Video Screencast Help

Minimum Backup Rights or Alternative Solution

Created: 17 Apr 2014 • Updated: 17 Apr 2014 | 2 comments
This issue has been solved. See solution.

Hi All,

We are currently running Backup Exec 2010 R3 and we are looking for a work around for the rights needed to perform backups.  We have a maintanence account set up to perfrom all of our backups that's currently in the Domains Admin group.  I understand that Symantec needs the backup account to have Domain Admin rights, but we have been forced to remove the account out of that group due to policy changes.  Do we have any options other than adding the account to the local administrators group on each server to perform the backups?  Symantec's solution seems to only be adding the account responsible for backups to the Domain Admins account.  Any suggestions would be greatly appreciated.

Operating Systems:

Comments 2 CommentsJump to latest comment

Colin Weaver's picture

You will not be able to backup the System State of a Domain contoller if you are not a domain admin so your new policy is going to need some exceptions.

For other servers local admin may be enough however please note that Backup Operator is not always enough.

If your have an Exchange mailserver we do have some documentation on limited rights against certain recent updates (Service packs/hotfixes) and you will need to look at the recent documents for these updates and confirm the versions of Exchange, Backup Exec and Operating System meet what these documents state can be protected with limited permissions.

There is also a document on VMware permissions needed if this is present in your environment.

You may also find (with testing) that you can get away with less permissions during backups than are needed for restores although we won't have necessarily documented this.

Exchange permissions info:

VMware permisssions info:

papertiger's picture

Thanks Colin,

I've already reviewed the documentation on Exchange.  I was more concerned with the rest of our members servers.  I think the best resolution to our problem is to add our maintenance account to the Backup Operators group and add that group to the local admins group as a work around.  As for the DC's, I'm not sure how we will approach that issue.

Again -- thanks for the response.