BEX2012 (New) Account Management

ksdst1
Level 5

We are migrating our current Dept. domain into a larger enterprise domain and thus the current domain admin account will not exist when the domain is collapsed and the backup exec 2012 server is migrated to the new enterprise domain.  This current domain admin account is set as the default, SLA, BES and Owner account.

I will manage our Department’s OU in the new domain, and have a “service user account” in the new domain that will be added, through group policy, as a local administrator to all computers/servers added to our OU, although it will not be a member of the domain administrators group. 

I will need to use this service user account in place of the current domain admin account as the default, SLA, BES and Owner account. 

If I understand the various BEX support articles, I will need to add this new account using Logon Account Management, set it as the default user, then change the ownership to itself, and then set it as the SLA for the BE services, restart and voilà.

Is this the most prudent order and procedure?  Is there a problem that the new service user account will not be a domain admin account, but instead be a member of the local admin group of all computers and servers (including the BEX server that is also the file server it backs up)?

This account’s password has a three month change policy.  I assume I would have to change the SLA password to match the domain password (would this be a case for using a local server admin account as the default, SLA, BES and Owner account)?  Are there other unforeseen issues that may arise? (BTW, I have no encryption keys and no remote servers.)

Tnx in advance!!

Accepted Solutions

Colin_Weaver
Moderator
Employee Accredited Certified

Backup Exec does not currently have a role based admin configuration option so you may have issues with security limitations that we have never tested against.

Whilst it is recommended to use a separate service account for BE it will need to be a domain admin (primarily to back up DCs but there are other reasons usually linked with DB technologies or components with the System State and Shadow Copy areas) - OK these might not apply to you but you might only find the limitations by testing backups and restores. It is possible that anything to do with OU inheritance/hierarchy might cause issues if the security access we need is limited to your OU - we almost certainly do not test with this kind of security split so if you do experience issues you may have to prove that full security access works and then change one security restriction at a time to restrict your security.

It also is recommended that that account is not set to require regular password changes because it can be complicated to change all the locations that use the password and you are likely to lock out the backup account (causing backup job failures) at an inappropriate moment. Note such accounts should rarely need to be logged into by an admin (other than during initial installation and setup) so the security risk of someone else learning the password should be minimal.

pkh
Moderator
VIP Certified

I don't think your new account will work if it is not a domain admin.  See the document below for the rights requirements of the BESA

http://www.veritas.com/docs/000028683

ksdst1
Level 5

Thank you both for the responses!  I'm afraid this is becoming complicated!  I will have to discuss with Enterprise Security about them creating a unique service account that is part of the domain admin group.

I still need to address the process of migrating to the new service account (hopefully domain admin) from the old default, SLA, BES and Owner, domain admin account.  (Prev Post: If I understand the various BEX support articles, I will need to add this new account using Logon Account Management, set it as the default user, then change the ownership to itself, and then set it as the SLA for the BE services, restart and voilà. Is this the most prudent order and procedure?)

Colin, I could use some clarification about BEX account roles.  You mention that "such accounts should rarely need to be logged into by an admin (other than during initial installation and setup)".  I’m considering the event that Enterprise Security agrees to add the new service account to the domain admin group, but does not want to offer me the log on credentials.  They may need to log into the server remotely during the migration to the new service account, to enter the account credentials when prompted.

Can you please explain what “installation and setup” actions may need to be performed which would require the knowledge of the new service account’s login credentials, eg. during the initial creation and migration to the new service account (this is considering that the manual password I’d initially need to set within BEX for this account would need to be the same as the set domain password for the account)?

Does “setup” also mean creating/modifying or creating new or existing backup jobs?  How about restore processes?  

Basically, I’d like to know if I would be able to use BEX as I do now, without having to log into the BEX server with, or knowing the login credentials of the new (default, SLA, BES, owner) domain admin service account, after migrating to this new account within BEX.

Is it a workable scenario where I could use my OU service account as a "secondary" BEX account to be the account I access BEX to run, modify, create new backup jobs and restore jobs as well as those that were created using the old default, SLA, BES, owner, domain admin service account?

Again, tnx in advance!!