Understanding Logon Accounts and required User Rights Assignment to resolve connection, backup or restore failures
|Article:TECH130255|||||Created: 2010-01-22|||||Updated: 2013-03-21|||||Article URL http://www.symantec.com/docs/TECH130255|
If the account Backup Exec uses to attach with to perform a backup or restore operation does not have the required permissions, the following error can occur:
Access Denied, Cannot Attach to Resource
CASO (Central Administration Server) or SSO (Shared Storage Option)
Backup Exec provides the facility to save and maintain multiple logon accounts. These logon accounts are used when performing various operations in the Backup Exec interface. Logon accounts are used for the following: Internal application functions such as the communication between Backup Exec Services and the Backup Exec Database, application configuration tasks such as creating and configuring backup-to-disk folders and data selection for the purposes of creating selection lists, backing up and restoring data.
The logon accounts maintained in Backup Exec (other than the account used for the Backup Exec services) are independent of accounts maintained locally, or centrally, on Windows, Mac, Linux, Active Directory or other operating systems or directory services applications. For the logon accounts in Backup Exec to function as intended they must correspond to accounts on the local Windows system, Active Directory or remote systems, as is appropriate, and be given rights assignments to access data and system objects as necessary. NOTE: since the BE accounts are independent of the systems they interact with, care should be taken to maintain account settings and passwords as needed. Changes to accounts in Backup Exec do not effect change to the related accounts on the Windows system, Active Directory or remote systems.
1. Logon account for Backup Exec Services - by default this is the account specified during installation and is assigned to all the BE services other than the Backup Exec Error Recording Service and the Backup Exec Remote Agent for Windows Systems service which run as the Local System account. NOTE: these services can be configured from the Backup Exec Services Manager which can be launched from the BE UI status bar or Tools Menu.
2. System logon account - This account is used to perform application specific configuration tasks such as copying jobs and using the BE Command Line Applet. By default, this is the same account that was specified during installation and is also used as the account for the Backup Exec services.
3. Default logon account - This is the account that is set as the default logon account in Backup Exec for the user currently using the Backup Exec User interface. In other words, it is the account in Backup Exec that is tied to your local or Domain logon that you are logged on to the system with that is hosting the Backup Exec application. Again, by default, this is the account that you specified when installing the Backup Exec application and is the account used by the Backup Exec services and specified as the System logon account.
For installation of Backup Exec you must be logged in with an account that has Administrative rights on the server. This is so that the installation routine can access the file system, registry and backup devices to make necessary configuration changes.
As part of the installation process an account must be specified for the Backup Exec services, this account must have local administrative rights on the server. By default, during the installation process, the account specified for the Backup Exec services is assigned the right to "logon as a service" locally, or on the domain, as is appropriate. The service account will also be granted full rights to the BEDB SQL database that is created during the install. The account specified will be used by all Backup Exec services other than the Backup Exec Error Recording Service and the Backup Exec Remote Agent for Windows Systems, these services will us the Local System account by default. For proper functionality the services using the Local System account should be left configured in this manner.
Note: if the BEDB database is hosted on a server other than the local Backup Exec Media Server, the account will also have to be a member of the Domain Admins group. The System Account specified in the Backup Exec Logon Accounts Management utility should have the same rights as the service account for best functionality. Best practice: to make the System Account the same account as the service account.
About Logon Rights and Backup Devices:
Backup Devices are accessed using the credentials assigned to the Backup Exec Services. Since Backup Exec can not pass unique credentials to backup devices, care should be taken to ensure that external devices (such as NAS devices) can accept the service credentials or have an equivalent account with appropriate rights. Also, Backup-to-Disk folders should have appropriate rights assigned for the resources being protected to that target device. (Example: when Exchange backup sets are sent to a B2d folder, the user specified will require appropriate Domain and Exchange Server access rights on that folder for GRT (Granular Restore Technology) to function properly.
About logon rights required to protect NTFS volume data:
Backup Exec requires either membership in the Backup Operators group, or Administrators group to protect NTFS file data. Specifically, Backup Exec requires the following rights:
1. Backup files and directories
2. Restore files and directories
3. Allow log on locally (Windows 2000, 2003 and XP only)
4. Logon as Batch (Windows 2008/Vista and above)
Best Practice (for ease of use): Make the primary account in BE used to create selection lists and backup jobs a member of the Domain Admins or domain Administrators group.
About logon rights required to protect Microsoft Exchange data:
Backup Exec requires the following rights to protect Exchange data:
1. For non-GRT backups (database only with no granular restore functionality) the logon account specified must be a member of the local Backup Operators group on the Exchange server
2. For database only restores (database only with no granular restore functionality) the logon account specified must be a member of the local Administrators group on the Exchange server
3. For GRT (Granular Restore Technology) enabled backups to disk (where the disk device is local to the BE Media Server and in the same domain) the logon account specified must be a member of the local Administrators group on the Exchange server
4. For GRT backups to a tape device and ALL GRT restore operations, from tape or disk, the logon account specified must be a member of the local Administrators group on the Exchange server. In addition, the logon account must have a unique mailbox and the mailbox can NOT be hidden from the Global Address List. For Exchange 2003 the account must also be granted the Exchange Administrator, or Exchange Full Administrator role. On Exchange 2007 and 2010 servers the account must be granted the Exchange Organization Administrator role. Finally, for Exchange 2010 the account must also have the Administrator role on the AD Domain for AD access as part of the GRT operations.
Best Practice(for ease of use): Make the account in Backup Exec for Exchange backup and restore operations a member of the Domain Admins group and grant that account the Exchange Full Administrator or Exchange Organization Administrator role (as is appropriate for the version of Exchange). Also make sure the account has a unique mailbox visible in the GAL and can send and receive mail.
About logon rights required to protect Microsoft SQL data:
Backup Exec requires the following rights to protect SQL data:
The account used to protect Microsoft SQL data should have Administrator rights on the SQL server as well as the SQL databases. This is necessary specifically for SQL database restore procedures, where the SQL services or cluster groups may need to be controlled as part of the restore operation.
About logon rights required to protect Microsoft SharePoint data:
1. For SharePoint backup and restore operations the account specified in Backup Exec must have local administrator rights on all the Servers participating in the SharePoint farm as well as an administrator on the associated SQL databases
2. For the purpose of SharePoint GRT item restores the account must also be granted the Site Collection Administrator role on the SharePoint site
Best Practice (for ease of use): Make the account a member of the Domain Admins group in the domain where the SharePoint farm is located and grant the account the Site Collection Admin role in SharePoint. For additional information, review the following:
Pre-requisites for Backup Exec Service Account (BESA) to backup Microsoft Office SharePoint Server (MOSS) 2007 / (MOSS) 2010
About logon rights required to protect Microsoft Active Directory data:
All backup and restore operations performed against a Microsoft Active Directory domain database, including GRT restore operations, require the account used to be a member of the Domain Admins group.
About logon rights required to protect Microsoft Hyper-V virtual machine data:
Microsoft Hyper-V virtual machine data protection requires that the account be a member of the local Administrators group on the Hyper-V host. For App-GRT operations (Application GRT, wherein any Microsoft databases which have Backup Exec Agent support are able to be restored using the GRT functionality when backed up as part of a virtual machine) the account used must have local administrator rights on the virtual system as well as the rights specified for the specific agent required. See other related sections of this document for additional detail as is appropriate.
About logon rights required to protect VMware virtual machine data (also referred to as AVVI, Agent for VMware Virtual Infrastructure):
The following specific rights are required for backup operations (as specified on the Virtual Center server or the ESX host as is appropriate):
1. VMware Consolidated Backup User role, which comprises the following rights:
a. Virtual Machine Configuration: Disk Change Tracking and Disk Lease
b. Virtual Machine Provisioning: Allow read-only disk access and Allow virtual machine download
c. Virtual machine state: Create snapshot and Remove snapshot
The following specific rights are required for restore operations (as specified on the Virtual Center server or the ESX host as is appropriate):
1. Resource: Assign virtual machine to resource pool
2. Virtual machine > Configuration:
a. Add existing disk
b. Add new disk
c. Add or Remove device
e. Change CPU count
f. Change Resource
g. Disk change Tracking
h. Disk Lease
i. Host USB device
k. Modify device setting
l. Raw device
m. Reload from path
n. Remove disk
p. Reset guest information
r. Swapfile placement
s. Upgrade virtual hardware
3. Virtual machine > Interaction:
a. Power Off
b. Power On
c. Virtual machine > Inventory
d. Create new
4. Virtual machine > Provisioning:
a. Allow read-only disk access
b. Allow virtual machine download
5. Virtual machine > State:
a. Create snapshot
b. Remove snapshot
c. Revert to snapshot
About logon rights required to protect VMware virtual machine database application data (Also referred to as Application GRT)
Backup Exec allows the granular restore of database data back to virtual machines under specific circumstances. The data must come from a Microsoft Active Directory, Exchange or SQL database. The version of the database must be supported in the current version of the product. In addition to the rights required to protect the virtual machine, the account used must also have administrator rights and the appropriate rights pertinent to the application on the virtual system. In other words, the account specified in BE to access the VM must also have all the necessary rights to fully protect the Active Directory, Exchange or SQL database present on the target system, just as if the Agent for Windows Systems was used. Please see above sections for required rights for specific database applications.
About logon rights required to protect Oracle database data:
If the target database is running on Windows the account specified must be a member of the local administrators group. On Linux the user must be a member of the beoper group. The account specified must also have SYSDBA rights on the Oracle instance being protected.
About logon rights required to protect Lotus Notes data:
The Agent for Windows Servers on the Lotus server must be running as the Local System account (default). The account specified should also have backup and restore privileges and file creation rights on the Lotus database.
About logon rights required to protect Symantec Enterprise Vault data:
To protect Enterprise Vault (EV) databases, including Compliance and Discovery Accelerator, the account specified can have any one of the following credentials:
1. The Vault Service account
2. Domain Admin group membership and Admin role on the Enterprise Vault instance
3.. A Domain account with the following:
a. Administrators group membership on all participating EV servers
b. Backup Operators group membership on servers hosting EV databases
c. Admin role on Vault Store and Index locations
4. Admin role in EV should include: EVT Manage Vault Store Backup Mode and EVT Mange Index Location Backup Mode
About logon rights required to protect Windows File System and Exchange resources with the BE Archiving Option:
1. The account specified should also be the BE service account
2. The account must be a domain member
3. For file system archiving the BE service account should have the following:
a. Local administrator rights on the target server
b. Full Control share permissions on shares selected for archiving
c. NTFS rights on shared directory selected: Modify, List Folder Contents, Read and Write
4. For Exchange mail archiving the BE service account should have the following:
a. At the Organization level, or Exchange server level, Allow setting for all permissions (or 'All' setting for 2007)
b. Send As and Receive As rights on the mailbox designated as the Archiving 'System' mailbox (NOT the "System Mailbox" as specified on the Exchange server)
5. If the media server and the protected resources are in different domains the following trust relationships should exist:
a. The media server domain, and the Exchange and File Server domains must trust the domain that the Backup Exec service account belongs to
b. The media server domain must trust the domains that contain the accounts of users whose mailboxes reside on the Exchange Servers, and that access the archived file shares and folders
About logon rights required to protect data on Linux systems using the Remote Agent for Linux or Unix Servers (RALUS):
The logon account specified must exist on the Linux/Unix target server and must be a member of the Backup Exec Operators (or 'beoper' ) group to perform a Backup or a Restore Operation. (This restriction applies even to the super user, or "root" account).
To perform a Delete Operation after a successful backup (i.e. to do the 'backup and delete the "files" operation), the logon account selected must be that of the super user.
About logon rights required for the Remote Media Agent for Linux or Unix Servers (RMALS):
Beremote.exe must run as "root".
Jobs can run with lower rights as long as the user specified is a member of the beoper group.
About installation of the Agent on Linux/Unix/Macintosh systems:
Install requires the user to be "root" to install the agent to the local or remote machines. Modification to system configuration and group files require "root" user privileges during installation process.
About logon rights required to protect data on Apple Macintosh systems using the Remote Agent for Macintosh Systems (RAMS):
The logon account used must be a member of the "admin" group, to perform a Backup or Restore Operation.
To perform a Delete Operation after a successful backup (i.e. to do the "backup and delete the files" operation), the logon account used must be that of the super user.
About logon rights required to protect data on Netware systems using the Remote Agent for Netware Systems (RANW):
The Remote Agent for NetWare requires no special login or service account to operate. Full access rights to the host server are implied by virtue of the Remote Agent being loaded from the host server console.
User rights appropriate to particular tasks are required to perform those tasks. For example, for file system backups a user must have Read, File Scan, Modify, and Access Control rights to all files they wish to backup. To backup the Novell Directory Services tree, a user must have Supervisor rights (which implies all other rights) to the tree's Root.
About logon rights required to protect SAP databases using the Backup Exec Agent for SAP applications:
SAP backup/restores are DBA initiated operations, so there is no browse for SAP database. Backup Operator rights are the minimum required to submit a SAP job. DBA can be the same as the account used for SAP job submission or you can provide any other account that has backup/restore privileges on SAP server.
In addition, the account specified must have appropriate privileges on both the SAP and Backup Exec media servers to be able to back up and restore data.
The Backup Exec service account must have the following:
- Access to selections in the jobs that are submitted by the BACKINT interface.
- Rights to the volumes on which the selections are contained
BE CPS services run with the following default configuration. This configuration should be preserved for proper functionality.
CPS Protection Agent service runs as user belonging to local/Domain Administrator group
- CPS Config writer service runs as user belonging to local/Domain Administrator group
- CPS Database service runs as Local System
- CPS Indexing service runs as Local System
- CPS Management Service must run as a user that is a member of the local/Domain Administrator group
- CPS Network Helper service runs as Local System.
- CSPS System State Manager service must run as a user that is a member of the local/Domain Administrator group
- CPS Filter driver runs in the kernel space to have full access to all protected resources
About additional logon rights considerations for a BE Central Administration Server (CASO) or Shared Storage Option (SSO) server environment:
The Backup Exec service account must have Domain Admin group membership. The BEDB database requires the Backup Exec service account to be added as administrator on the BackupExec SQL Instance.
In addition the Backup Exec service account requires the following rights:
1) Backup Files and Directories
2) Restore Files and Directories
3) Create a Token Object
4) Manage Auditing and Security Log
5) Take ownership of files and other objects
6) Act a part of the operating system (Windows 2000 only)
In most cases, the rights specified here are the minimum rights required to perform the desired backup and restore operations. If a set of "best practices" is specified, it is intended as a way to give rights that will result in the desired operation being performed but with, most often, less restrictive rights than may be desirable. This is simply to provide a starting point for troubleshooting and fine tuning rights assignments. Where more restrictive rights are required the general recommendation would be to test the desired operation with the least restrictive rights and add restrictions until the operation fails. This article was also written to address permissions requirements for the current Backup Exec version and all its options, though sections of this TechNote may apply to prior or future versions of the product.
Article URL http://www.symantec.com/docs/TECH130255