ETL Jobs installation fails with Error Number:6522,State:1,Class:16 "A required privilege is not held by the client"


When installing the DataHub ETL jobs, the SQL service accounts must have the proper user rights assigned in the server's local security policy. In tightly regulated environments, organizations often change or restrict user and service rights to restricted OUs and zones.



Problem: The SQL engine, SQL Agent, SSIS, and Report Server service accounts do not have the key system access rights they need to process, due to AD GPO restrictions, after SQL is installed and the server is rebooted.


Solution:


Open Local Policy manager on the SQL server and check that the following services have the appropriate access per the table below:


SQL Server Service: Permissions granted by SQL Server Setup

SQL Server Database Engine (All rights are granted to the per-service SID. Default instance: NT SERVICE\MSSQLSERVER. Named instance: NT SERVICE\MSSQL$InstanceName.)
  - Log on as a service (SeServiceLogonRight)
  - Replace a process-level token (SeAssignPrimaryTokenPrivilege)
  - Bypass traverse checking (SeChangeNotifyPrivilege)
  - Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
  - Permission to start SQL Writer
  - Permission to read the Event Log service
  - Permission to read the Remote Procedure Call service

SQL Server Agent (All rights are granted to the per-service SID. Default instance: NT Service\SQLSERVERAGENT. Named instance: NT Service\SQLAGENT$InstanceName.)
  - Log on as a service (SeServiceLogonRight)
  - Replace a process-level token (SeAssignPrimaryTokenPrivilege)
  - Bypass traverse checking (SeChangeNotifyPrivilege)
  - Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

SSIS (All rights are granted to the per-service SID. Default instance and named instance: NT SERVICE\MsDtsServer110. Integration Services does not have a separate process for a named instance.)
  - Log on as a service (SeServiceLogonRight)
  - Permission to write to application event log
  - Bypass traverse checking (SeChangeNotifyPrivilege)
  - Impersonate a client after authentication (SeImpersonatePrivilege)

If the policy that removed the service accounts is a Group Policy Object (GPO), then the GPO must be changed to accommodate these rights, or DH will fail at the next policy refresh interval or restart.
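
One way to run the check above from PowerShell instead of reading the policy editor by hand. This is an added example, not part of the original article or any vendor tooling. It assumes a default instance, covers only the Se* user rights from the table (not the SQL Writer, Event Log, RPC or event-log-write permissions), and its list of groups that count as covering a service account is an assumption to adjust for your environment.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session on the SQL Server host.
# Default-instance service names and rights come from the table above; edit for named instances.
$sqlRights = 'SeServiceLogonRight','SeAssignPrimaryTokenPrivilege',
             'SeChangeNotifyPrivilege','SeIncreaseQuotaPrivilege'
$required = @{
    'NT SERVICE\MSSQLSERVER'    = $sqlRights
    'NT SERVICE\SQLSERVERAGENT' = $sqlRights
    'NT SERVICE\MsDtsServer110' = 'SeServiceLogonRight','SeChangeNotifyPrivilege','SeImpersonatePrivilege'
}
# Assumption: a grant to one of these well-known groups also covers a service account.
$groupSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-6' = 'NT AUTHORITY\SERVICE'; 'S-1-5-80-0' = 'NT SERVICE\ALL SERVICES' }

function Resolve-Sid([string]$Name) {
    # secedit writes "*S-1-..." for SIDs and a bare name for some accounts; normalise to a SID string.
    $n = $Name.Trim().TrimStart('*')
    if ($n -match '^S-1-') { return $n }
    try { ([System.Security.Principal.NTAccount]$n).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $n }   # unresolvable name: keep it as written
}

# Export only the user rights assignment area and parse its "SeXxx = holder,holder" lines.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$grants = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.+)$') {
        $right, $list = $Matches[1], $Matches[2]
        $grants[$right] = @($list.Split(',') | ForEach-Object { Resolve-Sid $_ })
    }
}
Remove-Item $cfg

$report = foreach ($account in $required.Keys) {
    $sid = Resolve-Sid $account
    if ($sid -notmatch '^S-1-') { Write-Warning "$account is not installed on this host"; continue }
    foreach ($right in $required[$account]) {
        $holders = @($grants[$right])   # empty when the right has no holders in the export
        $via = if ($holders -contains $sid) { 'direct' } else {
            ($holders | Where-Object { $_ -and $groupSids.ContainsKey($_) } |
                ForEach-Object { $groupSids[$_] }) -join ', '
        }
        [pscustomobject]@{ Account = $account; Right = $right; Held = [bool]$via; GrantedVia = $via }
    }
}
$report | Sort-Object Account, Right | Format-Table -AutoSize
```

Rows with Held = False are the rights to restore in the policy; rerunning the script after a policy refresh shows whether a GPO has removed them again.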