By default, the Gateway service runs as the local System account. This is configurable through the Services MMC Snap-in.
If you run the Gateway as an account other than Local System, then the Gateway service account requires the “Act As Operating System” and “Bypass Traverse Checking” user rights. It uses these rights for pass-through authentication and for changing and resetting passwords in certain situations.
When performing before and after action scripts, the gateway may need the Replace a process level token right. This right is required if the gateway attempts to run the script subprocess as another user, such as the resource administrative user. In this case, the gateway process needs the right to replace the default token associated with that subprocess.
If this right is missing, the following error may be returned during subprocess creation:
"Error creating process: A required privilege is not held by the client"
The Replace a process level token right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers. To set this right on a system, open the Local Security Policies application within the Administrative Tools folder, then navigate to Local Policies > User Rights Assignment > Replace a process level token.