How to define/grant the required user rights/permissions for a Backup Exec Service Account (BESA)

Article:TECH136148  |  Created: 2010-01-16  |  Updated: 2014-12-08  |  Article URL http://www.symantec.com/docs/TECH136148
Article Type
Technical Solution


Issue



The backup selections show All Resources with nothing available for selection beneath it, as shown in Figure 1.
 
Figure 1:

 


Error



Connection with server failed. Hit <F5> to retry when trying to edit/create a backup job on Windows 2008 server

 


Cause



[ A ] The password set for the Backup Exec System Logon Account (Network -> Logon Accounts) or the Backup Exec Service Account (BESA) does not match the password set in Active Directory.

[ B ] The BESA does not have the 'Log on as a batch job' right.

By default this policy is applied to the Administrators and Backup Operators groups. This user right is defined in the default Domain Controller's Group Policy object (GPO) and in the Local Security Policy of workstations and servers, and it allows a user to be logged on by means of a batch-queue facility.

For more information on this user right, refer to:
http://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx

[ C ] The BESA is included in the 'Deny logon as a batch job' policy.

'Deny logon as a batch job' determines which accounts are prevented from logging on as a batch job. This policy setting supersedes the 'Log on as a batch job' policy setting if a user account is subject to both policies.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, there are no users denied logon as a batch job.
 
[ D ] This issue may occur due to lack of permissions. If the Backup Exec Logon Account is not a member of local administrators or is a member of some group that has restrictions, a connection cannot be made to the resources available for selection.


[ E ] This issue may occur if the Remote Agent for Windows Server (RAWS) service is stopped. Because the Job Engine service depends on RAWS, the Job Engine service will also be stopped.

 


Solution



[ A ] Reset the password for the Backup Exec System Logon Account (network > logon accounts) and/or the Backup Exec Service Account (Tools > Backup Exec services > Services Credentials) to match the password set in Active Directory.
 
[ B ] All Backup Exec (tm) Services on the media server, with the exception of the Backup Exec Remote Agent, run in the context of a user account configured for Backup Exec System Services. This account can be created during the Backup Exec installation, or an existing user account can be used. To create a service account for Backup Exec during installation, supply a user name and password when prompted. The account designated for Backup Exec services, whether it is a new account or an existing user account, will require the following rights:
  • Act as part of the operating system [ a.k.a. TcbPrivilege ].
  • Backup files and directories (provides rights to backup files and directories) [ a.k.a. BackupPrivilege ].
  • Create a token object (which can be used to access any local resources) [ a.k.a. TokenRightPrivilege ].
  • Log on as a batch job (allows a user to be logged on by means of a batch-queue facility) [ a.k.a. BatchLogonRight ].
  • Log on as a service [ a.k.a. ServiceLogonRight ].
  • Manage auditing and security log [ a.k.a. AuditPrivilege ].
  • Restore files and directories (provides rights to restore files and directories) [ a.k.a. RestorePrivilege ].
  • Take ownership of files and other objects [ a.k.a. TakeOwnershipPrivilege ].
For more information on any of the above User Rights Assignments, refer to: http://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx

Note: Due to security implementations in Microsoft Small Business Server, the service account must be "Administrator".
 
SymHelp can test the Backup Exec Service Account permissions and group memberships for you.
 
 

For Windows Server 2003 :

1. On the domain controller, click Start | Programs | Administrative Tools | Active Directory Users and Computers.

2. From the left pane, expand the Domain name, and right-click Domain Controllers organizational unit, and then select Properties.

3. Select the Group Policy tab.

4. Select the Default Domain Controllers Policy and then click Edit (Figure 2).

Figure 2
 

5. From the left pane, expand Computer Configuration and go to Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignments.


For Windows Server 2008 :

1. Go to Start | Programs | Administrative Tools | Group Policy Management.

2. From the left pane, expand Domains | Domain_Name | Group Policy Objects.

3. Right-click Default Domain Controllers Policy and click Edit.

Ensure that the group policy being edited is set to Enforced; otherwise the changes will not apply.

4. From the left pane, expand Computer Configuration and go to  Windows Settings | Security Settings | Local Policies | User Rights Assignments.



5. From the right pane, right-click Create a token object.


6. Click "Add user or Group".



7. For the "Add user or Group" window, click Browse.


8. Type the desired user account to act as your Backup Exec System Account, then click Browse and then click OK.

9. Back in the "Group Policy Management Editor", note that your Backup Exec System Account now has the "Create a token object" privilege.


10. Repeat steps 1 through 9 for any additional policies.
 

[ C ] Make sure the BESA is NOT included in 'Deny logon as a batch job' or 'Deny logon as a service', because the deny supersedes the allow, and even adding the account under 'Log on as a batch job' or 'Log on as a service' would not resolve the issue. (Figure 4)


Figure 4


Refresh the group policy

Click Start > Run and type gpupdate /target:computer /force (this will force an update of the Group Policy).
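
The rights required in [ B ] and the deny check in [ C ] can be verified together from an export of the server's user rights assignments. The following PowerShell is an added example, not Symantec's code and not part of SymHelp; it assumes PowerShell 3.0 or later and uses the Windows Se* constant names as they appear in a secedit export. The function name, the export path, the SIDs and the sample export are constructed placeholders.

```powershell
# Added example (not from the original article). Real input would come from:
#   secedit /export /areas USER_RIGHTS /cfg C:\Temp\rights.inf   (path is a placeholder)
#   $inf = Get-Content C:\Temp\rights.inf -Raw
# Constructed sample export; the domain SID ending in -1105 stands in for the BESA.
$inf = @'
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeSecurityPrivilege = *S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeDenyBatchLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@

function Test-BesaUserRights {   # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)][string]$InfText,
        # SID of the BESA plus the SIDs of every group it is a member of
        [Parameter(Mandatory=$true)][string[]]$Identity
    )
    $required = 'SeTcbPrivilege', 'SeBackupPrivilege',
        'SeCreateTokenPrivilege',   # Create a token object
        'SeBatchLogonRight', 'SeServiceLogonRight',
        'SeSecurityPrivilege',      # Manage auditing and security log
        'SeRestorePrivilege', 'SeTakeOwnershipPrivilege'
    $deny = 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight'

    # Parse "SeName = *SID,*SID,name" lines into right -> list of holders.
    $rights = @{}
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    foreach ($name in ($required + $deny)) {
        $isDeny = $deny -contains $name
        $held = @($rights[$name] | Where-Object { $Identity -contains $_ }).Count -gt 0
        # Required rights must be held; deny rights must not be (deny wins).
        [pscustomobject]@{ Right = $name; Deny = $isDeny; Held = $held
                           OK = ($held -xor $isDeny) }
    }
}

$besa = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed SID
# Second identity is the well-known Administrators group SID (S-1-5-32-544).
Test-BesaUserRights -InfText $inf -Identity $besa, 'S-1-5-32-544' | Where-Object { -not $_.OK }
```

With the constructed sample, the rows returned are SeCreateTokenPrivilege (not granted to the account or its groups) and SeDenyBatchLogonRight (the account is listed in the deny policy).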

[ D ] Make sure BESA has all the required permissions

1. Check the permissions for the Backup Exec System Account (BESA), which is shown under Network Logon Accounts. Make sure it is a member of the local administrator group (built in admins) if applicable, and domain admins. Remove this account from any groups that do not have full administrative rights.

2. If performing the above steps does not resolve the issue, create a new user account in Active Directory and add it to the following groups:

  • Domain Admins (Primary Group)
  • Local Admins or Administrators
  • Remove Domain Users from the list.

Then use this new account for Backup Exec services, add it under Network - Logon Accounts and make it the default account.

Note: This applies to Windows Server 2008/R2 (Domain controller and member servers) as well.
 
[ E ] Make sure all Backup Exec services are started.




Legacy ID



355654

