CA Process Automation Agent fails to run using a domain system account

Document ID : KB000121511
Last Modified Date : 26/11/2018
Issue:
The following error message appears when running a script operator via PowerShell:

Cannot create process as user - Access is denied.

Environment:
CA IT Process Automation 4.3.03
CA IT Process Automation 4.3.02
CA IT Process Automation 4.3.01
Cause:
This is clearly a permission issue at the operating system level. It happens when a Domain User is used to run a script operator. The issue is normally related to a patch upgrade, for example when a security update is necessary.
Resolution:
This is a permission issue at the operating system level. There is no single specific action to take, because a permission issue can have many causes, e.g. Windows policies being applied, upgrades, security updates and many others.

There are some actions you can take to fix this issue:
  • If you have other users who have access and are running scripts properly, try using one of them in place of the user that fails with the permission issue. This is useful only if you are sure the issue lies with the user itself and is not related to the server or to the Windows policies;
  • On the Agent Server side, make sure the user intended to run scripts has sufficient permission to write to the temp folders (including the profile temp folder);
  • If you are using a Domain User, you can work around this issue by using a local user;
  • Make sure there is no Windows policy issue. If the server was updated, we cannot guarantee the policies are applied properly. Even though you are able to log into the server with that user, we cannot guarantee that commands run by the agent work properly;
  • Review the Process Automation Agent service and try running it as the Local System account;
  • Reinstall the Agent using a local user instead of a domain user;
  • As a drastic solution, you can restore the server snapshot with an image taken before the issue;
  • The default behavior for the Process Automation Agent is to start as Local System. If you decide to run it as an AD Service Account, note that such accounts have a very different permission structure from normal accounts in Active Directory. They have policies assigned to them and modified based on the needs of the account, and are usually heavily restricted;
  • Although the user is a Domain Account and a member of the Administrators group, Windows can be quite particular with permissions. In the Local Security Policy on the Process Automation Agent, check Local Policies > User Rights Assignment and specifically add the Administrators group to the following: Act as part of the operating system, Log on as a batch job and Log on as a service;
  • Set "User Account Control" to "Never Notify".
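
To check the User Rights Assignment item above before changing the policy, the following PowerShell script exports the local user rights with `secedit` and reports who holds the three rights and whether the local Administrators group is among them. It is an added example, not part of the original CA article or product. It assumes an elevated prompt on the agent host; the function name `Resolve-Holder` and the temporary file name are illustrative.

```powershell
# Added example: audit the three user rights named in the article.
# Run from an elevated PowerShell prompt; secedit needs administrator rights.
$rights = [ordered]@{
    SeTcbPrivilege      = 'Act as part of the operating system'
    SeBatchLogonRight   = 'Log on as a batch job'
    SeServiceLogonRight = 'Log on as a service'
}
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Resolve-Holder([string]$entry) {
    # secedit writes SIDs as *S-1-...; plain account names have no asterisk
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*')) { return $entry }
    $sid = $entry.TrimStart('*')
    try {
        $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
        return "$name ($sid)"
    } catch { return $sid }   # orphaned or unresolvable SID
}

# Illustrative temporary file name; removed again in the finally block
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }
    $lines = Get-Content -Path $cfg
    foreach ($right in $rights.Keys) {
        $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $holders = @()
        if ($line) {
            $holders = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() })
        }
        [pscustomobject]@{
            Right          = $rights[$right]
            Constant       = $right
            Administrators = $holders -contains "*$adminsSid"
            Holders        = ($holders | ForEach-Object { Resolve-Holder $_ }) -join '; '
        }
    }
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

A right that has no line in the export is assigned to nobody and shows an empty `Holders` column.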