The SQL Server Agent requires certain permissions to work, both inside SQL Server and at the Windows level.
The SQL Server Agent should be sysadmin in SQL Server; if it doesn’t have this permission, the SQL Server Agent will fail to start.
At the Windows level, the SQL Server Agent requires the permissions below (each added to the respective policy) to work properly.
- Log on as a service: It determines which service accounts can register a process as a service.
- Replace a process level token: It allows a Windows account to launch a new process under a different user account. This permission enables the SQL Server Agent service account to launch processes that “run as” the user accounts defined in the proxy.
- Bypass traverse checking: This permission allows a Windows account to traverse a directory structure, even though the account may not have access to the individual levels of the directory tree.
- Adjust memory quotas for a process: It is required so that SQL Server Agent can adjust memory quotas for memory-intensive jobs.
- Log on as a batch job: When executing scheduled tasks in the context of a different user, SQL Server Agent will first create a new “batch logon session” that runs in the security context of this user. A batch logon session is a session created without any interaction from the user, as opposed to an “interactive” logon session, which is created when a user physically logs on to the machine. This permission enables SQL Server Agent to create a batch logon session.
For details of all the available policies, check here.
If you have provided the above 6 permissions to the SQL Server Agent service account, you can rest assured that it will work as expected.
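
One way to audit the Windows-level rights listed above is to export the local user rights assignment with `secedit` and check each policy for the service account. This is an added example, not part of the original article; the function name `Test-AgentUserRights` is hypothetical, and the default account `NT SERVICE\SQLSERVERAGENT` assumes a default instance running under its per-service SID.

```powershell
# Added example: audit the five Windows user rights listed above for one account.
# Run from an elevated PowerShell prompt on the SQL Server host.
function Test-AgentUserRights {
    param(
        # Assumption: default-instance per-service SID; pass your own service account.
        [string]$Account = 'NT SERVICE\SQLSERVERAGENT'
    )

    # Policy display name -> constant used in the secedit export.
    $required = [ordered]@{
        'Log on as a service'                = 'SeServiceLogonRight'
        'Replace a process level token'      = 'SeAssignPrimaryTokenPrivilege'
        'Bypass traverse checking'           = 'SeChangeNotifyPrivilege'
        'Adjust memory quotas for a process' = 'SeIncreaseQuotaPrivilege'
        'Log on as a batch job'              = 'SeBatchLogonRight'
    }

    # secedit writes most principals as *<SID>, so compare by SID as well as by name.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    $cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    $granted = @{}
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

        # Lines look like: SeServiceLogonRight = *S-1-5-20,*S-1-5-80-...
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                $granted[$Matches[1]] = $Matches[2].Split(',') |
                    ForEach-Object { $_.Trim().TrimStart('*') }
            }
        }
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }

    # Only direct assignments are detected; a right inherited through a group
    # (for example Everyone on "Bypass traverse checking") shows as False here.
    foreach ($entry in $required.GetEnumerator()) {
        $principals = @($granted[$entry.Value])
        [pscustomobject]@{
            Policy          = $entry.Key
            Constant        = $entry.Value
            DirectlyGranted = ($principals -contains $sid) -or ($principals -contains $Account)
        }
    }
}

Test-AgentUserRights | Format-Table -AutoSize
```

A `False` row means the account is not named directly in that policy, so check its group memberships before concluding the right is missing.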