gwyn
Level 3
5 years ago

Minimum user account permissions needed to run NetBackup services

We run NetBackup 8.0 on a server at our site. For the Windows services 'NetBackup Client Service', 'NetBackup Remote Manager and Monitor Service' and 'NetBackup Web Management Console', we have them running under a local user account which is a local administrator on the server.

I am part of the IT team for the site. The central IT team have installed Local Administrator Password Solution (LAPS) on all servers recently, which means that the passwords for all local admin accounts get automatically changed by the software every 42 days, therefore of course the services fail.

Rather than simply uninstalling LAPS, I want to see if there is a better way. One way I thought to get around this is to use a local standard user (non-administrator) account instead, and just assign it the privileges needed to run the services correctly.

I followed the second post on this article... https://vox.veritas.com/t5/NetBackup/NetBackup-Service-Account-requirements/td-p/625893

I created a new standard local user, and I set the following permissions for the user in the local group policy editor, and rebooted...

- Act as part of the operating system
- Replace a process level token
- Log on as a service
- Create a token object

But unfortunately I couldn't start the service with the new user, so I've had to revert back to the local admin user for now.

Do you know what else I need to set to make sure that this standard local user can successfully run the services above?

Thanks.

  • Hi,

    Have you tried to add this new user to the administrators group?

    • gwyn
      Level 3

      Hi,

      No, this is exactly what I'm trying to avoid doing.

      I know it works if you put it in the administrators group, because that's what the current setup is.

      What I'm asking is how to get this to work for a standard user by adding specific privileges.

      • Hamza_H
        Moderator

        There are two potential resolutions for this issue:

        1.  Modify the NetBackup Legacy Network Service so that the service starts using the Local System account

        OR

        2.  In the Local Security Policy on the host, for the account which the NetBackup Legacy Network Service starts with, provide the account these security permissions:

        Drill into: Security Settings > Local Policies > User Rights Assignment

        • Act as part of the operating system
        • Replace a process level token
        • Create a token object

        Run the following command to immediately enforce the updated security policy:

        •   gpupdate /force

        Restart NetBackup services
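
A check that can be run after the steps in this thread to confirm which of the listed user rights an account actually holds. This is an added example, not part of any post above and not Veritas code; `svc_nbu` is a hypothetical account name, `Get-UserRightsReport` is a helper defined here, and the sample export lines are constructed.

```powershell
# Windows constant names for the user rights discussed in this thread.
$Needed = [ordered]@{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
    SeCreateTokenPrivilege        = 'Create a token object'
    SeServiceLogonRight           = 'Log on as a service'
}

function Get-UserRightsReport {
    param(
        [Parameter(Mandatory)][string]$Account,  # e.g. 'SERVER01\svc_nbu' (hypothetical)
        [string[]]$InfLines                      # optional: text of an earlier secedit export
    )
    if (-not $InfLines) {
        # Export the user-rights section of the security policy (needs an elevated prompt).
        $tmp = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
        try {
            secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
            $InfLines = Get-Content -LiteralPath $tmp
        } finally { Remove-Item -LiteralPath $tmp -Force -ErrorAction SilentlyContinue }
    }
    # secedit lists holders as *SID or as a plain name, so match on either form.
    $ids = @($Account, ($Account -split '\\')[-1])
    try {
        $nt = [Security.Principal.NTAccount]::new($Account)
        $ids += '*' + $nt.Translate([Security.Principal.SecurityIdentifier]).Value
    } catch { Write-Warning "Cannot resolve $Account to a SID; matching by name only." }

    foreach ($right in $Needed.Keys) {
        $line = $InfLines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        $holders = if ($line) { ($line -split '=', 2)[1].Split(',').Trim() } else { @() }
        [pscustomobject]@{
            Right   = $right
            Policy  = $Needed[$right]
            Granted = [bool]($holders | Where-Object { $ids -contains $_ })
        }
    }
}

# Constructed sample export: the account lacks 'Create a token object'.
$sample = @(
    'SeTcbPrivilege = svc_nbu'
    'SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,svc_nbu'
    'SeServiceLogonRight = *S-1-5-80-0,svc_nbu'
)
Get-UserRightsReport -Account 'svc_nbu' -InfLines $sample | Format-Table -AutoSize
# Live use: list the logon account of each NetBackup service, then check it.
# Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'NetBackup%'" | Select DisplayName, StartName
# Get-UserRightsReport -Account "$env:COMPUTERNAME\svc_nbu"
```

A right showing `Granted = False` after `gpupdate /force` means the assignment did not reach the exported policy for that account.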