This article is to explain a scenario I started facing in my work environment after some bulk Windows Security patches were rolled out to my server. The SQL server agent jobs running with proxy accounts started failing. This error message recorded in the job history.
A required privilege is not held by the client. The step failed.
I had to go through many blogs to finally identify the exact root cause and find the fix for this on a permanent basis. Many blogs were telling me multiple steps in different order, which was a bit confusing. This article will just give the minimal and exact steps to be followed to fix the issue.
In addition to Security patching, you may observe similar issues in the following scenarios as well.
Scenario 1
SQL Server Agent jobs may fail after you change the SQL Server Agent service startup account by using the Windows Service Control Manager. In this blog, Microsoft suggests the solution for this case.
- Set the SQL Server Agent service account in SQL Server Configuration Manager to the LocalSystem account.
- Stop and then start the SQL Server Agent service.
- Reset the SQL Server Agent service account in SQL Server Configuration Manager back to the original account.
- Stop and then start the SQL Server Agent service.
Scenario 2
The same error may occur when a SQL Server service account is changed from Local Service \ Local System Account without adding it to the proper group policy.
I tried the above solution provided by Microsoft in Scenario 1, but it didn’t fix the issue. I assume since my root cause is not the one explained as in Scenario 1.
The root cause of my issue seems to be the removal of the SQL Serivce account from certain Local Groups on the server. The steps that I followed in the environment in my case are as follows :
First, I worked with the AD \ Wintel team to add the SQL Server service account the privilege called 'Replace a Process Level Token' by following the below steps.
- Login with your Administrator account on the Windows machine.
- Go to the Control Panel and open the Administrative Tools.
- Open theLocal Security Policy and expand Local Policies.
- Under User Rights Assignment, open the Replace a Process Level Token.
Alternatively you can use the gpedit.msc command also to open the Group Policy Editor Window.
Note : Most of the cases, only Windows \ AD admin will have this access to alter the group policies. Once they add this, they need to intitate a
gpupdate /force
.
within an elevated permission command line.
Next, configure the SQL Server service account to the same domain account that you have added to the 'Replace a Process Level Token' group policy in Step 1.
Finally, restart the SQL Database Engine Services and SQL Server Agent services to take the above changes into effect.
Hope this could help some SQL DBAs facing the similar issue.