09-12-2011 08:44 AM
I've installed a 60 day trial of BE 2010 R3 and everything seems to be working nicely, however to administer it I'd like to log in using the remote console.which I've installed on my laptop (win 7 Pro SP1 32 bit) This installs nice and works fine if I log on using the domain admin credentials so I know it's not a firewall issue. As soon as I log on as myself (a member of the backup operators group) I get access denied.
I cant seem to see a list of what security groups I neeed to be in to get access to the media server, I'm hoping that I dont need to be a domain admin as I'm after handing the job of day day running of the backup system to somebody else whom I'd rather weren't domain admins.
Any hints would be much appreciated
09-12-2011 09:22 AM
The account you connect with needs to be, at the minimum, a member of the Local Admin group on the media server. In reality, it should be a member of Domain Admins (so you have access to any other servers you may be managing/backing up).
Yes this is rather large security hole, but this is the way BackupExec has always worked.
09-12-2011 06:51 PM
BE does not have role-based logon ids. The BE logon account needs the necessary rights to backup things across the domain which is why you need to use a domain admin account to logon to BE and run jobs. For example, the backup operator would not be able to backup the system state of a DC which contains AD. A domain admin account is needed for this task.
09-13-2011 01:09 AM
It probably needs something like Remote Logon, Remote Access to DCOM components or one of the following requirements on top of Backup Operator in order to allow the remote admin console to work
"Log on as a servcie"
"Act as part of the Operating System"
"Create a Token Object"
"Manage Audfiting and Security Log"
That said you still need to be aware of PKH's answer abouth the System State backup requirements - although that should not affect use of the console as it is more of a requirement against the account doing the backups.
09-14-2011 06:13 AM
maybe you can add your account as power user, if still has access issue, you need to add your account to the domain admins/ or use the domain admin for access.
09-22-2011 06:08 AM
Thanks for the replies I will try the suggestions. Have been working offsite with clients for the last week so have only just seen the updates to the thread.
09-22-2011 06:20 AM
Just a thought
Our previous version of BE had the services running as domain admin and could thus access the servers correctly, however a backup user was able to access the management of the jobs to check if they had run correctly, schedule new jobs etc.
I agree that the services must run as domain admins, however I question that a user checking the status of jobs should be, they didn’t used to be.
All I'm wanting to do is check the backup without having to log onto the server itself. the old veritas backup exec would let us install the remote admin console and have a regular domain user (with backup operator access) check the backups on a daily basis.
Surely this user doesn't need domain/local admin rights on the server to do this?