Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Service accounts for NetBackup Client

Created: 09 Oct 2012 • Updated: 09 Oct 2012 | 9 comments
sirin.zarin's picture

Hi all,

Can somebody tell what rights are needed to run NetBackup Client services on Windows for non admin account and non Local System Account?

i found this http://www.symantec.com/business/support/index?page=content&id=TECH33693
and found this http://www.symantec.com/business/support/index?page=content&id=TECH50318

//////////////

 

The NetBackup Client Service must be started an account which has the following permissions:

- Act as part of the operating system

- Replace a process level token

- Logon as a service

- Create a token object

Change the permissions for the account starting the NetBackup Client Service and restart the service. 

//////////////

Dnd set them to the user under which the NetBackup Client service runs, but it did not help.

Maybe someone else has ideas...

 

 

Discussion Filed Under:

Comments 9 CommentsJump to latest comment

Marianne's picture

Please help us understand the reason for your query? Not sure what this means?

Dnd set them to the user under which the NetBackup Client service runs, but it did not help.

It did not help for what? 

Are you trying to use the Java Console to logon to Windows Master?

Why Java and not Windows Admin Console?

What steps have you followed to config Java for Windows logon?

What is the Windows version on your Master?

Which NBU version?

Supporting Storage Foundation and VCS on Unix and Windows as well as NetBackup on Unix and Windows
Handy NBU Links

sirin.zarin's picture

Hello Marianne,

I use NBU 7.1 with Master on linux and Media on Windows and Linux. I have NetBackup Client on Windows  client (win 2003\2008).

I'm not talking about the console, I'm talking about NetBackup Client system service on the client server.

rather I'm talking about a service account to run the NetBackup Client service is not from the administrator and not on Local System Account on Windows client (win 2003\2008).

 

Omar Villa's picture

LocalSystem is enough, only have see Exchange and SQL to ask to change for this. why you need to change this?

Omar Villa

Netbackup Expert

Twiter: @omarvillaNBU

 

Marianne's picture

My question exactly.

The two technotes that you have posted are both for Java Console logging on to Windows master.

Why do you need to change the logon account? What does this statement mean? 

Dnd set them to the user under which the NetBackup Client service runs, but it did not help.

What did you or did not do? Did not help for what? Are you getting any error messages?

Why do you need to change Client Service logon account? Are you running a database or application such as Oracle, SQL, Exchange, SAP, etc on Windows?
If no database or application, why not simply leave NBU to run as LocalSystem?

We would really try to help, but it is not clear why you want to change the Client Service logon account.

Supporting Storage Foundation and VCS on Unix and Windows as well as NetBackup on Unix and Windows
Handy NBU Links

sirin.zarin's picture

 

We would really try to help, but it is not clear why you want to change the Client Service logon account.
 
This requirement of the customer. I'm just trying to figure out whether you can do it.
Marianne's picture

You are the 'Accredited Partner'. You need to find out WHY. 

NBU runs fine under LocalSystem Account.

Only when databases or Apllications are being backed up does the Client service need to be changed. 
Details in the relevant Agent Guides.

Are you sure the need is for NBU Service accounts to be changed? Or do they need to manage NBU as non-Admin users?

Please find out exact requirement. 

Supporting Storage Foundation and VCS on Unix and Windows as well as NetBackup on Unix and Windows
Handy NBU Links

Will Restore's picture

I'm with Omar and Marianne.  Stick with LocalSystem.  Why would customer want otherwise? 

 

Will Restore -- where there is a Will there is a way

sirin.zarin's picture

I'm with Omar and Marianne.  Stick with LocalSystem.  Why would customer want otherwise? 

Current policies are required to run the service with the least privileges necessary for their proper operation. also not stack launch services with administrative privileges.
 
Of course there is taken into account that if it is possible.
Will Restore's picture

Of course you could start each service with a different account but that would be a maintenance and management nightmare.

 

See this writeup for example: http://stackoverflow.com/questions/510170/the-difference-between-the-local-system-account-and-the-network-service-acco

"It is always preferable from a security perspective to run as your own service account that has precisely the permissions you need to do what your service does and nothing else. However, the cost of this approach is setting up your service account, and managing the password. It's a balancing act that each application needs to manage."

 

Will Restore -- where there is a Will there is a way