Forum Discussion

ksdst1's avatar
ksdst1
Level 5
9 years ago

Change Owner of BEX Logon Accounts

I found the solution on a non-veritas site to reference a new SLA to a newly created logon account. "i figured it out. had to go into the change password wizard and then it let me change the username associated with the system logon account." Now I just need to know how to change the "Owner" for all accounts listed in MLA to the new account that SLA is associated with, as the current Owner account is the old SLA/retiring domain admin account. tnx...

  • You can do this through BEutility. Choose the option to change the service account.

    Thanks!

  • I wish it did change the Owner of the SLA and other accounts in the Logon Account Management but it seems to only change the account that services run under.  The Owner of all the account names is still the old account\user that was used when installing BEX.  Any other ideas?

    Tnx

  • ...not sure what you mean here. Post a screenshot.

  • I suspect you will have to create a new account in Backup Exec (using the same logon details for resources against the account). Then reset the jobs/resources to use that new account and then delete the old account - I am not aware that we have any facility to actually change an account owner.

    Now if the account owner is deleted (from Active Directory) with a Backup Exec account still set to that owner I am not sure what issues can occur - I suspect there may be more of an impact if you use restricted logon accounts than if you use common.

    Be aware that Backup Set Encryption keys also have owners so I hope that if you use Encryption keys you do have the passphrase details documented as such keys can definitely stop working if the owner no longer exists and will need recreating.

     

     

     

  • Tnx for the replies!  If I've read them correctly, it seems that we are unsure what effect there may be if the account Owner is a domain account that will cease to exist b/c the domain is collapsed.  Also, I have not deleted that account from the BE account list.  Although, if I understand things correctly with BE, that account really isn't tied to AD at all, but merely had been set up with the same "domain\acountname" and password to reflect the actual Domain account.  If this is true, then any adverse effects would depend on the inherent role of "Owner" to any given BE account.  What encompases the "Owner" role?

    tnx...   

  • OK there are 3 types of user names that form an account in BE.

     

    1) The name of the account in BE - this is just a text name that is a record of how it is held inside the BEDB and has nothing to do with AD itself and in fact does not even have to match whatever you use for point 2 below. (As an example this facility allows you to use 2 different root accounts that have different passwords as even though they are both root, you can give them different names in BE to separate them from each other and then use them with different jobs)

    2) The actual username and password of the account needed to do the backup task for the resources) This of course is usually an AD account but may be a local windows account (or Linux Account) depending on what you need to backup.  For the SLA and BESA accounts it is usually the same AD user, covering both, and also a Domain Admin. The detail of the configured AD (or local) users  are stored inside the BEDB and the used when we need to access the resources in the environment during jobs.

    3) The account owner - this is a record of the AD (or local Windows security SAM database ) account that was in use (to access the Windows Server Console and run the BE console) when the BE account was created. The owner is definitely used to handle the restricted account capabilities but may be used elsewhere in the background too. We do not do much testing of what happens when the owner is deleted from AD - hence it is difficult to say what you might experience.

     


     

     

  • After you change the accounts, you might have to remake all jobs. It happened to us after some account been deleted by mistake in active directory.

    After you will test all the credentials, and want to save, you will get the error (forgot the name exactly).