backup exec user rights assignment

• Data Protection
• Availability
• Community Insights
• Technical Blogs
• Backup Exec

Backupexec system rights needed

• Subscribe to RSS Feed
• Mark Topic as New
• Mark Topic as Read
• Float this Topic for Current User
• Printer Friendly Page

• Mark as New
• Report Inappropriate Content

‎04-24-2014 07:13 AM

Solved! Go to Solution.

• Agent for VMware Virtual Infrastructure
• Backup and Recovery
• Backup Exec Appliances
• Backup Exec Infrastructure Manager
• Configuring
• Deduplication Option
• Virtualization
• Windows Server (2003-2008)
• All forum topics
• Previous Topic

‎04-24-2014 07:20 AM

View solution in original post

‎04-24-2014 07:34 AM

‎04-24-2014 08:19 AM

‎04-24-2014 12:50 PM

‎05-05-2014 05:31 AM

‎05-05-2014 05:35 AM

never-displayed

• NetBackup doesn't need ip of CoFC-storeonce or DFC-datadomain . Is it right ? Or not ? in NetBackup 02-23-2024
• Need help for Exchange server 2019 Databases backup through Netbackup or Backupexec in Backup Exec 06-14-2023
• Setup of malware scanning in Netbackup 10 in NetBackup 05-30-2022
• Unexpected reboots starting after upgrade to Backup Exec 21.2 in Backup Exec 10-05-2021
• Write Protection in Backup Exec 11-09-2020

• Privacy Policy
• Terms & Conditions

Requirements for BESA. Really?

Just minding your own business and before you know it those backups are failing!

Some issues that may occur if BESA does not have the required rights: • Backups or Restores are failing • Log on Account Errors • In the backup selections “Enable Trust relation" keeps displaying • During an install of Backup Exec for Windows Servers when entering the service account information the error "Unable to authenticate with the user and password information given for \User name " appears . • On system boot, the Backup Exec Device and Media Service fails to start automatically and generates Event ID 7041

All of the Backup Exec services (except the Backup Exec Remote Agent) run under a user account which the Backup Exec system services use. When a user account is configured for the Backup Exec services to use it is known as the BESA (Backup Exec Service Account).

During the Backup Exec install the Backup Exec service Account (BESA) and the Backup Exec system logon account are both configured to use the same user name. If you change the user name for the service account, then you should also change the Backup Exec system logon account and make sure it is using the appropriate credentials.

In group policy the following User Rights need to be associated with the Backup Exec User Account • Act as part of the operating system • Backup files and directories • Create a token object • Log on as a batch job Log on as a service • Manage auditing and security log (BE 2010 R3 and later) • Restore files and directories • Take ownership of files and other objects

Step 1: How to get those User Rights Assignments looking good?

If the User Rights Assignments need to be changed on a local machine: Go to Start, click Control Panel, click Administrative Tools, click Local Security Policy then under Security Settings, expand the Local Policies and Select User Rights Assignment. To Change the User Rights on the Domain Controller: Go to the Administrative Tools, click on the Domain Controller Security Policy , expand the Local Policies and Select User Rights Assignment. In the pane on the right side select the Policy that needs to be changed or checked for the Backup Exec Service Account

Step 2: User Rights finishing touches.

Also make sure the account is not added under: Deny logon as a service Deny logon as a batch

After making changes run "gpupdate” to refresh local and Active Directory-based Group Policy settings, including security settings.

NOTE: The service account also needs to be a member of • Domain Admins (Recommended) or Administrators • Backup Operators

Step 3: Backup Exec Account password

Important: In Active Directory the Backup Exec Account password needs to match the password for the Backup Exec System Logon Account.

Step 4: Dont forget the Backup Exec Service Account (BESA)

Make sure that in the Backup Exec console the System Logon is set in “Domain\Username” format

Thanks for sharing!

Thanks for your help, clear and schematic.

Related Topics

• Stack Overflow Public questions & answers
• Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers
• Talent Build your employer brand
• Advertising Reach developers & technologists worldwide
• Labs The future of collective knowledge sharing
• About the company

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Get early access and see previews of new features.

How to assign user rights to a local user account through powershell?

I want to modify the user rights associated with a local user account.I want to add groups and users to a particular User Rights. This is done by opening the group policy and opening the following folder in the console tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Then click on the required user Right and add the user or group to it.

Is it possible to do the same through powershell scripts?

4 Answers 4

What I would do is open SecPol.msc, make your modifications via the GUI to a baseline computer and export an .inf template for installation via powershell.

The template can be installed with secedit.exe. If you want, you can open the inf file in a text editor and scroll until you see the [Privilege Rights] section. Here is one for example.

Run this command and reboot. Edit .inf and .db names as appropriate.

Found a third party command line solution. ntwrongs.exe

http://forums.mydigitallife.info/threads/57557-NTWrongs%99

Here is a purely powershell method - https://stackoverflow.com/a/26393118

To build upon @Knuckle-Dragger's answer:

I couldn't add my user to the secreatesymboliclinkprivilege setting ( Computer Configuration > Windows Settings > Security Settings > Local Policies > ** User Rights Assignment** > Create symbolic links ), always with the error "The specified domain either does not exist or could not be contacted", and it worked with his method, for my DOMAIN\user account from the whoami output:

Your Answer

Reminder: Answers generated by artificial intelligence tools are not allowed on Stack Overflow. Learn more

Sign up or log in

Post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

Not the answer you're looking for? Browse other questions tagged windows powershell or ask your own question .

• The Overflow Blog
• Introducing Staging Ground: The private space to get feedback on questions...
• How to prevent your new chatbot from giving away company secrets
• Featured on Meta
• The [tax] tag is being burninated
• The return of Staging Ground to Stack Overflow
• The 2024 Developer Survey Is Live
• Policy: Generative AI (e.g., ChatGPT) is banned

Hot Network Questions

• A phrase that means you are indifferent towards the things you are familiar with?
• Are your memories part of you?
• Linearity of differential forms
• How is this function's assembly implementing the conditional?
• Moving after copying in assignment of conditional operator result
• Fiber product of schemes and tensor calculations
• My vehicle shut off in traffic and will not turn on
• Accumulated charge in conductors
• NES Emulator in C
• What should I get paid for if I can't work due to circumstances outside of my control?
• A man is kidnapped by his future descendants and isolated his whole life to prevent a bad thing; they accidentally undo their own births
• Integrating slower growing functions to find a faster growing function
• Python matrix class
• Dispute cancellation fees by 3rd-party airline booking
• How to remind myself of important matters in the heat of running the game?
• What's the maximum amount of material that a puzzle with unique solution can have?
• Book recommendation introduction to model theory
• Romans 3:22 – ‘of’ or ‘in’? Old translations differ from modern ones. Why?
• How often does systemd journal collect/read logs from sources
• Is it rational for heterosexuals to be proud that they were born heterosexual?
• Visual Studio Code crashes with [...ERROR:process_memory_range.cc(75)] read out of range
• What legal reason, if any, does my bank have to know if I am a dual citizen of the US?
• Matter currents
• Which program is used in this shot of the movie "The Wrong Woman"

TechRepublic

TechRepublic | Forums | Networks

• Register Now or SIGN IN to post
• Recent Activity
• Creator Topic

Group Policy – User Rights Assignment

by locolobo · about 16 years, 11 months ago

I have a small network with Win 2003 Servers. One of them runs BackupExec. It is a stand-alone server. Apparently I can’t perform windows updates on this server. Googling the problem showed that my administrator doesn’t have the rights to

1. Back up files and directories 2. Restore files and directories 3. Manage auditing and security log

Under Group Policy – Local Security Settings – Local Policies – User Rights Assignment I can find these rights, but when I open them up the “Add Users or Groups” button is grayed out. I have tried this from the stand-alone server and from the DC (using Group Policy Manager) without any luck. The sole user who has these rights is “veritas”, the user set up for Backup Exec. I vaguely remember giving him the rights but don’t remember taking them away from the administrator although I must have. Does anybody know where to go to actually edit these rights?

All Answers

• Author Replies

Clarifications

In reply to Group Policy – User Rights Assignment

DOH! Nevermind, I figured it out!

In the Group Policy Management Console go to Default Domain Policy and right click in the right pane and choose Edit.

That opens up the ‘Group Policy Object Editor’! From there it works. Alright I admit it, I’m slow. 🙂

Sorry about that.

Create a TechRepublic Account

Get the web's best business technology news, tutorials, reviews, trends, and analysis—in your inbox. Let's start with the basics.

* - indicates required fields

Sign in to TechRepublic

Lost your password? Request a new password

Reset Password

Please enter your email adress. You will receive an email message with instructions on how to reset your password.

Check your email for a password reset link. If you didn't receive an email don't forgot to check your spam folder, otherwise contact support .

Welcome. Tell us a little bit about you.

This will help us provide you with customized content.

Want to receive more TechRepublic news?

You're all set.

Thanks for signing up! Keep an eye out for a confirmation email from our team. To ensure any newsletters you subscribed to hit your inbox, make sure to add [email protected] to your contacts list.

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

User Rights Assignment

• 1 contributor
• Windows 10

Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.

Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment , or on the local device by using the Local Group Policy Editor (gpedit.msc).

For information about setting security policies, see Configure security policy settings .

The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security.

Related topics

• Security policy settings reference

Additional resources

404 Not found

• NIST 800-53
• Common Controls Hub

The Back up files and directories user right must only be assigned to the Administrators group.

• IT Administration Forum
• PowerShell Forum
• Community Forum
• PowerShell Group
• Earning as 4sysops member
• Member Ranks
• Member Leaderboard – This Month
• Member Leaderboard – This Year
• Member Leaderboard – All-time
• Author Leaderboard – 30 Days
• Author Leaderboard – 365 Days
• Cloud Computing
• Write for 4sysops
• User rights assignment in Windows Server 2016

4sysops - The online community for SysAdmins and DevOps

Built-in local security principals and groups

Center for internet security, local policies/user rights assignment.

• Recent Posts

• KeePassXC: A free cross-platform password manager - Wed, Jun 5 2024
• Improve Windows performance with Microsoft PC Manager - Mon, Apr 8 2024
• Verify digital file signature with SigCheck - Mon, Mar 4 2024

Security policy settings are sets of rules that control various aspects of protection. They include account policies, local policies, user rights assignment, the Windows firewall, software restrictions, and so on. There are several ways to configure security policy settings. The most common are:

• Group policy objects (GPO) – Used in Active Directory domains to configure and regularly reapply security settings to multiple computers.
• Local security policy (secpol.msc) – Used to configure a single (local) computer. Note that this is a one-time action. If another administrator changes these settings, you will need to manually change them back to the required state.

As most organizations use an Active Directory domain, it is preferred to apply security settings via group policies. You should have at least three security baselines created and linked in your domain, based on the following machine types:

• Domain Controllers (DC)
• Member Servers (MS)
• User Workstations

Configuring user rights assignment via Goup Policy

If you have multiple versions of operating systems (OS) running on these machines, you should create separate baselines for each OS version, as some settings might not be available. This also enables stricter configuration for older systems, as they are usually less secure.

It is a best practice to configure security policies using only built-in local security principals and groups, and add needed members to these entities. This gives you much better visibility and flexibility, as GPO provides more options to manage local group members, than to manage security policy members. For example, it's not possible to add a group whose name is generated using system variables (e.g., LAB\LocalAdmins_%COMPUTERNAME%) to a security policy; however, the group can be added to the Administrators group itself.

Security policies do not support generated group names

• Administrators – Members of this group have full, unrestricted access to the computer. Even if you remove some privileges from the Administrators group, a skilled administrator can still bypass those settings and gain control of the system. Only add highly trusted people to this group.
• Authenticated Users – A special security principal that applies to any session that was authenticated using some account, such as a local or domain account.
• Local account and member of Administrators group – A pseudogroup available since Windows Server 2012 R2. It applies to any local account in the Administrators group and is used to mitigate pass-the-hash attacks (lateral movement).
• Remote Desktop Users – Members of this group can access the computer via Remote Desktop services (RDP).
• Guests – By default, this group has no permissions. I don't think there is any need to use the Guest account and group today.

The Center for Internet Security (CIS) is a well-known non-profit organization that focuses on cybersecurity. To improve your knowledge of cybersecurity, you can access their free materials:

• CIS Controls – A set of 20 basic and advanced cybersecurity actions (controls). Using these, you can stop the most common attacks.
• CIS Benchmarks – Guidelines with specific configuration steps and detailed explanations. CIS Benchmarks are available for various products such as Windows Server, SQL Server, Apple iOS, and many more.

Both can be downloaded in exchange for your email address. There's no need to worry—there will be no further email, unless you choose to receive them.

Many companies and institutions create their security baselines based on CIS. I recommend you read CIS Controls. It really helped me to understand the importance of various security actions and settings.

CIS Benchmarks example

User rights assignments are settings applied to the local device. They allow users to perform various system tasks, such as local logon, remote logon, accessing the server from network, shutting down the server, and so on. In this section, I will explain the most important settings and how they should be configured.

For each setting, the following format is used:

Name of the setting: Recommended value, or values

Access Credential Manager as a trusted caller: No one (empty value)

Access to the Credential Manager is granted during Winlogon only to the user who is logging on. Saved user credentials might be compromised if someone else has this privilege.

Access this computer from the network: Administrators, Authenticated Users

Required for users to connect to the computer and its resources, such as an SMB share, shared printers, COM+, etc. If you remove this user right on the DC, no one will be able to log on to the domain.

Note : On DCs, you should also add the “ENTERPRISE DOMAIN CONTROLLERS“ group.

Allow log on locally: Administrators

The default configuration includes the Users group, which allows a standard user to log on to the server console. Limit this privilege only to administrators.

Allow log on through Remote Desktop Services: Administrators, Remote Desktop Users

It's common practice that some applications are used via RDP sessions by standard users. This privilege is also frequently required for remote assistance offered by an organization's helpdesk. If a server is running Remote Desktop Services with the Connection Broker role, the Authenticated Users group must also be added to this privilege.

Note: On the DC, it is recommended to allow only administrators to connect via RDP.

Back up files and directories: Administrators

This is a sensitive privilege that allows a user to bypass NTFS permissions (only via an NTFS API interface, such as NTBACKUP). A malicious user could backup and restore data on a different computer, thereby gaining access to it.

Deny access to this computer from the network/Deny log on through Terminal Services: Local account and member of Administrators group, Guests

The default value is only Guests. You should add the second group to prevent pass-the-hash attacks, so if a local elevated user is compromised, it cannot be used to elevate privileges on any other network resource, or access it via RDP.

Force shutdown from a remote system/Shut down the system: Administrators

Only administrators should be able to shut down any server, to prevent denial-of-service (DoS) attacks.

Manage auditing and security log: Administrators

This is a sensitive privilege, as anyone with these rights can erase important evidence of unauthorized activity.

Note: If you are running MS Exchange, the “Exchange Servers” group must be added to DCs.

Restore files and directories: Administrators

Attackers with this privilege can overwrite data, or even executable files used by legitimate administrators, with versions that include malicious code.

Take ownership of files or other objects: Administrators

User having this privilege can take control (ownership) of any object, such as a file or folder, and expose sensitive data.

Deny log on as a batch job/Deny log on as a service/Deny log on locally: Guests

To increase security, you should include the Guests group in these three settings.

Debug programs/Profile single process/Profile system performance: Administrators

This setting allows a user to attach a debugger to a system or process, thereby accessing critical, sensitive data. It can be used by attackers to collect information about running critical processes, or which users are logged on.

Change the system time: Administrators, Local Service

Changes in system time might lead to DoS issues, such as unavailability to authenticate to the domain. The Local Service role is required for the Windows Time service, VMware Tools service, and others to synchronize system time with the DC or ESXi host.

Create a token object: No one (empty value)

Users with the ability to create or modify access tokens can elevate any currently logged on account, including their own.

Impersonate a client after authentication: Administrators, Local Service, Network Service, Service

An attacker with this privilege can create a service, trick a client into connecting to that service, and then impersonate that account.

Note: For servers running Internet Information Services (IIS), the "IIS_IUSRS" account must also be added.

Load and unload device drivers: Administrators

Malicious code can be installed that pretends to be a device driver. Administrators should only install drivers with a valid signature.

I hope this article helped you to understand why it is important to define a security baseline for your systems. Many of the settings are already configured properly following server deployment; however, if they are not controlled by a GPO, they can be manipulated by malicious users. Be careful to whom you grant administrator permissions.

IT Administration News

• Code security configurations can now be enforced – The GitHub Blog
• PHP fixes critical RCE flaw impacting all versions for Windows
• Configuration Manager technical preview version 2405 – Microsoft Community Hub
• Apple to launch a new Passwords app at WWDC 2024, states report – Neowin
• Microsoft Research chief scientist has no issue with Recall The Register

Read All IT Administration News

Join our IT community and read articles without ads!

Do you want to write for 4sysops? We are looking for new authors.

• Windows Server security features and best practices
• Security options in Windows Server 2016: Accounts and UAC
• Security options in Windows Server 2016: Network security

Enable Microsoft Entra ID passkey authentication

KeePassXC: A free cross-platform password manager

Configuring external authentication methods in Microsoft 365 with Microsoft Entra ID

Integrate Microsoft Graph activity logs for Microsoft 365 with Azure Monitor

Disable Basic Authentication for SMTP AUTH in Exchange Online

Rotate BitLocker recovery passwords, delete used keys from Active Directory

Delegate permission to unlock Active Directory accounts

Partition Windows drive in WinPE using PowerShell

Allow end users to execute code on the Windows logon screen with administrator privileges

New mitigations for CVE-2023-24932 (BlackLotus) in the April update, not yet enabled by default

Combining password policies for Active Directory and Entra ID (Azure AD)

Create, use, and manage Windows Passkeys

Improve Windows performance with Microsoft PC Manager

Encrypt and decrypt with Ansible Vault

Critical alert: SSH and XZ vulnerability (CVE-2024-3094) – Testing and remediation

Forgot BitLocker PIN: recover encrypted drive

Privacy settings in Microsoft Edge: disable tab grouping, follow creators, similar sites, and shopping recommendations

Convert certificate format with OpenSSL

Verify digital file signature with SigCheck

Sudo for Windows vs. Runas and Sudo for Linux

Created a domain account to use as a service account and then tried to run powershell cmdlets against the active RDS management server.

Gave that account local admin access on the broker servers and then was able to get further.

Got the error “Access is denied” when trying to run the invoke-RDUserLogoff(with correct hostserver and unifiedsessionID values) to log off a session using that account.

Need to know what permissions should be granted to the account to provide ability to run this command and where like on the broker or the session host.

I can’t run the RD cmdlets on the RD broker to remove a user session without local administrator privileges on the broker and session host.

I need to know what user permissions are necessary to run these cmdlets as giving local admin is not desired.

Sir we are having user1 in server1. We want to collect logs of server1 from server2 using credentials of user1. Surprisingly even after entering the credentials of user1 in event viewer it is taking loggedin credentials of the user logged into server2.

Leave a reply Click here to cancel the reply

Please enclose code in pre tags: <pre></pre>

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.

Receive new post notifications

Subscribe to Newsletter

Follow 4sysops.

Please ask IT administration questions in the forums . Any other messages are welcome.

Log in with your credentials

or      Create an account

Forgot your details?

Create account.

SqlBak Blog

SQL Server Backup Permissions

We will also explain what are some of the most advanced options for backing up databases and how you can give these privileges as well to some of your most trusted users.

In this article we will talk about the minimum required permissions in order for users to take database backups of SQL Server databases as well as more extensive permissions which give access to more important tools and commands.

Minimum backup permissions

If you want to create a user and give him minimum permissions in order to just backup the database, without being able to read or modify the data in the database, here is how you have to configure this user.

When setting the Login Properties for the user make sure that in the Server Roles section, “public” is checked (it should be automatically).

In the User Mapping menu section which gives you access to the Database Level permissions , make sure you select the database you want to give the user backup permissions to.

After doing so, make sure you check the following list of roles for the user you’ve selected, on the database you’ve selected in order to give him just backup permissions:

• db_backupoperator –  This role will allow the user to take backups of the database
• db_denydatareader –  This role will deny the user access to the database’s data, so he cannot read the data from its tables
• db_denydatawriter –  This role will deny the user access to modify the database’s data, so he cannot run any UPDATE or DELETE queries
• public –  Every user that is set up on the database is part of the public database role. When a user is denied access permission on a securable object, that user will inherit the permission to the public for that object.

5 thoughts on “SQL Server Backup Permissions”

Thanks, this is great info!

The SQL syntax would be a nice touch here.

It is really helpful for me.

Thanks for the detailed Steps. It saved my day.

Bear in mind that this works for backup, but not restore.

Leave a Comment Cancel reply

404 Not found