Highlighted

BEX 2012 SLA Account Scope

I have a previous answered post but still need to address the process of migrating to the new service account (hopefully domain admin) from the old default, SLA, BES and Owner, domain admin account.  (Prev Post: If I understand the various BEX support articles, I will need to add this new account using Logon Account Management, set it as the default user, then change the ownership to itself, and then set it as the SLA for the BE services, restart and viola. Is this the most prudent order and procedure?)

I could also use some clarification about BEX account roles.  We are migrating to an Enterprise Domain and thus I'm loosing my default, SLA, BES, owner, domain admin service account, and thus the need for the above request to add a new account.  Enterprise Security will create a domain admin service account, but will want to manage the account instead of me.  They would need to access the BEX server remotely and create the new acocunt (without giving me the login password) and configure BEX with my guidance.

To prepare for this, I'd like to know what “installation and setup”steps they will need to perform which would require the new account login creds of the new service account, eg. during the initial creation and migration to the new service account (i'm taking into considering that the password will need to be manually set within BEX and be the same as the non-changing domain password for the account)?

Does “setup” also mean creating/modifying or creating new or existing backup jobs?  How about restore processes? 

Basically, I’d like to know if I would be able to use BEX as I do now, without having to log into the BEX server with, or knowing the login credentials of the new (default, SLA, BES, owner) domain admin service account, after migrating to this new account within BEX.

Is it a workable scenario where I could use my OU service account account as a "secondary" BEX account to be the account I access BEX to run, modify, create new backup jobs and restore jobs as well as those that were created using the old default, SLA, BES, owner, domain admin service account?

Again, tnx in advance!!

1 Solution

Accepted Solutions
Highlighted
Accepted Solution!

Re: BEX 2012 SLA Account Scope

If you have an admin account you can log onto the server and then open up BE. THere are no role-based authorizations within BE. It's been asked for...for years, but hasn't ben addressed.

So 1 account essentially to get onto the server and run the services, but an Admin (local or domain) that can get onto the box can essentially access the software.

Thanks!

View solution in original post

6 Replies
Highlighted

Re: BEX 2012 SLA Account Scope

As long as the BESA (Backup Exec Service Account) has the correct permissions to any applications, there is nothing else to do on that front within BE or connecting to servers. Read the TN below on how to make sure you have the correct permissions:

https://www.veritas.com/support/en_US/article.000007290

A much simpler means to change the BESA account details is to open up beutility.exe, right-click the server name and choose the option to change the deault account. Put in the details of the new account, and beutility.exe will restart the services after making the necessary changes.

Thanks!

Highlighted

The BESA and BE SLA account

The BESA and BE SLA account should be the same account, so after following CraigVs beutility sugestion you will also have to do the changes you mention inside the Logon Accounts section of Backup Exec itself

And if you have any specific recource (job specific)  accounts these may also have to be configured / adjusted .

 

With regards you administering the server going forwards as we don't have a Role Based Admin Concept and therefore don't do official testing with admins that have limited permissions I don't think we can fully confirm what issues you may have (either during day to day activity or for different types of restores) - as such I hope you have this security team on a 'bat phone' for quick help if it goes wrong as if you have to ring us we will expect you to have enough  access to help us troubleshoot.

 

Also if your security team have an overall  responsbility to ensure security good practice then you need to get off Backup Exec 2012 (which is in EOL cycle and not subject to patches etc) and get to BE 15 - which has an enhancement to encrypt the BEDB content and access.

 

 

Highlighted

Re: BEX 2012 SLA Account Scope

Tnx both for the replies and I understand the situation is not tested or ideal.

If security initially sets up as if they were me, the new BESA and BE SLA accounts, etc with a domain admin account (that i don't know the passowrd), can I set and use another domain account as default to create, modify, run jobs and restores?  This assumes that the BESA/BE SLA account credentials never change.

Tnx... 

Highlighted

Re: BEX 2012 SLA Account Scope

You might want to read my article below on using the BE Remote Console...

https://www.veritas.com/community/articles/how-leverage-backup-execs-remote-console

Thanks!

Highlighted

Re: BEX 2012 SLA Account Scope

Hi Craig.  I will do that when I get some time but can you tell me if it addresses/answers my previous question?  If not, perhaps one of you can answer it as it may be my only option.

Tnx...

"If security initially sets up as if they were me, the new BESA and BE SLA accounts, etc with a domain admin account (that i don't know the passowrd), can I set and use another domain account as default to create, modify, run jobs and restores?  This assumes that the BESA/BE SLA account credentials never change."

 

Highlighted
Accepted Solution!

Re: BEX 2012 SLA Account Scope

If you have an admin account you can log onto the server and then open up BE. THere are no role-based authorizations within BE. It's been asked for...for years, but hasn't ben addressed.

So 1 account essentially to get onto the server and run the services, but an Admin (local or domain) that can get onto the box can essentially access the software.

Thanks!

View solution in original post