
Opening BE 9.1 Console on Domain Controller

Phill_Claxton
Level 2
I have Backup Exec 9.1 installed on a Domain Controller in my domain and I need IT staff to be able to maintain the backup jobs and the drive attached to the server. However I cannot give them Domain Admin rights, or make them a member of the Built-in Administrators or Backup Operators groups as this will let them access the other Domain Controllers in my organisation.

How can I set the permissions to allow them to maintain the system without adding them to these groups?
6 REPLIES 6

Ajit_Kulkarni
Level 6
Hello,


VERITAS recommends giving the Backup Exec service account Domain Admin rights because this is the maximum right that may be given in a Domain environment, which will be helpful in backing up all the servers in the domain. However, if this is not possible then the user should at least be a part of the backup operator group and should have local administrator rights of the systems being backed up.



http://support.veritas.com/docs/243033

Hope it answers your query.

Regards.


NOTE : If we do not receive your reply within two business days, this post would be marked ‘assumed answered’ and would be moved to ‘answered questions’ pool.

Sheetal_Risbood
Level 6
As per our previous reply, marking the case as assumed answered and moving it to answered questions pool.

Phill_Claxton
Level 2
Thanks Ajit for the reply and sorry for taking so long to come back to you.

My Backup Exec service account is a domain admin, however I need a user to be able to "maintain" the backup system by at least performing tape loading/unloading/erasing operations. However, as the BE Server is a Domain Controller, I cannot and do not want to make them a member of the Built-in Administrators or Backup Operators groups. Is there a way, or what permissions do I need to give this person, to open the BE Console? At present the only way I have been able to do this is to add them to Backup Operators, however this affects all Domain Controllers in our organisation (approx 20), which is a security risk.

Any help would be much appreciated.

Thanks,

Phill

Renuka_-
Level 6
Hello,

If the account has administrator rights on the resource being backed up, absence of the backup operator membership does not make a difference. It is in fact recommended not to add the Backup Exec account to the backup operators group.

Domain Administrator rights should be sufficient to back up all resources in that domain.

For details on the rights required to back up a resource, please check out this document:

Title : How to configure Windows NT and Windows 2000 security to enable the Backup Exec service account to protect data in a domain network environment

http://support.veritas.com/docs/236744

NOTE : If we do not receive your reply within two business days, this post would be marked ‘assumed answered’ and would be moved to ‘answered questions’ pool.

Phill_Claxton
Level 2
I am not sure you have understood the question. Maybe I am not explaining the situation correctly.

The Veritas Backup Exec service account does have Domain Admin rights and this is working fine. What I need is another user account that is not a Local Administrator or Backup Operator to manage the Veritas system. Is this possible? I have tried using "User Rights Assignment" and setting NTFS permissions on the folders but they still cannot open the Veritas Console.

Thanks

Ajit_Kulkarni
Level 6
Hello,

As mentioned by you in your reply on 31st May, "My Backup Exec service account is a domain admin however I need a user to be able to "maintain" the backup system by at least performing tape loading/unloading/erasing operations".

If it is so then the user you wish to use, give it Domain User rights. Please refer to the following technote to create a new user:

How to change the user name or password of the VERITAS Backup Exec Services Account in VERITAS Backup Exec (tm) 9.x for Windows Servers
http://support.veritas.com/docs/254246

Regards

NOTE : If we do not receive your reply within two business days, this post would be marked "assumed answered" and would be moved to "answered questions" pool.