Error: "Unable to execute atomic job on SQE(SQE_Name) because of an error. Error Message: (AtomicJobBase::Execute(): A required privilege is not held by the client." while running queries using bv-Control for Windows

Article:TECH200054  |  Created: 2012-11-23  |  Updated: 2013-02-10  |  Article URL http://www.symantec.com/docs/TECH200054
Article Type
Technical Solution


Issue



Error: "Unable to execute atomic job <xxx> on SQE(SQE_Name) because of an error. Error Message: (AtomicJobBase::Execute(): A required privilege is not held by the client." while running queries using bv-Control for Windows


Error



Unable to execute atomic job(xxx) on SQE(SQE_Name) because of an error. Error Message: (AtomicJobBase::Execute(): A required privilege is not held by the client. Context Information:

The Agent (DCA) was not created (attempt 5 of 5). Error (AgentManager::Restart() - CreateAgentAndWaitForRegister(): A required privilege is not held by the client. Context Information: AgentInterfaceInstance::CreateAgentAndWaitForRegister(): A required privilege is not held by the client. Context Information: AgentQEAgentIf::PrivateCreateAgent() - App (D:\Program Files\Symantec\BVNTQE\BVQEAgentStub.EXE), Params ("D:\Program Files\Symantec\BVNTQE\BVQEAgentStub.EXE" DCA 872) - CreateProcessAsUser(token=0x0000057C) has failed with error code: 0x00000522

Exception was caught.), Error code(1314). Total number of starting agents is 1.Query ID: A507FAD3-231C-4F9D-99AF-CCAEAF6B3688


Cause



User Rights Assignment for Replace a process level token not assigned correctly for the service account.


Solution



 Add the Service account used for running the queries to the User Rights Assignment for Replace a Process Level Token and this should resolve  the issue.

Note :-  Regarding ‘Replace a process level token’ URA, it determines which user accounts can initiate a process to replace the default token associated with a launched subprocess, and gives services the ability to start another service. So enabling a privilege in an access token allows the process to perform system-level actions that it could not previously, which is a great risk. Hence accounts are not added automatically in it . In Windows 2000, by default, only Local System accounts had this privilege. In windows 2003, Network Service and Local System had this and in windows 2008 by default Network Service and Local Service have this privilege. So if you are running a Windows 2008 Domain, the local admin won’t be having this URA because it is not there by default. You will have to manually add it.

Reference Technote article :-
http://technet.microsoft.com/en-us/library/cc957225.aspx
This right is not normally granted to any user, and can be used to attain administrative rights.

By default only Local System Accounts have these rights.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx





Article URL http://www.symantec.com/docs/TECH200054


Terms of use for this information are found in Legal Notices