I've installed a 60 day trial of BE 2010 R3 and everything seems to be working nicely, however to administer it I'd like to log in using the remote console.which I've installed on my laptop (win 7 Pro SP1 32 bit) This installs nice and works fine if I log on using the domain admin credentials so I know it's not a firewall issue. As soon as I log on as myself (a member of the backup operators group) I get access denied.
I cant seem to see a list of what security groups I neeed to be in to get access to the media server, I'm hoping that I dont need to be a domain admin as I'm after handing the job of day day running of the backup system to somebody else whom I'd rather weren't domain admins.
Any hints would be much appreciated
The account you connect with needs to be, at the minimum, a member of the Local Admin group on the media server. In reality, it should be a member of Domain Admins (so you have access to any other servers you may be managing/backing up).
Yes this is rather large security hole, but this is the way BackupExec has always worked.
BE does not have role-based logon ids. The BE logon account needs the necessary rights to backup things across the domain which is why you need to use a domain admin account to logon to BE and run jobs. For example, the backup operator would not be able to backup the system state of a DC which contains AD. A domain admin account is needed for this task.
It probably needs something like Remote Logon, Remote Access to DCOM components or one of the following requirements on top of Backup Operator in order to allow the remote admin console to work
"Log on as a servcie"
"Act as part of the Operating System"
"Create a Token Object"
"Manage Audfiting and Security Log"
That said you still need to be aware of PKH's answer abouth the System State backup requirements - although that should not affect use of the console as it is more of a requirement against the account doing the backups.
Just a thought
Our previous version of BE had the services running as domain admin and could thus access the servers correctly, however a backup user was able to access the management of the jobs to check if they had run correctly, schedule new jobs etc.
I agree that the services must run as domain admins, however I question that a user checking the status of jobs should be, they didn’t used to be.
All I'm wanting to do is check the backup without having to log onto the server itself. the old veritas backup exec would let us install the remote admin console and have a regular domain user (with backup operator access) check the backups on a daily basis.
Surely this user doesn't need domain/local admin rights on the server to do this?