911305 - Last Review: October 1, 2009 - Revision: 2.0