07-07-2011 12:15 PM
Can it be explained why Backup Exec requires Domain Admin rights to backup Exchange 2007? What are the alternatives to this privileged level? What documentation supports this?
Can't Backup Exec backup Domain Controllers with simply built-in Backup Operator rights? If not, why? The continual need to add service accounts to elevated Admin rights is a security issue as well as an audit issue.
07-07-2011 01:18 PM
See this technote "What rights does the Backup Exec service account need":
http://www.symantec.com/business/support/index?page=content&id=TECH23689
07-08-2011 02:47 AM
Just for info some time ago I tested doing a complete Backup of a Domain controller with just Backup Operator Permissions and it failed against the VSS operation on the System State, basic research I did at the time showed that a VSS operation against System State components relating to domain controllers could nto be performed unless you had Domain Admin rights. As such you do need Domioan Admin on a DC anyway. This limitaion is not a Backup Exec Limitation as it is more of a VSS limitation.
I haven't specifically looked into the Exchnage permission you questioned but almost certainly something similar will apply.
You should also note that our permissions are often documented as generic requirements to achieve a Backup and a Restore - in some situations it might be possible to achive a backup with less permissions, however we do not document or specifically test for the differences as most BE customer swant an all-in-one set of security requirements.