I am trying to get a CMDEXEC Proxy account working on Server 2008 R2 / SQL Server 2008 R2, and because I am working on a tightly locked down network / domain, I need to set the minimum level of rights possible.
Right now when I try to use a proxy with the SQL Agent running with a Domain service account, the attempt fails. If I set the Agent service account to Local Network, the proxy works fine.
What has now confused me is, in comparing the new server to an existing system (Server 2003 / SQL 2005,) neither of them give the Agent account the "Replace a process level token" privilege, yet the 03/05 system works. I have found that if I give the Agent account the "Replace a process..." privilege, the proxy account then works. I'd like to confirm that this is required, so I can go to the network security people to have the service account granted the required privileges.
I found this MSDN article which lists what privileges the install process grants the various SQL services.
I was also linked to this CodePlex article on creating the proxy accounts.
Too be clear:
I don't need instructions on creating a Proxy account, I've done that correctly! I need to know what privileges the SQL Agent account needs to be able to "run" the proxied job. Due to policies here, many local privileges are BLOCKED, and I am 99.9% sure this is causing my problems, so I'd really like a link to documentation that I can use to say "if the service account isn't granted this, this, and this, these jobs WILL fail unless I log in locally to run them manually."
Thanks all,
Jason A.
Jason A.