General file system backup/restore: How to troubleshoot the error message "Access is denied" in Backup Exec for Windows Servers

Article:TECH30739  |  Created: 2004-01-26  |  Updated: 2013-11-21  |  Article URL http://www.symantec.com/docs/TECH30739
Article Type
Technical Solution

Product(s)

Issue



General file system backup/restore: How to troubleshoot the error message "Access is denied" in Backup Exec for Windows Servers


Error



V-79-57344-33928 "Access denied" or "Access is denied"


Cause



The error message "a0008488 hex - access denied", "0xe0008488 - Access is denied" or "access is denied" is usually returned when a third-party application (e.g. anti-virus software) is blocking access to the file system, or when the logon account provided to attach to a resource does not have sufficient rights to back up the resource. First make sure that a virus scan or real-time virus protection on the machine is not interfering with Backup Exec's ability to perform a backup or restore operation.

For error 0xe0008488 - Access is denied, a debug of beremote (see the Related Articles section for more information on debugging) may show the following error in the beremote logs:

LP_ENV::MsgError: error 0xe0008488 processing object


Solution



Make sure that anti-virus software is not attempting to scan the file while it is being backed up. Once it has been confirmed that no other application is interfering with the backup or restore, most access denied messages can be resolved by providing Backup Exec (tm) with an alternate account that has local administrative rights to the resource. This is most easily done with the Logon Account Manager, available from the Network menu.
 
To create a new login account:
 
1.  Open the Logon Account Manager from the Network drop-down menu by selecting Network | Logon Accounts
 
2.  Click New to create a new logon account (Figure 1)
  
Figure 1
 
 
 
3.  Specify the user name and password for an account with at least local administrative rights to the target resource (Figure 2)
 
4.  Specify a description for this logon account. The description should indicate the purpose of the logon account, e.g. Domain X Administrator or Server name Administrator
 
5.  The Notes field is optional and may be used to further describe the logon account
 
6.  Select the Restricted Logon Account check box if this account should only be usable by the user who originally created the account and those who know the password to the logon account
 
7.   Select Default Logon Account to make this account the default account for all newly selected resources
 
Figure 2
 
 
 
To change the logon account for a resource:
 
1.  Change to the Job Setup tab and open the job which contains the resource whose credentials are to be changed
 
2.  Select Resource Credentials from the job properties
 
3.  Select the resource to be modified and click the Change button to open the Logon Account Selection screen (Figure 3)
  
Figure 3
 
 
 

 
4.  Select the logon account to be assigned to the resource and click OK to finalize the selection
 
5.  Select Schedule from the job properties and confirm the schedule of the job. Jobs cannot be submitted without a schedule.
 
6.  Click Submit to save the job
  
Recommended accounts to use for different file system resources:

  • Network Attached Storage (NAS) device hosted resources should be configured to use the NAS device Administration account.
    Note: Only the account which is designated as the System Logon Account at Network > Logon Accounts in the Backup Exec interface can be used to attach to and back up/restore NAS server shares when a Remote Agent cannot be installed on the machine. This account is also the only one which can be used to attach to a Backup to Disk (B2D) folder on any type of remote file system.
  • Novell NetWare 5.x and above resources should be configured to use the Administration account (fully distinguished account names should be provided if multiple bindery contexts exist).
  • RALUS (Remote Agent for Linux and Unix Servers) requires that the beoper group exist on each host or in the NIS domain's group file. The Remote Agent installer by default will create the beoper group and add root as a member if a NIS server is not detected.
  • Windows 2000, Windows 2003, and Windows 2008 resources should be configured to use an account that has local administrative rights to the respective resource. This is best accomplished by using an account in the Domain Administrator group for the respective domain.

Tips and Tricks:

  • Add the Backup Exec service account to the local administrators group on the resource.
  • Change the Backup Exec service account to match the Administrative account or service account for the resource.
  • Change the Backup Exec service account from a commonly used account name (such as Administrator) to a unique account. This prevents scenarios where account names are identical but passwords vary from resource to resource.
  • Change the Backup Exec service account to a non-user account that will not be affected by regular password changes.

Please note: If the access denied error still occurs after it has been confirmed that a permissions issue does not exist, the problem can also occur because of a Firewall or DNS conflict or misconfiguration.  Make sure that both the media server and remote machines are able to resolve each other's name to the proper IP Address and any firewalls are configured properly.  For more information on this, refer to the articles below.

 "Failed to access <Server>" when trying to select remote resources located on a remote server behind a NAT Firewall or "Access denied" when trying to restore/backup remote servers.
 
Nslookup
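
The name-resolution check called for in the note above, as an added PowerShell example that is not part of the original article: it resolves a host name to its IPv4 addresses and confirms that each address maps back to the same host. The function name Test-NameResolution and the host names REMOTE-SERVER and MEDIA-SERVER are placeholders introduced here.

```powershell
# Added example (not from the original article). Checks that a host name
# resolves to an IPv4 address and that each address maps back to the same host.
function Test-NameResolution {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [string]$ExpectedAddress   # optional: the IP the name should resolve to
    )
    $result = New-Object PSObject -Property @{
        HostName = $HostName; Addresses = @(); ReverseNames = @()
        ForwardOk = $false; ReverseOk = $false; ExpectedOk = $null
    }
    try {
        # Forward lookup through the OS resolver (hosts file, DNS, NetBIOS)
        $addrs = @([System.Net.Dns]::GetHostAddresses($HostName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        return $result   # the name does not resolve at all
    }
    $result.Addresses = $addrs
    $result.ForwardOk = ($addrs.Count -gt 0)
    if ($ExpectedAddress) {
        $result.ExpectedOk = ($addrs -contains $ExpectedAddress)
    }

    # Reverse lookup: every address should map back to the same short host name
    $short = $HostName.Split('.')[0]
    $names = @()
    foreach ($a in $addrs) {
        try { $names += [System.Net.Dns]::GetHostEntry($a).HostName } catch { }
    }
    $result.ReverseNames = $names
    $matching = @($names | Where-Object { $_.Split('.')[0] -ieq $short })
    $result.ReverseOk = ($addrs.Count -gt 0 -and $matching.Count -eq $addrs.Count)
    return $result
}

# Placeholder names: replace with the real remote machine and media server.
'REMOTE-SERVER', 'MEDIA-SERVER' |
    ForEach-Object { Test-NameResolution -HostName $_ } |
    Format-Table HostName, ForwardOk, ReverseOk, Addresses, ReverseNames -AutoSize
```

Run it on the media server and again on the remote machine; a False in either column points to the DNS or hosts-file entry to correct.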
 

Supplemental Materials

Source: UMI
Value: V-79-57344-33928
Description: Access is denied

Legacy ID: 266075

