
How to create a System Logon Account in Backup Exec for Windows Servers

Problem

How to create a System Logon Account in Backup Exec for Windows Servers

Solution
The Backup Exec System Logon Account (SLA) is created on installation of Backup Exec. When the SLA is created, the username and password match the credentials provided during install for the Backup Exec Services credentials. The owner of the SLA is the Windows user that installed Backup Exec and is a common account by default. Common accounts are shared accounts that can be accessed by all users. The Backup Exec System Logon Account may have access to most or all of the resources since it contains the Backup Exec Services credentials. In order to make Backup Exec more secure, the SLA can be changed to be a restricted account or can be deleted. However, if the SLA is deleted, the jobs in which it is used may fail. If the SLA is deleted, it can be recreated by performing the steps given below:

1. Select the Network | Logon Accounts menu option. The Logon Account Management dialog box will appear (Figure 1).

2. Click the System Account button on the right, which brings up the dialog shown in Figure 2.

3. In the Edit Logon Credentials screen, enter the User name in the format <domain name>\<user name>.

4. Select the This is my default Logon account check box and click OK.

5. This will create the System Logon Account (Figure 3).

How to delete a Backup Exec 9.x, 10.x, 11.x, 12.x logon account
Problem

How to delete a Backup Exec 9.x, 10.x, 11.x, 12.x logon account

Solution

Backup Exec logon account overview

A logon account enables Backup Exec (tm) to access resources for backup. A Backup Exec logon account stores the credentials of a Windows user account. It enables Backup Exec to manage user names and passwords and can be used to browse resources or process jobs. Backup Exec logon accounts are used to browse local and remote resources.

Backup Exec logon accounts are not Windows user accounts. When a Backup Exec logon account is created, an entry for the account is entered into the Backup Exec database; no operating system accounts are created. If Windows user account credentials change, the Backup Exec logon account will need to be manually updated with the new information. Backup Exec does not maintain a connection with the Windows user account.

To delete a Backup Exec logon account, follow the instructions given below:

1. Select the Network | Logon Accounts menu option. The Logon Account Management dialog box will appear (Figure 1).
2. Select the Backup Exec logon account to delete, and then click Delete (Figure 1).
3. Click Yes to confirm the deletion.

The Backup Exec logon account is removed from the Backup Exec logon account list.

The Backup Exec logon account cannot be deleted when it is:

1. Being referenced by a job
2. Owned by a user who is logged on to the media server
3. Set as the default Backup Exec logon account of a user who is logged on to the media server

Trying to delete a Backup Exec logon account that matches any of the criteria given above will result in the Delete button appearing grayed out (Figure 2).

A Backup Exec logon account can only be deleted when the owner is logged off, and all users who have it set as their default logon account are logged off.

How to change the designated logon account for a selected resource.


Problem

How to change the designated logon account for a selected resource.

Solution
A logon account enables Backup Exec to access a resource for backup. The specified account can be changed as needed to accommodate new accounts or changed passwords. To change a logon account, perform the following:

1. On the navigation bar, click Backup Job.
2. Select the data for backup (Figure 1).
3. On the Properties pane, under Source, click Resource Credentials (Figure 2).
4. Select the resource for which the logon account has to be changed.
5. Click Change from the right pane (Figure 3).
6. Select the logon account to use for this backup selection, or click New and create a new logon account (Figure 4).
7. Click OK to confirm (Figure 5).

After an appropriate logon account is selected, the job is executed using that account. Note: While selecting the remote machine for backup, Backup Exec may display the Logon Account Selection dialog box (Figure 4). Select an appropriate logon account that matches the logon credentials of the remote machine. If the account does not exist, then create a new account that matches the logon credentials of the selected machine for backup.

What rights does the Backup Exec service account need?


Problem

What rights does the Backup Exec service account need?

Solution

All Backup Exec (tm) services on the media server run in the context of a user account configured for Backup Exec system services. This account can be created during the Backup Exec installation, or an existing user account can be used. To create a service account for Backup Exec during installation, supply a user name and password when prompted.

If this computer is in a domain, enter a Domain Administrators account, or an equivalent account that is part of the Domain Admins group. In the Domain list, select or enter the Domain name.

If this computer is in a workgroup, enter an Administrators account, or an equivalent account that is part of the Administrators group on the computer. In the Domain list, select or enter the computer name.

Note: Due to security implementations in Microsoft Small Business Server, the service account must be Administrator.

Backup Exec account must have the following rights:

Act as part of the operating system
Backup files and directories
Create a token object
Logon as a batch job (Windows 2008 only)
Logon as a service
Manage auditing and security log
Restore files and directories
Take ownership of files and other objects

Also make sure the account is not added under:

Deny logon as a service
Deny logon as a batch

This is important because the DENY takes precedence over allow. The account should have its Primary role as Domain Admin in Active Directory.

Please review www.symantec.com/docs/TECH136148 for 'How to define/grant the required user rights for a Backup Exec Service Account (BESA) in Default Domain Controller Group Policy object'.

Please review www.symantec.com/docs/TECH130255 for other rights required for each Agent / Option being used.

How to define/grant the required user rights/permissions for a Backup Exec Service Account ( BESA )
Problem
The backup selections show All Resources with nothing available for selection beneath as shown in Figure 1.

Error

Connection with server failed. Hit <F5> to retry when trying to edit/create a backup job on Windows 2008 server

Cause

[ A ] The password set for the Backup Exec System Logon Account (network > logon accounts) or the Backup Exec Service Account (BESA) does not match the password set in Active Directory.

[ B ] If the BESA does not have the right to Logon as a batch job. By default this policy is applied to Administrators and the Backup Operators group. This user right is defined in the default Domain Controller's Group Policy object (GPO) and in the Local Security Policy of workstations and servers, and it allows a user to be logged on by means of a batch-queue facility.

For more information on this user right, refer to: http://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx

[ C ] If the BESA is included in Deny logon as a batch job policy. 'Deny logon as a batch job' determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, there are no users denied logon as a batch job.

For more information on this user right, refer to: http://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx

[ D ] This issue may occur due to lack of permissions. If the Backup Exec Logon Account is not a member of local administrators or is a member of some group that has restrictions, a connection cannot be made to the resources available for selection.

[ E ] This issue may occur if the Remote Agent for Windows Server (RAWS) service is stopped. As the Job Engine service is dependent on RAWS, the Job Engine service will also be stopped.

Solution
[ A ] Reset the password for the Backup Exec System Logon Account (network > logon accounts) and/or the Backup Exec Service Account (Tools > Backup Exec services > Services Credentials) to match the password set in Active Directory.

[ B ] All Backup Exec (tm) Services on the media server, with the exception of the Backup Exec Remote Agent, run in the context of a user account configured for Backup Exec System Services. This account can be created during the Backup Exec installation, or an existing user account can be used. To create a service account for Backup Exec during installation, supply a user name and password when prompted. The account designated for Backup Exec services, whether it is a new account or an existing user account, will require the following rights:

Act as part of the operating system
Backup files and directories (provides rights to backup files and directories)
Create a token object (which can be used to access any local resources)
Log on as a batch job (allows a user to be logged on by means of a batch-queue facility)
Log on as a service
Manage auditing and security log
Restore files and directories (provides rights to restore files and directories)
Take ownership of files and other objects

For more information on any of the above User Rights Assignment please refer to: http://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx

Note: Due to security implementations in Microsoft Small Business Server, the service account must be "Administrator"

For Windows Server 2003:

1. On the domain controller, click Start | Programs | Administrative Tools | Active Directory Users and Computers.
2. From the left pane, expand the Domain name, and right-click Domain Controllers organizational unit, and then select Properties.
3. Select the Group Policy tab.
4. Select the Default Domain Controllers Policy and then click Edit (Figure 2).
5. From the left pane, expand Computer Configuration and go to Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignments.

For Windows Server 2008:

1. Go to Start | Programs | Administrative Tools | Group Policy Management.
2. From the left pane, expand Domains | Domain_Name | Group Policy Objects.
3. Right click on Default Domain Controllers Policy and click on Edit.
4. From the left pane, expand Computer Configuration and go to Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignments.

Define the required user rights:

1. From the right pane, double-click Act as part of the operating system.
2. Click Add.
3. For the user and group names, click Browse.
4. Select the new desired user account, click Add, and then click OK (Figure 3).
5. Click OK, and then click OK again.
6. Repeat steps 1 through 5 for the remaining policies.

[ C ] Make sure the BESA is NOT included in the 'Deny Logon as a Batch' or 'Deny Logon as a service' because the deny supersedes the allow and even adding the account under 'Logon as a Batch' or 'Logon as a service' would not resolve the issue (Figure 4).

Refresh the group policy: click Start > Run and type gpupdate /force (this will force update the Group Policy).

[ D ] Make sure BESA has all the required permissions.

1. Check the permissions for the Backup Exec System Account (BESA), which shows under Network - Logon Accounts. Make sure it is a member of the local administrator group (built in admins) if applicable, and domain admins. Remove this account from any groups that do not have full administrative rights.
2. If performing the above steps does not resolve the issue, create a new user account in Active Directory and add it to the following groups:

Domain Admins (Primary Group)
Local Admins or Administrators
Remove Domain Users from the list.

Then use this new account for Backup Exec services, add it under Network - Logon Accounts and make it the default account.

Note: This applies to Windows Server 2008 (Domain controller and member servers) as well.

[ E ] Make sure all Backup Exec services are started.
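
A scripted check for causes [ B ] and [ C ] above, as an added example that is not part of the original TechNote: it parses the [Privilege Rights] section of a secedit user-rights export and reports which of the listed rights the service account lacks and whether a deny right applies to it. The function names, the SIDs and the sample export are constructed for illustration; the caller is assumed to supply the account's SID together with the SIDs of its groups.

```powershell
# Added example (not Symantec code). On a real host, from an elevated prompt:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#   $lines = Get-Content C:\Temp\rights.inf

# Rights the page lists for the service account, keyed by secedit constant name.
$RequiredRights = [ordered]@{
    SeTcbPrivilege           = 'Act as part of the operating system'
    SeBackupPrivilege        = 'Backup files and directories'
    SeCreateTokenPrivilege   = 'Create a token object'
    SeBatchLogonRight        = 'Log on as a batch job'
    SeServiceLogonRight      = 'Log on as a service'
    SeSecurityPrivilege      = 'Manage auditing and security log'
    SeRestorePrivilege       = 'Restore files and directories'
    SeTakeOwnershipPrivilege = 'Take ownership of files and other objects'
}
# Deny rights that take precedence over the matching allow right.
$DenyRights = [ordered]@{
    SeDenyBatchLogonRight   = 'Deny log on as a batch job'
    SeDenyServiceLogonRight = 'Deny log on as a service'
}

function ConvertFrom-PrivilegeRights {
    # Returns a hashtable: right name -> array of holders (SIDs without the '*').
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        $name, $value = $t -split '=', 2
        if ($null -eq $value) { continue }
        $rights[$name.Trim()] = @($value -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ })
    }
    return $rights
}

function Get-RightHolder {
    # Which of the supplied identities are listed under the given right.
    param([hashtable]$Rights, [string]$Right, [string[]]$Identities)
    if (-not $Rights.ContainsKey($Right)) { return }
    $Rights[$Right] | Where-Object { $Identities -contains $_ }
}

function Test-BesaUserRights {
    # $Identities: the account's SID plus the SIDs of every group it belongs to.
    param([hashtable]$Rights, [string[]]$Identities)
    foreach ($right in $RequiredRights.Keys) {
        $via = @(Get-RightHolder -Rights $Rights -Right $right -Identities $Identities)
        $status = if ($via.Count -gt 0) { 'Granted' } else { 'MISSING' }
        [pscustomobject]@{ Right = $right; Policy = $RequiredRights[$right]
                           Status = $status; Via = $via -join ',' }
    }
    foreach ($right in $DenyRights.Keys) {
        $via = @(Get-RightHolder -Rights $Rights -Right $right -Identities $Identities)
        $status = if ($via.Count -gt 0) { 'DENIED (overrides allow)' } else { 'Not denied' }
        [pscustomobject]@{ Right = $right; Policy = $DenyRights[$right]
                           Status = $status; Via = $via -join ',' }
    }
}

# Constructed sample export: S-1-5-32-544 is Administrators, S-1-5-32-551 is
# Backup Operators, and the S-1-5-21-...-1105 SID is a made-up service account.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeSecurityPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyBatchLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$rights = ConvertFrom-PrivilegeRights -Lines $sampleInf
$besa = 'S-1-5-21-1111111111-2222222222-3333333333-1105', 'S-1-5-32-544'
Test-BesaUserRights -Rights $rights -Identities $besa | Format-Table -AutoSize
```

On the sample, Act as part of the operating system and Create a token object come back MISSING, and Log on as a batch job shows as Granted through Administrators while Deny log on as a batch job also applies to the account, which is the cause [ C ] situation.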

Understanding Logon Accounts and required User Rights Assignment to resolve connection, backup or restore failures
Problem

If the account that Backup Exec 2010 uses to attach to a resource for a backup or restore operation does not have the required permissions, the following error can occur:

Error

Access Denied, Cannot Attach to Resource

Solution
Click on one of the topic links below to find out more specific information about it and how to potentially resolve connectivity, backup, and restore failures in Backup Exec 2010:

Logon Account User Rights

Definitions

Installation

Backup Devices

NTFS Volume Data

Exchange Agent

SQL Agent

SharePoint Agent

Active Directory Agent

Hyper-V Agent

AVVI (Agent for VMware Virtual Infrastructure)

Oracle Agent

Lotus Agent

Enterprise Vault Agent

File System and Exchange Archiving Option

RALUS (Remote Agent for Linux or Unix Servers)

RMALS (Remote Media Agent for Linux or Unix Servers)

RAMS (Remote Agent for Macintosh Systems)

RANW (Remote Agent for Netware Systems)

SAP Agent

CPS (Continuous Server Protection) Option

CASO (Central Administration Server) or SSO (Shared Storage Option)

Summary

About Logon Account User Rights in Backup Exec 2010:

Symantec Backup Exec 2010 provides the facility to save and maintain multiple logon accounts. These logon accounts are used when performing various operations in the Backup Exec interface. Logon accounts are used for the following: internal application functions such as the communication between Backup Exec Services and the Backup Exec Database; application configuration tasks such as creating and configuring backup-to-disk folders; and data selection for the purposes of creating selection lists, backing up and restoring data.

The logon accounts maintained in Backup Exec (other than the account used for the Backup Exec services) are independent of accounts maintained locally, or centrally, on Windows, Mac, Linux, Active Directory or other operating systems or directory services applications. For the logon accounts in Backup Exec to function as intended they must correspond to accounts on the local Windows system, Active Directory or remote systems, as is appropriate, and be given rights assignments to access data and system objects as necessary.

NOTE: since the BE accounts are independent of the systems they interact with, care should be taken to maintain account settings and passwords as needed. Changes to accounts in Backup Exec do not effect change to the related accounts on the Windows system, Active Directory or remote systems.

Definitions:

1. Logon account for Backup Exec Services - by default this is the account specified during installation and is assigned to all the BE services other than the Backup Exec Error Recording Service and the Backup Exec Remote Agent for Windows Systems service, which run as the Local System account. NOTE: these services can be configured from the Backup Exec Services Manager, which can be launched from the BE UI status bar or Tools Menu.
2. System logon account - This account is used to perform application specific configuration tasks such as copying jobs and using the BE Command Line Applet. By default, this is the same account that was specified during installation and is also used as the account for the Backup Exec services.
3. Default logon account - This is the account that is set as the default logon account in Backup Exec for the user currently using the Backup Exec User interface. In other words, it is the account in Backup Exec that is tied to the local or Domain logon you used to log on to the system hosting the Backup Exec application. Again, by default, this is the account that you specified when installing the Backup Exec application and is the account used by the Backup Exec services and specified as the System logon account.

About Backup Exec Installation and rights assigned to the Backup Exec Service Account:

For installation of Backup Exec you must be logged in with an account that has Administrative rights on the server. This is so that the installation routine can access the file system, registry and backup devices to make necessary configuration changes. As part of the installation process an account must be specified for the Backup Exec services; this account must have local administrative rights on the server. By default, during the installation process, the account specified for the Backup Exec services is assigned the right to "logon as a service" locally, or on the domain, as is appropriate. The service account will also be granted full rights to the BEDB SQL database that is created during the install. The account specified will be used by all Backup Exec services other than the Backup Exec Error Recording Service and the Backup Exec Remote Agent for Windows Systems; these services will use the Local System account by default. For proper functionality the services using the Local System account should be left configured in this manner.

Note: if the BEDB database is hosted on a server other than the local Backup Exec Media Server, the account will also have to be a member of the Domain Admins group. The System Account specified in the Backup Exec Logon Accounts Management utility should have the same rights as the service account for best functionality. Best practice: make the System Account the same account as the service account.

About Logon Rights and Backup Devices:

Backup Devices are accessed using the credentials assigned to the Backup Exec Services. Since Backup Exec cannot pass unique credentials to backup devices, care should be taken to ensure that external devices (such as NAS devices) can accept the service credentials or have an equivalent account with appropriate rights. Also, Backup-to-Disk folders should have appropriate rights assigned for the resources being protected to that target device. (Example: when Exchange backup sets are sent to a B2D folder, the user specified will require appropriate Domain and Exchange Server access rights on that folder for GRT (Granular Restore Technology) to function properly.)

About logon rights required to protect NTFS volume data:

Backup Exec requires either membership in the Backup Operators group, or Administrators group to protect NTFS file data. Specifically, Backup Exec requires the following rights:

1. Backup files and directories
2. Restore files and directories
3. Allow log on locally (Windows 2000, 2003 and XP only)
4. Logon as Batch (Windows 2008/Vista and above)

Best Practice (for ease of use): Make the primary account in BE used to create selection lists and backup jobs a member of the Domain Admins or domain Administrators group.

About logon rights required to protect Microsoft Exchange data:

Backup Exec 2010 requires the following rights to protect Exchange data:

1. For non-GRT backups (database only with no granular restore functionality) the logon account specified must be a member of the local Backup Operators group on the Exchange server.
2. For database only restores (database only with no granular restore functionality) the logon account specified must be a member of the local Administrators group on the Exchange server.
3. For GRT (Granular Restore Technology) enabled backups to disk (where the disk device is local to the BE Media Server and in the same domain) the logon account specified must be a member of the local Administrators group on the Exchange server.
4. For GRT backups to a tape device and ALL GRT restore operations, from tape or disk, the logon account specified must be a member of the local Administrators group on the Exchange server. In addition, the logon account must have a unique mailbox and the mailbox can NOT be hidden from the Global Address List. For Exchange 2003 the account must also be granted the Exchange Administrator, or Exchange Full Administrator role. On Exchange 2007 and 2010 servers the account must be granted the Exchange Organization Administrator role. Finally, for Exchange 2010 the account must also have the Administrator role on the AD Domain for AD access as part of the GRT operations.

Best Practice (for ease of use): Make the account in Backup Exec for Exchange backup and restore operations a member of the Domain Admins group and grant that account the Exchange Full Administrator or Exchange Organization Administrator role (as is appropriate for the version of Exchange). Also make sure the account has a unique mailbox visible in the GAL and can send and receive mail.

About logon rights required to protect Microsoft SQL data:

Backup Exec 2010 requires the following rights to protect SQL data: The account used to protect Microsoft SQL data should have Administrator rights on the SQL server as well as the SQL databases. This is necessary specifically for SQL database restore procedures, where the SQL services or cluster groups may need to be controlled as part of the restore operation.

About logon rights required to protect Microsoft SharePoint data:

1. For SharePoint backup and restore operations the account specified in Backup Exec must have local administrator rights on all the servers participating in the SharePoint farm and must be an administrator on the associated SQL databases.
2. For the purpose of SharePoint GRT item restores the account must also be granted the Site Collection Administrator role on the SharePoint site.

Best Practice (for ease of use): Make the account a member of the Domain Admins group in the domain where the SharePoint farm is located and grant the account the Site Collection Admin role in SharePoint.

For additional information, review the following: Pre-requisites for Backup Exec Service Account (BESA) to backup Microsoft Office SharePoint Server (MOSS) 2007 http://www.symantec.com/docs/TECH75907

About logon rights required to protect Microsoft Active Directory data:

All backup and restore operations performed against a Microsoft Active Directory domain database, including GRT restore operations, require the account used to be a member of the Domain Admins group.

About logon rights required to protect Microsoft Hyper-V virtual machine data: Microsoft Hyper-V virtual machine data protection requires that the account be a member of the local Administrators group on the Hyper-V host. For App-GRT operations (Application GRT, wherein any Microsoft databases which have Backup Exec Agent support are able to be restored using the GRT functionality when backed up as part of a virtual machine) the account used must have local administrator rights on the virtual system as well as the rights specified for the specific agent required. See other related sections of this document for additional detail as is appropriate.

About logon rights required to protect VMware virtual machine data (also referred to as AVVI, Agent for VMware Virtual Infrastructure):

The following specific rights are required for backup operations (as specified on the Virtual Center server or the ESX host as is appropriate):

1. VMware Consolidated Backup User role, which comprises the following rights:
   a. Virtual Machine Configuration: Disk Change Tracking and Disk Lease
   b. Virtual Machine Provisioning: Allow read-only disk access and Allow virtual machine download
   c. Virtual machine state: Create snapshot and Remove snapshot

The following specific rights are required for restore operations (as specified on the Virtual Center server or the ESX host as is appropriate):

1. Resource: Assign virtual machine to resource pool
2. Virtual machine > Configuration:
   a. Add existing disk
   b. Add new disk
   c. Add or Remove device
   d. Advanced
   e. Change CPU count
   f. Change Resource
   g. Disk change Tracking
   h. Disk Lease
   i. Host USB device
   j. Memory
   k. Modify device setting
   l. Raw device
   m. Reload from path
   n. Remove disk
   o. Rename
   p. Reset guest information
   q. Settings
   r. Swapfile placement
   s. Upgrade virtual hardware
3. Virtual machine > Interaction:
   a. Power Off
   b. Power On
   c. Virtual machine > Inventory
   d. Create new
   e. Register
   f. Remove
   g. Unregister
4. Virtual machine > Provisioning:
   a. Allow read-only disk access
   b. Allow virtual machine download
5. Virtual machine > State:
   a. Create snapshot
   b. Remove snapshot
   c. Revert to snapshot

About logon rights required to protect VMware virtual machine database application data (also referred to as Application GRT):

Backup Exec allows the granular restore of database data back to virtual machines under specific circumstances. The data must come from a Microsoft Active Directory, Exchange or SQL database. The version of the database must be supported in the current version of the product. In addition to the rights required to protect the virtual machine, the account used must also have administrator rights and the appropriate rights pertinent to the application on the virtual system. In other words, the account specified in BE to access the VM must also have all the necessary rights to fully protect the Active Directory, Exchange or SQL database present on the target system, just as if the Agent for Windows Systems was used. Please see above sections for required rights for specific database applications.

About logon rights required to protect Oracle database data:

If the target database is running on Windows the account specified must be a member of the local administrators group. On Linux the user must be a member of the beoper group. The account specified must also have SYSDBA rights on the Oracle instance being protected.

About logon rights required to protect Lotus Notes data:

The Agent for Windows Servers on the Lotus server must be running as the Local System account (default). The account specified should also have backup and restore privileges and file creation rights on the Lotus database.

About logon rights required to protect Symantec Enterprise Vault data:

To protect Enterprise Vault (EV) databases, including Compliance and Discovery Accelerator, the account specified can have any one of the following credentials:

1. The Vault Service account
2. Domain Admin group membership and Admin role on the Enterprise Vault instance
3. A Domain account with the following:
   a. Administrators group membership on all participating EV servers
   b. Backup Operators group membership on servers hosting EV databases
   c. Admin role on Vault Store and Index locations

4. Admin role in EV should include: EVT Manage Vault Store Backup Mode and EVT Manage Index Location Backup Mode

About logon rights required to protect Windows File System and Exchange resources with the BE Archiving Option:

1. The account specified should also be the BE service account.
2. The account must be a domain member.
3. For file system archiving the BE service account should have the following:
   a. Local administrator rights on the target server
   b. Full Control share permissions on shares selected for archiving
   c. NTFS rights on shared directory selected: Modify, List Folder Contents, Read and Write
4. For Exchange mail archiving the BE service account should have the following:
   a. At the Organization level, or Exchange server level, Allow setting for all permissions (or 'All' setting for 2007)
   b. Send As and Receive As rights on the mailbox designated as the Archiving 'System' mailbox (NOT the "System Mailbox" as specified on the Exchange server)
5. If the media server and the protected resources are in different domains the following trust relationships should exist:
   a. The media server domain, and the Exchange and File Server domains must trust the domain that the Backup Exec service account belongs to
   b. The media server domain must trust the domains that contain the accounts of users whose mailboxes reside on the Exchange Servers, and that access the archived file shares and folders

About logon rights required to protect data on Linux systems using the Remote Agent for Linux or Unix Servers (RALUS):

The logon account specified must exist on the Linux/Unix target server and must be a member of the Backup Exec Operators (or 'beoper') group to perform a Backup or a Restore Operation. (This restriction applies even to the super user, or "root" account.) To perform a Delete Operation after a successful backup (i.e. to do the "backup and delete the files" operation), the logon account selected must be that of the super user.

About logon rights required for the Remote Media Agent for Linux or Unix Servers (RMALS):

Beremote.exe must run as "root". Jobs can run with lower rights as long as the user specified is a member of the beoper group.

About installation of the Agent on Linux/Unix/Macintosh systems:

Install requires the user to be "root" to install the agent to the local or remote machines. Modification to system configuration and group files requires "root" user privileges during the installation process.

About logon rights required to protect data on Apple Macintosh systems using the Remote Agent for Macintosh Systems (RAMS):

The logon account used must be a member of the "admin" group to perform a Backup or Restore Operation. To perform a Delete Operation after a successful backup (i.e. to do the "backup and delete the files" operation), the logon account used must be that of the super user.

About logon rights required to protect data on Netware systems using the Remote Agent for Netware Systems (RANW):

The Remote Agent for NetWare requires no special login or service account to operate. Full access rights to the host server are implied by virtue of the Remote Agent being loaded from the host server console. User rights appropriate to particular tasks are required to perform those tasks. For example, for file system backups a user must have Read, File Scan, Modify, and Access Control rights to all files they wish to back up. To back up the Novell Directory Services tree, a user must have Supervisor rights (which implies all other rights) to the tree's Root.

About logon rights required to protect SAP databases using the Backup Exec Agent for SAP applications:

SAP backup/restores are DBA initiated operations, so there is no browse for SAP database. Backup Operator rights are the minimum required to submit a SAP job. The DBA can be the same as the account used for SAP job submission, or you can provide any other account that has backup/restore privileges on the SAP server. In addition, the account specified must have appropriate privileges on both the SAP and Backup Exec media servers to be able to back up and restore data. The Backup Exec service account must have the following:

Access to selections in the jobs that are submitted by the BACKINT interface
Rights to the volumes on which the selections are contained

About logon rights assigned to services for the proper functioning of the Backup Exec CPS (Continuous Server Protection) Option:

BE CPS services run with the following default configuration. This configuration should be preserved for proper functionality.

CPS Protection Agent service runs as user belonging to local/Domain Administrator group
CPS Config writer service runs as user belonging to local/Domain Administrator group
CPS Database service runs as Local System
CPS Indexing service runs as Local System
CPS Management Service must run as a user that is a member of the local/Domain Administrator group
CPS Network Helper service runs as Local System
CSPS System State Manager service must run as a user that is a member of the local/Domain Administrator group
CPS Filter driver runs in the kernel space to have full access to all protected resources

About additional logon rights considerations for a BE Central Administration Server (CASO) or Shared Storage Option (SSO) server environment:

The Backup Exec service account must have Domain Admin group membership. The BEDB database requires the Backup Exec service account to be added as administrator on the BackupExec SQL Instance. In addition the Backup Exec service account requires the following rights:

1) Backup Files and Directories
2) Restore Files and Directories
3) Create a Token Object
4) Manage Auditing and Security Log
5) Take ownership of files and other objects
6) Act as part of the operating system (Windows 2000 only)

In Summary

In most cases, the rights specified here are the minimum rights required to perform the desired backup and restore operations. If a set of "best practices" is specified, it is intended as a way to give rights that will result in the desired operation being performed but with, most often, less restrictive rights than may be desirable. This is simply to provide a starting point for troubleshooting and fine tuning rights assignments. Where more restrictive rights are required the general recommendation would be to test the desired operation with the least restrictive rights and add restrictions until the operation fails. This article was also written to address permissions requirements for Backup Exec 2010 and all its options, though sections of this TechNote may apply to prior or future versions of the product.
