All jobs running on a Windows agent are failing with an <Insufficient privileges> error. The jobs were working fine until the WA Agent service on the Windows machine was reconfigured to run as a specific user rather than the local system account. When viewing the joblog spool file (autorep -J <job_name> -t A), the following error appears at the bottom...
CAWA_E_20038 CreateProcessAsUser failed due to: A required privilege is not held by the client..Error code: 1314
When the WA Agent service on a Windows machine is configured to run as a local or domain user rather than the local System account, the local or domain user must have the following...
1. User must be part of the Administrators Group
2. Required User Rights
   - Act As A Part Of The Operating System
   - Access This Computer From The Network
   - Logon As A Service
   - Logon As A Batch Job
   - Log On Locally
   - Replace A Process Level Token
   - Create a token object
   - Create global object
   - Impersonate a client after authentication
   - Take ownership of files and other objects
The CreateProcessAsUser error mentioned above is specific to the "Increases Quota" (Adjust memory quotas for a process) and "Replace A Process Level Token" user rights. The Microsoft reference for the CreateProcessAsUser function defines the privilege requirements as follows:
Typically, the process that calls the CreateProcessAsUser function must have the SE_INCREASE_QUOTA_NAME privilege and may require the SE_ASSIGNPRIMARYTOKEN_NAME privilege if the token is not assignable.
SE_INCREASE_QUOTA_NAME - Required to increase the quota assigned to a process.
   User Right: Adjust memory quotas for a process.
SE_ASSIGNPRIMARYTOKEN_NAME - Required to assign the primary token of a process.
   User Right: Replace a process-level token.
If the local or domain user running the WA Agent service does not have both of these user rights, the jobs will fail with the <Insufficient privileges> error.
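One way to check an agent host for the rights listed above is to audit a user-rights export. This is an added example, not vendor code. It assumes the export comes from `secedit /export /cfg rights.inf /areas USER_RIGHTS` (a UTF-16 file), maps the article's right names to their Windows constants, and uses a constructed account SID and a constructed export excerpt.

```python
# User rights named in the article, keyed by the constant used in secedit exports.
REQUIRED = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeServiceLogonRight": "Log on as a service",
    "SeBatchLogonRight": "Log on as a batch job",
    "SeInteractiveLogonRight": "Log on locally",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeIncreaseQuotaPrivilege": "Adjust memory quotas for a process",
    "SeCreateTokenPrivilege": "Create a token object",
    "SeCreateGlobalPrivilege": "Create global objects",
    "SeImpersonatePrivilege": "Impersonate a client after authentication",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
}
ADMINS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
ACCT = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed account SID

def parse_privilege_rights(inf_text):
    """Return {right: holders} from [Privilege Rights]; SIDs are written as *S-1-..."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*").lower() for v in value.split(",") if v.strip()}
    return rights

def missing_rights(inf_text, principals):
    """Required rights held by neither the account nor any group it belongs to."""
    granted = parse_privilege_rights(inf_text)
    who = {p.lstrip("*").lower() for p in principals}
    return [r for r in REQUIRED if not granted.get(r, set()) & who]

# Constructed export excerpt; rights with no holder here count as missing.
SAMPLE_INF = f"""[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*{ADMINS}
SeServiceLogonRight = *{ACCT}
SeBatchLogonRight = *{ADMINS},*{ACCT}
SeInteractiveLogonRight = *{ADMINS}
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20
SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*{ADMINS}
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*{ADMINS}
SeTakeOwnershipPrivilege = *{ADMINS}
[Version]
signature="$CHICAGO$"
"""
```

Pass the service account's SID together with the SIDs of its groups, since a right granted to Administrators also covers a member account. On this sample, `missing_rights(SAMPLE_INF, [ACCT, ADMINS])` reports both rights that CreateProcessAsUser depends on.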