How to define/grant the required user rights/permissions for a Backup Exec Service Account (BESA)
Article: TECH136148 | Created: 2010-01-16 | Updated: 2014-12-08 | Article URL: http://www.symantec.com/docs/TECH136148
Connection with server failed. Hit <F5> to retry when trying to edit/create a backup job on Windows 2008 server
[ A ] The password set for the Backup Exec System Logon Account (Network -> Logon Accounts) or the Backup Exec Service Account (BESA) does not match the password set in Active Directory.
[ B ] The BESA does not have the right to Log on as a batch job.
By default this policy is applied to Administrators and the Backup Operators group. This user right is defined in the default Domain Controller's Group Policy object (GPO) and in the Local Security Policy of workstations & servers and it allows a user to be logged on by means of a batch-queue facility.
For more information on this user right, refer to:
[ C ] The BESA is included in the Deny logon as a batch job policy.
'Deny logon as a batch job' determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies.
[ E ] This issue may occur if the Remote Agent for Windows Server (RAWS) service is stopped. As the Job Engine service is dependent on RAWS, the Job Engine service will also be stopped.
- Act as part of the operating system [ a.k.a. TcbPrivilege ].
- Backup files and directories (provides rights to backup files and directories) [ a.k.a. BackupPrivilege ].
- Create a token object (which can be used to access any local resources) [ a.k.a. TokenRightPrivilege].
- Log on as a batch job (allows a user to be logged on by means of a batch-queue facility) [ a.k.a. BatchLogonRight ].
- Log on as a service [ a.k.a. ServiceLogonRight ].
- Manage auditing and security log [ a.k.a. AuditPrivilege ].
- Restore files and directories (provides rights to restore files and directories) [ a.k.a. RestorePrivilege ].
- Take ownership of files and other objects [ a.k.a. TakeOwnershipPrivilege ].
Note: Due to security implementations in Microsoft Small Business Server, the service account must be "Administrator".
For Windows Server 2003:
1. On the domain controller, click Start | Programs | Administrative Tools | Active Directory Users and Computers.
2. From the left pane, expand the Domain name, and right-click Domain Controllers organizational unit, and then select Properties.
3. Select the Group Policy tab.
4. Select the Default Domain Controllers Policy and then click Edit (Figure 2).
5. From the left pane, expand Computer Configuration and go to Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignments.
For Windows Server 2008:
1. Go to Start | Programs | Administrative Tools | Group Policy Management.
2. From the left pane, expand Domains | Domain_Name | Group Policy Objects.
3. Right click on Default Domain Controllers Policy and click on Edit.
Ensure that the group policy being edited is set to Enforced or else the changes would not apply.
4. From the left pane, expand Computer Configuration and go to Windows Settings | Security Settings | Local Policies | User Rights Assignments.
5. From the right pane, right-click Create a token object.
6. Click "Add user or Group".
7. For the "Add user or Group" window, click Browse.
8. Type the desired user account to act as your Backup Exec System Account, then click Browse and then click Ok.
9. Back in the "Group Policy Management Editor", note that your Backup Exec System Account now has the "Create a token object" privilege.
6. Repeat steps 1 through 9 for any additional policies.
[ C ] Make sure the BESA is NOT included in the 'Deny Logon as a Batch' or 'Deny Logon as a service' because the deny supersedes the allow and even adding the account under 'Logon as a Batch' or 'Logon as a service' would not resolve the issue. (Figure 4)
Refresh the group policy
Click Start > Run and type gpupdate /target:computer /force (this forces a refresh of the computer Group Policy).
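To confirm the result of [ B ] and [ C ] after the policy refresh, the effective user rights can be exported with secedit and checked against the list of required rights. The following is an added example, not part of the original article or of Backup Exec: the function name `Test-BesaUserRights`, the account `EXAMPLE\besa` and the sample export are constructed, and the `Se*` names are the constants that secedit writes in its `[Privilege Rights]` section for the rights listed above.

```powershell
# Rights from the list above, as the Se* constants secedit writes them.
$RequiredRights = @(
    'SeTcbPrivilege',            # Act as part of the operating system
    'SeBackupPrivilege',         # Backup files and directories
    'SeCreateTokenPrivilege',    # Create a token object
    'SeBatchLogonRight',         # Log on as a batch job
    'SeServiceLogonRight',       # Log on as a service
    'SeSecurityPrivilege',       # Manage auditing and security log
    'SeRestorePrivilege',        # Restore files and directories
    'SeTakeOwnershipPrivilege'   # Take ownership of files and other objects
)
$DenyRights = @('SeDenyBatchLogonRight', 'SeDenyServiceLogonRight')

function Test-BesaUserRights {
    param(
        [string[]]$InfLines,     # lines of a secedit USER_RIGHTS export
        [string[]]$Identities    # SIDs/names of the account and of its groups
    )
    # Parse "SeXxx = *SID,*SID,DOMAIN\name" into a right -> members table.
    $rights = @{}
    foreach ($line in $InfLines) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    # Rights (allow or deny) that list at least one of the given identities.
    $held = @($rights.Keys | Where-Object {
        @($rights[$_] | Where-Object { $Identities -contains $_ }).Count -gt 0 })
    [pscustomobject]@{
        Missing = @($RequiredRights | Where-Object { $held -notcontains $_ })
        Denied  = @($DenyRights     | Where-Object { $held -contains $_ })
    }
}

# Constructed sample export. On a real server produce the input with:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $InfLines = Get-Content "$env:TEMP\rights.inf"
$sample = @(
    '[Privilege Rights]',
    'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551',
    'SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551',
    'SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551',
    'SeServiceLogonRight = EXAMPLE\besa',
    'SeSecurityPrivilege = *S-1-5-32-544',
    'SeTakeOwnershipPrivilege = *S-1-5-32-544',
    'SeDenyBatchLogonRight = EXAMPLE\besa'
)
Test-BesaUserRights -InfLines $sample -Identities 'EXAMPLE\besa', 'S-1-5-32-544'
```

Pass both the account's name and its SID, plus the SIDs of the groups it belongs to (S-1-5-32-544 is the built-in Administrators group), because the export lists resolved principals as `*SID`. Any entry under `Denied` must be cleared first, since the deny setting overrides the matching allow right.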
[ D ] Make sure BESA has all the required permissions
1. Check the permissions for the Backup Exec System Account ( BESA ) which shows under Network - Logon Accounts. Make sure it is a member of the local administrator group (built in admins) if applicable, and domain admins. Remove this account from any groups that do not have full administrative rights.
2. If performing the above steps does not resolve the issue, create a new user account in Active Directory and add it to the following groups:
- Domain Admins (Primary Group)
- Local Admins or Administrators
- Remove Domain Users from the list.
Then use this new account for the Backup Exec services, add it under Network - Logon Accounts and make it the default account.
Note: This applies to Windows Server 2008/R2 (Domain controller and member servers) as well.
[ E ] Make sure all Backup Exec services are started.