We run NetBackup 8.0 on a server at our site. For the Windows services 'NetBackup Client Service', 'NetBackup Remote Manager and Monitor Service' and 'NetBackup Web Management Console', we have them running under a local user account which is a local administrator on the server.
I am part of the IT team for the site. The central IT team have installed Local Administrator Password Solution (LAPS) on all servers recently, which means that the passwords for all local admin accounts get automatically changed by the software every 42 days, therefore of course the services fail.
Rather than simply uninstalling LAPS, I want to see if there is a better way. One way I thought to get around this is to use a local standard user (non-administrator) account instead, and just assign it the privileges needed to run the services correctly.
I followed the second post on this article... https://vox.veritas.com/t5/NetBackup/NetBackup-Service-Account-requirements/td-p/625893
I created a new standard local user, and I set the following permissions for the user in the local group policy editor, and rebooted...
- Act as part of the operating system
- Replace a process level token
- Logon as a service
- Create a token object
But unfortunately I couldn't start the service with the new user, so I've had to revert back to the local admin user for now.
Do you know what else I need to set to make sure that this standard local user can successfully run the services above?
No, this is exactly what I'm trying to avoid doing.
I know it works if you put it in the administrators groups, because that's what the current setup is.
What I'm asking is how to get this to work for a standard users by adding specific privileges.
There are two potential resolutions for this issue:
1. Modify the NetBackup Legacy Network Service so that the service starts using the Local System account
2. In the Local Security Policy on the host, for the account which the NetBackup Legacy Network Service starts with, provide the account these security permissions:
Drill into: Security Settings > Local Policies > User Rights Assignment
Run the following command to immediately enforce the updated security policy
Restart NetBackup services
My question was regarding the following three services...
'NetBackup Client Service'
'NetBackup Remote Manager and Monitor Service'
'NetBackup Web Management Console'
For the 'NetBackup Legacy Network Service', it is already running under the 'Local system' account and it is functioning correctly.
Can you run the service "NetBackup Client Service" and NetBackup Remote Manager and Monitor Service" as LOCAL SYSTEM (this is usually the default). If so this will work for those.
For the "NetBackup Web Management Console", this shouldn't be running with any admin privileges - so the account you created should be fine. However it is not as simply as just changing the user for this account. There are various additional steps required to set appropriate permissions within NetBackup. REfer to this article which describes how to do this:
Hope this helps
'NetBackup Client Service'
and 'NetBackup Remote Manager and Monitor Service'
run by default under LocalSystem account.
There are some circumstances where the services need to be changed, such as BasicDisk on a CIFS share.
What is your reason for changing these services?
davidmoline - Thanks for the article - that worked great.
Marianne - removing the local admin privilege from these remaining two services is my objective, to avoid the effects of LAPS as mentioned in my original post. I think you're right, I think there is a reason (CIFS storage with AdvancedDisk and BasicDisk storage units) why these two accounts are set to 'Administrator' rather than the Local System account. I've only just inherited this backup system from a colleague, and it's so long since he set this up originally he doesn't remember why it was needed for these two services to be running under a specific user account with dredentials rather than Local System.
Do you know how I can check whether this is still needed on my setup?
Also, the article you posted says...
The account must be the same account that the Windows operating system uses for read and write access to the CIFS share.
Configure the account and the credentials on the media server or media servers that have a file system mount on the CIFS storage. Then, configure Windows so that the two aforementioned services use that account.
Pardon my ignorance on this issue, but can you explain where do I look to see if there are any CIFS shares, and do I need to put the credentials of the new user in somewhere?
Since you have been referring to the Web Management Service, this server is I assume the master server.
The simplest way would be to determine if there are any CIFS shares attached to the server itself (in a Windows Explorer windows look for a drive letter that shows something like "Share (\\cifsserver) M:". If there are none, then you don't have to worry about using anything except LOCAL SYSTEM for the services (except the Web Management service).
If you do have something mounted via CIFS, you then need to determine if this is being used for NetBackup. And if this is for a disk pool (Advanced or Basic). The GUI can help if you can access this, or if not the "bpstulist -L" command and possible the "nbdevquery -listdv -stype AdvancedDisk -U" & "nbdevquery -listdp -stype AdvancedDisk -U".
It may require some poking around to make sure.
Indeed it is the master server.
OK I've checked Windows Explorer and the only two disks there are both Local Disk NTFS, therefore we should be OK with setting these to Local System. Perhaps there were CIFS shares in the past that have since been taken away.
Thanks I'll give that a go and come back if it breaks something.
Thanks everyone for your help.
Oh, you're right, in Storage Units there is one that has CIFS in its name and has a disk type of 'BasicDisk', and it has an UNC path.
I guess the next question is, how do I get these two services to run under my other non-admin user? When I tried this, I couldn't get the services to start.