Requirements for BESA
Some issues that may occur if BESA does not have the required rights:
• Backups or Restores are failing
• Log on Account Errors
• In the backup selections “Enable Trust relation" keeps displaying
• During an install of Backup Exec for Windows Servers when entering the service account information the error "Unable to authenticate with the user and password information given for \User name " appears .
• On system boot, the Backup Exec Device and Media Service fails to start automatically and generates Event ID 7041
All of the Backup Exec services (except the Backup Exec Remote Agent) run under a user account which the Backup Exec system services use. When a user account is configured for the Backup Exec services to use it is known as the BESA (Backup Exec Service Account).
During the Backup Exec install the Backup Exec service Account (BESA) and the Backup Exec system logon account are both configured to use the same user name. If you change the user name for the service account, then you should also change the Backup Exec system logon account and make sure it is using the appropriate credentials.
In group policy the following User Rights need to be associated with the Backup Exec User Account
• Act as part of the operating system
• Backup files and directories
• Create a token object
• Log on as a batch job Log on as a service
• Manage auditing and security log (BE 2010 R3 and later)
• Restore files and directories
• Take ownership of files and other objects
1. How to get those User Rights Assignments looking good?
If the User Rights Assignments need to be changed on a local machine:
Go to Start, click Control Panel, click Administrative Tools, click Local Security Policy then under Security Settings, expand the Local Policies and Select User Rights Assignment.
To Change the User Rights on the Domain Controller:
Go to the Administrative Tools, click on the Domain Controller Security Policy , expand the Local Policies and Select User Rights Assignment.
In the pane on the right side select the Policy that needs to be changed or checked for the Backup Exec Service Account
2. User Rights finishing touches
Also make sure the account is not added under:
Deny logon as a service
Deny logon as a batch
After making changes run "gpupdate” to refresh local and Active Directory-based Group Policy settings, including security settings
NOTE: The service account also needs to be a member of
• Domain Admins (Recommended) or Administrators
• Backup Operators
3. Backup Exec Account password
Important: In Active Directory the Backup Exec Account password needs to match the password for the Backup Exec System Logon Account.
4. Don't forget the Backup Exec Service Account (BESA)
Make sure that in the Backup Exec console the System Logon is set in "Domain\Username" format