
AD Service Account

Revolver
Level 3
Hello all!

Currently I run the BackupExec job under a Domain Administrator Service Account. Recently this was compromised, as this is a shared account so several people can make changes to the job without causing issues with permissions. However, this account can log on everywhere and has modify permissions to accounts shares, etc.

My question is:

Is it possible to set up a service account which BackupExec can use to access all the folders needed and keep the backups running, but prevent anyone using it to log on anywhere, and use it as a domain admin account?

The issue is that when someone from creative logged in to add/remove files from the backup job, it would then use their credentials and then be unable to backup anything from the accounts share. Ideally I want an account that everyone has the password for, so can make the necessary changes without affecting the security permissions of the job, but also not be able to use the account to log in and start destroying company files.

Any help would be appreciated.

Thanks,
Jon
5 REPLIES

CraigV
Moderator
Partner    VIP    Accredited
Hi John,

#1. Look at creating a new service account and assigning it the required permissions in AD to function properly in BEWS.
Once done, open up BEWS, then go to Network... and create that same account in there. Problem 1 solved... a more secure service account running your backups.

#2 would be to create a normal user account (call it anything you want, i.e. svcbackup) in AD, and don't assign it Admin rights of any kind.
Open up the Local Users and Groups on that server, and add the new account in #2 to the Backup Operators group. Once done, open up Backup Exec and add that user account as a new account.
Once done, install the Backup Exec Remote Console for each person who needs to manage the backups. This prevents local logons to that server, and secures your environment a bit more.

You can read up more on #2 on the link to the article I wrote below:

https://www-secure.symantec.com/connect/articles/how-leverage-backup-execs-remote-console

They will be able to make changes to the backups, but nothing further on network shares.

Laters!
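
Option #2 from the reply above, sketched in PowerShell with a membership check at the end. This is an added example, not part of the original thread or of Backup Exec; the account name `svcbackup` comes from the post, while the description text and the list of privileged groups are assumptions, and it assumes the Backup Exec server is a member server with the ActiveDirectory module installed.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.PowerShell.LocalAccounts
# Added example: run elevated on the Backup Exec server (assumed to be a
# member server, since domain controllers have no local groups).

$Sam = 'svcbackup'   # name suggested in the post; any name works

# 1. Create a normal domain user with no admin rights of any kind.
$user = Get-ADUser -Filter "SamAccountName -eq '$Sam'"
if (-not $user) {
    $pw = Read-Host -AsSecureString "Password for $Sam"
    New-ADUser -Name $Sam -SamAccountName $Sam -AccountPassword $pw `
        -Enabled $true -Description 'Backup Exec job account (assumed text)'
    $user = Get-ADUser -Identity $Sam
}

# 2. Add it to the local Backup Operators group on this server.
$member = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $Sam
$already = Get-LocalGroupMember -Group 'Backup Operators' |
    Where-Object Name -eq $member
if (-not $already) {
    Add-LocalGroupMember -Group 'Backup Operators' -Member $member
}

# 3. Verify the account has not picked up admin rights through nesting.
#    The 1.2.840.113556.1.4.1941 matching rule walks nested groups, so a
#    group-in-group path to Domain Admins is reported as well.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators'          # assumed list; extend as needed
$filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$groups = Get-ADGroup -LDAPFilter $filter | Select-Object -ExpandProperty Name
$bad = @($groups | Where-Object { $_ -in $privileged })

if ($bad.Count -gt 0) {
    Write-Warning "$Sam is a member of: $($bad -join ', ')"
} else {
    Write-Output "$Sam holds no privileged domain group membership."
}
```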

Colin_Weaver
Moderator
Employee Accredited Certified
For info, users that are ONLY members of the Backup Operators group cannot always access components that are protected using VSS (such as System State, Shadow Copy Components, etc.). You usually have to at least be a full local administrator for this (and a Domain admin if the system in question is a domain controller).

Revolver
Level 3
Thanks guys,

It is a domain controller, and it is necessary to back up the System State. I will have a look into the info provided and see what I can do.

Thanks


Colin_Weaver
Moderator
Employee Accredited Certified
This does not necessarily mean the console user has to be a domain admin - just means the credentials in the backup selections do - you might be able to get away with the console user just being a Backup Operator - it is worth testing this in your environment.

CraigV
Moderator
Partner    VIP    Accredited
Hey dude,

Any news here?

Laters!