AutoSys Workload Automation

  • Private Community
 View Only

 Permissions required for a Windows service account to perform task require admin privileges

sohelsa9's profile image
sohelsa9 posted May 21, 2025 12:00 PM

Hello,

My autosys jobs fail to run on Windows server if I'm executing any command that requires admin privileges, it works fine for non-admin tasks.

My service account that I'm using in autosys job is already part of local admin group and have also granted permissions mentioned in the article

Below is the error snippet, would appreciate help here as I'm exhausted and unfortunately my support team have no clue. 

+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

System error 5 has occurred.
Access is denied.
Program 'net.exe' failed to run: Win32 internal error "Access is denied" 0x5 occurred while reading the console output

Olusegun Oduntan's profile image
Broadcom Employee Olusegun Oduntan posted May 21, 2025 05:29 PM

Try to run in elevated mode, set the parameter in the agentparm.txt file and restart the agent.

oscomponent.logon.elevated=true

Robert Hoy's profile image
Robert Hoy posted May 22, 2025 08:48 AM

Hi,

Definitely try the "run in elevate mode" suggestion before you try anything else. If that fails, you need to check for restrictions that Microsoft has coded into the net.exe command. I suspect you may be bumping up against one of these restrictions. For instance, if you try to run the "net group <group name>" on a Windows Member Server, you will get a message that says, "This command can be used only on a Windows Domain Controller." This begs the questions, what are you trying to do with the command, and from what machine are you trying to do it? You may not be able to use that command on the server you are trying to use it from now. I don't recommend putting an Autosys agent on a Domain Controller, so if it's a use of the net.exe command restricted to Domain Controllers, I would suggest pursuing an alternative using Powershell. I've had that happen to me in the past, and I've always found an alternative in Powershell that worked around those restrictions.