Automic Workload Automation


Re-Visit - A required privilege is not held by the client

  • 1.  Re-Visit - A required privilege is not held by the client

    Posted Sep 04, 2019 04:52 PM
    Hello,

    I have a new agent installed and am trying to run a simple JOBS to do a dir command.  I get this error:
    20190904/133346.883 - U02001040 Error in function 'CreateProcessAsUser', error code '1314', error description: 'A required privilege is not held by the client.'.
    20190904/133346.883 - U02001000 Job 'JOBS.WIN.NEW.2' could not be started. Error code '1314', error description: 'A required privilege is not held by the client.'

    I've seen a post with this information:
    This is a Windows message and usually means the User running the job or the Agent is missing one of the following privileges:

    • Act as part of the operating system
    • Replace a process level token
    • Logon as service
    • Logon as batch job 
    • Restore files and directories
    • Adjust memory quotas for a process
    • Back up files and directories 

    The login object user has full admin rights on the server and the client has R,W & E privileges on that agent.

    Any other options?

    Thanks

    ------------------------------
    Developer
    State of Colorado
    ------------------------------


  • 2.  RE: Re-Visit - A required privilege is not held by the client

    Posted Sep 05, 2019 02:35 AM
    Does your agent process run under an administrative account or "system"? Sounds like that may be the issue here. CreateProcessAsUser is indeed a message passed through straight from Win32 API and something goes wrong there, most likely lack of permissions for the OS agent process.

    https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera


  • 3.  RE: Re-Visit - A required privilege is not held by the client

    Posted Sep 05, 2019 02:41 AM
    In fact, the error is definitely about the process not having enough rights in Windows.

    Error 1314 as reported by Automic is Win32 API's ERROR_PRIVILEGE_NOT_HELD (1314) verbatim :)


  • 4.  RE: Re-Visit - A required privilege is not held by the client

    Posted Sep 05, 2019 02:57 AM
    Hi Tim,
    on Windows Server 2012 R2 I have disabled User Access Control and I also edited the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    --> EnableLUA
    --> It should be set to 0.

    This is the old post where I found this advice:
    https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=784689#bma3f06bfc-0e06-4fd7-ac6f-a201a541324d.





  • 5.  RE: Re-Visit - A required privilege is not held by the client

    Posted Sep 05, 2019 03:09 AM
    > I have disabled User Access Control

    While that probably does the trick, methinks there should (in an ideal world) be a better way short of disabling one of the major pillars of system security in a Windows server, system wide :(


  • 6.  RE: Re-Visit - A required privilege is not held by the client

    Posted Sep 05, 2019 05:59 PM
    I agree, don't disable UAC.  Administrative rights (believe it or not) are not enough.  You have to open the server's Local Security Policy, expand Local Policies and select User Rights Assignment.  Locate each of the policies and add the user to that policy.


  • 7.  RE: Re-Visit - A required privilege is not held by the client
    Best Answer

    Broadcom Employee
    Posted Sep 05, 2019 08:44 AM

    Hi Tim,


    did you perform the following step as described in the docu https://docs.automic.com/documentation/webhelp/english/AA/12.3/DOCU/12.3/Automic%20Automation%20Guides/help.htm#Installation_Manual/InstallAgents/InstalltheAgents.htm ?

    Agents running on Windows Server 2012 and higher versions: To avoid problems while executing actions (access denied), you should change the value of User Account Control: Run all administrators in Admin Approval Mode to Disabled in the Security Settings / Local Policies / Security Options section of the Local Security Policy application (secpol.msc). This ensures that the Windows Agent using the local Windows administrator account (although in the administrator group) can execute actions properly.



    ------------------------------
    Engineering Program Manager
    Broadcom
    ------------------------------



  • 8.  RE: Re-Visit - A required privilege is not held by the client

    Posted Sep 05, 2019 02:35 PM
    Thanks everyone for the additional info.  I am waiting for the end user to get back to me to try some of this.  It could be a couple of days.  I will update with the results then.

    ------------------------------
    Developer
    State of Colorado
    ------------------------------



  • 9.  RE: Re-Visit - A required privilege is not held by the client

    Posted Sep 12, 2019 12:43 PM
    In state government, no one at the agency level is willing to modify or disable UAC.  So that suggestion does not work in my environment.

    The end user and server admin of the agent finally got back to me so I could review their agent installation and Automic service account.  In this case, it was all about permissions at the folder level.  Even though the Automic service account was assigned to the administrator role, it did not have full control on the Automic folder.  On the Automic folder, right click Properties/Security/Edit and give the service account full control.  I had the admin update the privileges on the folder and now jobs run without permission errors.  To verify, the full control was removed and got permission errors again.

    Thanks again everyone for your input.


    ------------------------------
    Developer
    State of Colorado
    ------------------------------



  • 10.  RE: Re-Visit - A required privilege is not held by the client

    Posted Sep 12, 2019 06:23 PM
    Try going to secpol.msc on the target system, then Local Policies -> User Rights Assignment and add 'Everyone' (or whatever user you want) to each of the items above (like 'Act as part of the operating system') until you "hit" the one causing the problem. Once you find it, test with the desired user instead of 'Everyone'.

    ------------------------------
    Sr. Consultant
    HCL Technologies
    ------------------------------
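
    An added example, not part of any post in this thread and not Automic's own tooling: a read-only PowerShell check of the three things discussed above (the user rights listed in the first post, the ACL on the agent folder, and the EnableLUA value), so the missing item can be found without disabling UAC or granting rights to 'Everyone'. The account name and folder path are placeholders; the `Se...` names are the Windows constants for the listed rights.

```powershell
# Added example: read-only audit. Run from an elevated prompt on the agent host.
param(
    [string]$Account   = 'CONTOSO\svc-automic',   # placeholder service account (assumption)
    [string]$AgentPath = 'C:\Automic'             # placeholder agent folder (assumption)
)

# User rights named in the first post, keyed by their Windows constant names.
$rights = [ordered]@{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
    SeServiceLogonRight           = 'Log on as a service'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeRestorePrivilege            = 'Restore files and directories'
    SeIncreaseQuotaPrivilege      = 'Adjust memory quotas for a process'
    SeBackupPrivilege             = 'Back up files and directories'
}

# Resolve the account to its SID; secedit writes most holders as *SID.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local security policy and parse it.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $policy[$Matches[1]] = $Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg

# Direct assignments only: rights held through group membership are not resolved.
foreach ($name in $rights.Keys) {
    $held = ($policy[$name] -contains $sid) -or ($policy[$name] -contains $Account)
    $state = if ($held) { 'assigned' } else { 'NOT assigned' }
    '{0,-30} {1,-38} {2}' -f $name, $rights[$name], $state
}

# ACL entries naming the account on the agent folder (the fix reported in post 9).
(Get-Acl -Path $AgentPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

# UAC state from the key mentioned in post 4: 1 = enabled, 0 = disabled.
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
```

    An empty ACL result means the account has no explicit entry on the folder and any access it has comes through a group.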



  • 11.  RE: Re-Visit - A required privilege is not held by the client

    Posted Sep 13, 2019 04:28 AM
    Edited by Carsten Schmitz Sep 13, 2019 04:29 AM
    Sorry, can not resist :)

    I absolutely second that UAC should not be disabled as a blanket solution, as sadly many companies simply do.

    On the other hand, we're all running a utility software called an Agent on our high value servers. That agent, a rather large networking binary which, shall we say, nobody would expect to be even statistically bug-free under the best of circumstances, which ran fully suid root on our Linux servers for a long time (and still partly does), and runs as "system" on our Windows servers. That software is closed source, and to date there have been no independent code reviews published ever as far as I am aware. The crypto for many years was at least raising suspicion of "roll your own crypto", and though in recent years there have been reports of it being AES256, there are a multitude of reports of other companies ruining the security of any well-known cypher by way of implementation.

    I don't know much about state government, but I know the day a really inquisitive auditor comes to town is the day I'm off of work with very mysterious, fast onset migraines :D