08-20-2012 12:10 PM
It seems simple enough: I'd like to run a PowerShell script as a post job command. The script does what it should, but when I make it a post job command, Backup Exec refuses to run it, with the following message in the job history:
Error: Could not start Post Job Command < C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nologo -noninteractive -file "blah.ps1" -test >. Error (1314): A required privilege is not held by the client.
I've searched around and found various suggestions in Symantec support and Technet, none of which seem to make a difference. I'm backing up a user defined share because there's no way to put a remote agent on the remote server. This also means the media server's remote agent service has to run as a domain user to connect.
The post job command is configured to run on the backup exec media server. The system logon account is a domain user, and all of the sevices run as te same account on the media server.
I'm not seeing any failure messages in the security log in Windows Event viewer, and the server is configured to audit all such failures.
Solved! Go to Solution.
08-20-2012 04:01 PM
08-20-2012 04:01 PM
08-20-2012 07:57 PM
I'm backing up a user defined share because there's no way to put a remote agent on the remote server.
I don't understand.
1) what OS is the remote server running that you cannot put a remote agent on it? It is a NAS?
2) What version of BE are you running?
3) What is your Powershell script doing?
4) If you are using your script to backup the share, why can't you backup the share in BE using its FQDN.
5) Can you run the Powershell script when you are logged on as the BESA?
08-21-2012 12:27 AM
Have you looked at this KB - http://www.symantec.com/business/support/index?page=content&id=TECH70754
08-21-2012 12:31 AM
Hi
I have already mention it quiet before, to run remote agent service using local system account.
Thanks
08-21-2012 12:36 AM
Yes, I did see that, however I intended to point out the KB article (the OP had mentioned he had looked at several posts/articles, was just checking if he checked Symwise as well or not)..
08-21-2012 12:40 AM
Hi
Fine ,got your point too
Thanks
08-21-2012 06:24 AM
1) It's a NAS (EMC VNXe). The granular access to the backup gained from backing up as a user defined share trumps the speed benefits of NDMP.
2) 2012 but it also hapened in 2010 R3
3) The script deletes the contents of the shared folder it just backed up (no agent, so no backup and delete jobs), taking care not to delete things that would corrupt the shared folder if they were deleted.
4) N/A. I'm content to let Backup Exec do the backing up.
5) Yes, it works perfectly. A Technet article suggested editing local security policy to allow the BESA to "log on as part of the operating system"
08-21-2012 06:33 AM
Yes, I saw that, but the script isn't for controlling Backup Exec. I thought maybe changing the execution policy for CurrentUser would solve the problem but it didn't.
08-22-2012 12:18 AM
@spencer - How about trying to run this simple script as a post-command?
import-module "\program files\symantec\backup exec\modules\bemcli\bemcli"
get-bejobhistory -fromlastjobrun -jobtype backup > C:\ps-output.txt
08-24-2012 05:21 AM
Exactly the same error. The system doesn't want to let the Remote Agent run powershell at all, never mind what's in the script.
08-24-2012 06:17 AM
I'm floored. This turns out to be an answer. Sort of. It's impossible to accept such a categorical reply without some explanation.
Since pkh's mini-script had the same problem as mine, I decided to try changing the remote agent over to Local System Accont. All the other services run as the domain account.
My test job backs up one file on the NAS device and runs the script. Not only did it run the script, it backed up and verified the file. A point restore job successfully restored the file.
What's the real reason that using Local System Account for the remote agent works? If you're backing up a user defined share without the a remote agent on the other machine, the remote agent on the media server isn't actually used for backing up. Even when the job log says "The Backup Exec server will use the local agent to try to complete the operation." All the remote agent appears to do is run the post-command.
Why doesn't the agent run the script when it's run as the domain user? My guess is that the login session needs elevation in order to run powershell. There may be setings and tweakings I can do to get the domain user to run with elevation by default, but it seems to work.
Of course, my script deletes files stored on the NAS device. And it's running as the local system account. I did an Effective Permissions for the media server's computer account on the shared folder and it appears to have the file system permissions to delete files.
We'll know for sure when the scheduled job runs this evening.
08-24-2012 07:23 AM
To verify this bit:
> the remote agent on the media server isn't actually used for backing up.
I successfully backed up and restored a file that the media server's local system account decidedly did *not* have access to. I'm not sure which of the services is backing up the files, but it's not the media server's remote agent.
08-24-2012 08:48 AM
I just tested that script
Had a .BAT file containing
powershell.exe C:\LastJob.ps1
and inside LastJob.ps1 I had
import-module "D\program files\symantec\backup exec\modules\bemcli\bemcli"
get-bejobhistory -fromlastjobrun -jobtype backup > C:\ps-output.txt
The post command contained the batch file and it was set to run on the media server itself (default is run on remote and will fail if you do not change this as your command is media server specific)
It worked with no issue.
My beremote service is set to local system as such the security context would have been the System Logon account defined inside BE. Although as I backed up local resoruces on the media server it is possible that the security context might be the account used to access the remote system in the Backuop job configs for your environment.
As such what you probably need to do is login to the Windows/Operating System console of the media server using whatever account is the System Logon and then start the powershell based BE Management Command Line Interface and check that it starts and that you can run your get-xxx command without error.
08-24-2012 10:26 AM
Please explain this:
> My beremote service is set to local system as such the security context would have been the System Logon account defined inside BE.
The local system account is called NT AUTHORITY\SYSTEM locally and the Active Directory computer account DOMAIN\SERVER$ from other computers in the domain.
The System Logon account has completely different credentials, e.g. a domain user such as DOMAIN\BKUPEXEC
They're two different things. Does the remote agent impersonate the System Logon credentials during the backup?
08-25-2012 06:34 PM
Not being able to run Powershell scripts is an interesting side-effect of not using the LSA to start up the BE remote agent service. By default, the BE remote agent service uses the LSA on all servers, media as well as remote servers.
08-28-2012 03:45 AM
The bremote agent runs as local system in terms of the services but to access data for the backup the account name specified in the backup job properties is used and would be DOMAIN\user
Also please bear in mind when I refered to System Logon Account earlier, I meant the account defined as "System Logon Account" inside of Backup Exec - I was not referring to the Microsoft/Operating system use of the same term, This account will also use a DOMAIN\user account.