I have a number of SQL Server Agent jobs running CmdExec statements.
They are simple jobs that call simple batch files.
They are run with a Run As: Proxy account, that has permissions to run as a CmdExec proxy, with a relevant linked Credential defined.
However when I try to run the job I get the following error:
Executed as user: PROXY_ACCOUNT.
The process could not be created for step 2 of job (reason: Access is denied).
The step failed.
When I grant the SQL Server Agent account permissions on the drive that the Proxy Account is trying to access, everything works.
This despite the fact that the Proxy Account already had permissions on the relevant drive.
As per the definition of proxy accounts the security context of the job step I'm running should be defined by the Proxy Account.
The documentation and articles about Proxy Accounts that I was able to find so far all indicate that when running the job step that has a Proxy Account defined, the SQL Server Agent should impersonate the credential, and run it with the Proxy Accounts security context.
So why is it that the Agent account also needs permissions on the relevant drive?
Am I misunderstanding something about the workings of a SQL Server Agent Proxy Account?
