Error: "Unable to execute atomic job <xxx> on SQE(SQE_Name) because of an error. Error Message: (AtomicJobBase::Execute(): A required privilege is not held by the client." while running queries using bv-Control for Windows

book

Article ID: 157385

calendar_today

Updated On:

Products

Symantec Products

Issue/Introduction

Error: "Unable to execute atomic job <xxx> on SQE(SQE_Name) because of an error. Error Message: (AtomicJobBase::Execute(): A required privilege is not held by the client." while running queries using bv-Control for Windows

Unable to execute atomic job(xxx) on SQE(SQE_Name) because of an error. Error Message: (AtomicJobBase::Execute(): A required privilege is not held by the client. Context Information:

The Agent (DCA) was not created (attempt 5 of 5). Error (AgentManager::Restart() - CreateAgentAndWaitForRegister(): A required privilege is not held by the client. Context Information: AgentInterfaceInstance::CreateAgentAndWaitForRegister(): A required privilege is not held by the client. Context Information: AgentQEAgentIf::PrivateCreateAgent() - App (D:\Program Files\Symantec\BVNTQE\BVQEAgentStub.EXE), Params ("D:\Program Files\Symantec\BVNTQE\BVQEAgentStub.EXE" DCA 872) - CreateProcessAsUser(token=0x0000057C) has failed with error code: 0x00000522

Exception was caught.), Error code(1314). Total number of starting agents is 1.Query ID: A507FAD3-231C-4F9D-99AF-CCAEAF6B3688

Cause

User Rights Assignment for Replace a process level token not assigned correctly for the service account.

Resolution

 Add the Service account used for running the queries to the User Rights Assignment for Replace a Process Level Token and this should resolve  the issue.

Note :-  Regarding ‘Replace a process level token’ URA, it determines which user accounts can initiate a process to replace the default token associated with a launched subprocess, and gives services the ability to start another service. So enabling a privilege in an access token allows the process to perform system-level actions that it could not previously, which is a great risk. Hence accounts are not added automatically in it . In Windows 2000, by default, only Local System accounts had this privilege. In windows 2003, Network Service and Local System had this and in windows 2008 by default Network Service and Local Service have this privilege. So if you are running a Windows 2008 Domain, the local admin won’t be having this URA because it is not there by default. You will have to manually add it.

Reference Technote article :-
http://technet.microsoft.com/en-us/library/cc957225.aspx
This right is not normally granted to any user, and can be used to attain administrative rights.

By default only Local System Accounts have these rights.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx