Affected versions: Windows Server 2022

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution - Primary Fix
  7. Solution - Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

SQL Agent jobs fail simultaneously and history shows credential or proxy failures. Scheduled maintenance, ETL, and backup jobs stop, increasing risk of data loss and reporting delays.

Environment & Reproduction

This is common after password rotation, GPO policy tightening, or duplicate service credential use across systems. Failures reproduce when SQL Agent executes any job step requiring the locked identity.

Get-Service SQLSERVERAGENT
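# Filter on event ID at the source; -MaxEvents alone would scan only the newest 80 Security events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4740} -MaxEvents 80 | Select-Object TimeCreated,Id,Message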
Get-WinEvent -LogName Application -MaxEvents 40 | Where-Object {$_.ProviderName -match 'SQLSERVERAGENT'}

Root Cause Analysis

Frequent causes are stale stored credentials, failed password sync in service control manager, account lockout threshold, and constrained delegation/proxy misconfiguration for job subsystems.

Quick Triage

Identify lockout source, confirm account status, and map failed jobs to credential dependencies.

# <service-account> is a placeholder for the affected account name
net user <service-account> /domain
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} -MaxEvents 100
Invoke-Sqlcmd -Query "EXEC msdb.dbo.sp_help_job"
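
The triage step above (identify the lockout source), as an added example that is not part of the original page: a function that takes the XML of 4625/4740 events and counts, per source host, the failed logons and lockouts recorded for one account. The function name, the sample events and the hostnames APP01 and ETL02 are constructed for illustration; svc_sqlagent is the account name this page uses in its fix section.

```powershell
# Added example: summarize where failed logons and lockouts for one account come from.
# Live input (4740 is logged on domain controllers, 4625 on the host that rejected the logon):
#   $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4740} | ForEach-Object { $_.ToXml() }
function Get-LockoutSourceSummary {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string[]]$EventXml
    )
    $hits = foreach ($raw in $EventXml) {
        $x = [xml]$raw
        $fields = @{}
        foreach ($d in $x.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        if ($fields['TargetUserName'] -ne $Account) { continue }   # -ne is case-insensitive
        $id = [int]$x.Event.System.EventID
        [pscustomobject]@{
            Time    = [datetime]$x.Event.System.TimeCreated.SystemTime
            EventId = $id
            # 4740 stores the caller computer in TargetDomainName; 4625 uses WorkstationName
            Source  = if ($id -eq 4740) { $fields['TargetDomainName'] } else { $fields['WorkstationName'] }
        }
    }
    $hits | Group-Object Source | ForEach-Object {
        [pscustomobject]@{
            Source    = $_.Name
            Failures  = @($_.Group | Where-Object EventId -eq 4625).Count
            Lockouts  = @($_.Group | Where-Object EventId -eq 4740).Count
            FirstSeen = ($_.Group.Time | Sort-Object | Select-Object -First 1)
            LastSeen  = ($_.Group.Time | Sort-Object | Select-Object -Last 1)
        }
    } | Sort-Object Lockouts, Failures -Descending
}

# Constructed sample events (not real log data); APP01 and ETL02 are made-up hostnames.
$ns  = 'http://schemas.microsoft.com/win/2004/08/events/event'
$tpl = "<Event xmlns='$ns'><System><EventID>{0}</EventID><TimeCreated SystemTime='{1}'/></System>" +
       "<EventData><Data Name='TargetUserName'>{2}</Data><Data Name='{3}'>{4}</Data></EventData></Event>"
$sample = @(
    ($tpl -f 4625, '2024-01-01T02:00:01Z', 'svc_sqlagent', 'WorkstationName',  'APP01'),
    ($tpl -f 4625, '2024-01-01T02:00:03Z', 'svc_sqlagent', 'WorkstationName',  'APP01'),
    ($tpl -f 4740, '2024-01-01T02:00:05Z', 'svc_sqlagent', 'TargetDomainName', 'APP01'),
    ($tpl -f 4625, '2024-01-01T02:10:00Z', 'svc_sqlagent', 'WorkstationName',  'ETL02'),
    ($tpl -f 4625, '2024-01-01T02:11:00Z', 'otheruser',    'WorkstationName',  'ETL02')
)
Get-LockoutSourceSummary -Account 'svc_sqlagent' -EventXml $sample | Format-Table -AutoSize
```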

Step-by-Step Diagnosis

Validate SQL Agent service identity, job owner/proxy bindings, and domain account policy interactions.

sc.exe qc SQLSERVERAGENT
Invoke-Sqlcmd -Query "SELECT name,enabled,owner_sid FROM msdb.dbo.sysjobs"
Invoke-Sqlcmd -Query "SELECT * FROM msdb.dbo.sysproxies"
secedit /export /cfg C:\Temp\sec-policy.cfg

Solution - Primary Fix

Unlock and reset the service account securely, update SQL Agent service credentials, and restart dependent services in sequence.

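# Reset in AD per policy, then update service credential
# <new-password> is a placeholder; a password typed on the command line may be captured by command history or process command-line auditing
sc.exe config SQLSERVERAGENT obj= DOMAIN\svc_sqlagent password= "<new-password>"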
Restart-Service SQLSERVERAGENT -Force
Invoke-Sqlcmd -Query "EXEC msdb.dbo.sp_update_job @job_name='Maintenance', @enabled=1"

Solution - Alternative Approaches

Move to gMSA for SQL Agent where possible to eliminate manual password rotation drift and reduce lockout risk.

Install-ADServiceAccount -Identity gmsaSqlAgent
Test-ADServiceAccount gmsaSqlAgent
sc.exe config SQLSERVERAGENT obj= DOMAIN\gmsaSqlAgent$ password= ""
Restart-Service SQLSERVERAGENT

Verification & Acceptance Criteria

Pass criteria: SQL Agent remains running, failed jobs execute successfully, and no new 4625/4740 bursts occur for the service identity.

Get-Service SQLSERVERAGENT
Invoke-Sqlcmd -Query "EXEC msdb.dbo.sp_start_job @job_name='Maintenance'"
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4740} -MaxEvents 40

Rollback Plan

If the new credential rollout fails, revert SQL Agent to the prior known-good identity and disable noncritical jobs until the root cause is confirmed.

# <previous-password> is a placeholder for the prior known-good credential
sc.exe config SQLSERVERAGENT obj= DOMAIN\svc_sqlagent_old password= "<previous-password>"
Restart-Service SQLSERVERAGENT
Invoke-Sqlcmd -Query "EXEC msdb.dbo.sp_update_job @job_name='NonCriticalJob', @enabled=0"

Prevention & Hardening

Adopt gMSA, enforce unique service credentials, and monitor lockout events with alerting mapped to SQL Agent job failures.

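# Query 4740 by event ID so the check is not limited to the newest 100 Security events
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-Command "Get-WinEvent -FilterHashtable @{LogName=''Security'';Id=4740} -MaxEvents 100"'
$trigger = New-ScheduledTaskTrigger -Daily -At 02:00
Register-ScheduledTask -TaskName 'DetectSqlAgentLockouts' -Action $action -Trigger $trigger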

Related Errors & Cross-Refs

Related to "Login failed for user" errors, SQL Agent proxy credential failures, and domain lockout policy violations tied to stale service passwords.

References & Further Reading

Microsoft guidance for SQL Agent security, group managed service accounts, and Active Directory account lockout troubleshooting on Windows Server 2022.
