What rights must the Backup Exec Service or Logon Account have when backing up local and remote computers in a Windows 2000 and 2003 Active Directory environment, in order to back up the System State?

Article:TECH17611  |  Created: 2008-01-21  |  Updated: 2011-08-13  |  Article URL http://www.symantec.com/docs/TECH17611
Article Type
Technical Solution

Issue



What rights must the Backup Exec Service or Logon Account have when backing up local and remote computers in a Windows 2000 and 2003 Active Directory environment, in order to back up the System State?


Error



Unable to attach to \\<Server>\System?State.
Access is denied. To Backup or Restore System State, Administrator privileges are required.

 


Solution



The following assumes that the Backup Exec (tm) (BE) media server is in a Windows Active Directory domain environment. This would mean that the media server is backing up the System State of computers that are members of the Active Directory domain (that is, domain controllers and member servers) and not standalone servers that are not part of an Active Directory domain. With this in mind, the Backup Exec service or logon account needs to be one of the following:

1. The user account called Administrator in the domain of the media server. This account can back up the System State of the server that Backup Exec for Windows NT and Windows 2000 is on, and can back up the System State of remote computers in the same domain as the Backup Exec media server. If the user account Administrator found in the root domain of the Active Directory forest is used as the Backup Exec service or logon account, then Backup Exec for Windows NT and Windows 2000 can back up the System State of remote computers throughout the Active Directory forest.

Note: Due to security implementations in Microsoft Small Business Server, the Backup Exec service or logon account must be Administrator.

2. A user account that is a member of the built-in Administrators security group in the domain of the media server. An account that is a member of this group can back up the System State of the server that BE is installed on, and can back up the System State of remote computers in the Active Directory environment of the Backup Exec media server.

3. A user account that is a member of the built-in global Domain Admins security group in the domain of the media server. By default, this built-in global group is a member of the built-in local Administrators security group. An account that is a member of this group can back up the System State of the server that BE is on and can back up the System State of remote computers in the Active Directory environment of the media server.

4. A user account that is a member of the built-in global Enterprise Admins security group of the Active Directory environment. The user account called Administrator in the root domain of the Active Directory forest is by default a member of this group. An account that is a member of this group can back up the System State of the server that BE is on and can back up the System State of all remote computers in the Active Directory environment.

5. A user account that has been assigned the right to Log on as a service within the Local Security Policy on the remote server or within the Group Policy Object that affects the remote server. The user account must also have administrative rights on the remote server. With this scenario, the BE service or logon account does not need to be a member of Domain Admins. Either place the BE service or logon account in the local Administrators group on every computer, or set the Attach As or Set Default attach info information for each remote server's System State (Figure 1).

NOTE: However, this would not apply to any domain controllers you try to back up, since on the domain controller you cannot add a user account to the Local Administrators group.
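An added example (not Symantec's or Backup Exec's own code): a Python check for option 5 that reads saved output of `secedit /export /areas USER_RIGHTS` and `net localgroup Administrators` collected from one remote server. The account name CORP\svc_backupexec and both sample texts are constructed; matching is by directly listed name only, so rights held through a nested group or listed as a SID are not resolved.

```python
# Constructed sample: excerpt of `secedit /export /areas USER_RIGHTS /cfg rights.inf`
SECEDIT_EXPORT = """\
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-20,CORP\\svc_backupexec
[Version]
signature="$CHICAGO$"
"""

# Constructed sample: output of `net localgroup Administrators` on the same server
NET_LOCALGROUP = """\
Alias name     Administrators
Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\svc_backupexec
The command completed successfully.
"""

def privilege_holders(export_text, privilege):
    """Principals listed for one user right in a secedit export (lower-cased)."""
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == privilege.lower():
                return {p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()}
    return set()

def local_group_members(net_output):
    """Member names listed after the dashed rule in `net localgroup` output."""
    members, in_list = set(), False
    for raw in net_output.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            in_list = True
        elif in_list and line and not line.lower().startswith("the command completed"):
            members.add(line.lower())
    return members

def check_option5(account, export_text, net_output):
    """Both values must be True for option 5 (direct name matches only)."""
    acct = account.lower()
    return {"log_on_as_service": acct in privilege_holders(export_text, "SeServiceLogonRight"),
            "local_administrator": acct in local_group_members(net_output)}
```

A False value for either key means the account does not meet option 5 on that server by direct assignment; check group nesting and SID entries by hand before concluding the right is missing.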

 

Special Notes:

 
  • If the BE services are designated to use the Local System account, then BE can only back up the System State of that server. BE cannot, however, back up the System State of remote computers in the Active Directory environment.
  • If the BE service or logon account is a member of the Backup Operators group only, then it is able to bypass standard file system security for the purpose of backup and restore only. It will not, however, be able to back up the System State.
  • If you attempt to make the BE services use an account that does not have sufficient group membership, then you will receive an error in the failed job log such as:

    Unable to attach to \\<Server>\System?State.
    Access is denied. To Backup or Restore System State, Administrator privileges are required.
 

 

 

 
 



Legacy ID



243033

