User Right Assignment Backup Exec 11d

Problem

How to change the System Logon Account credentials in Backup Exec if the password to the account is unknown.

Cause

  • The user account that is associated with the System Logon Account in Backup Exec may get locked out in Active Directory due to failed logon attempts with the old password
  • Backup jobs will fail due to authentication errors


 

Solution


For various reasons, the credentials stored in the Backup Exec System Logon Account may become unsynchronized from the actual domain or system credentials.  The problems that this can generate include:

 

  • The user account that is associated with the System Logon Account in Backup Exec may get locked out in Active Directory due to failed logon attempts with the old password
  • Backup jobs will fail due to authentication errors

In Backup Exec 2010 R3 and earlier versions, the Logon Accounts can be managed from Network Menu -> Logon Accounts.
For Backup Exec 2012 and later, the logon account management window is available in Configuration and Settings -> Logon Accounts -> Manage Logon Accounts.

To change the credentials stored in the Backup Exec System Logon Account, it is necessary to know the stored password.  If the password for the Backup Exec System Logon Account is unknown, no changes can be made to this account.  The System Logon Account will have to be deleted and recreated using the process outlined below.  

The System Logon Account shows up in the Network > Logon Accounts window.  If the System Logon Account is missing, click the button labeled System Account on the right-hand side of the window, because this account is required to communicate with the Backup Exec services.

Note: The Windows SYSTEM ACCOUNT and the Backup Exec System Logon Account are unrelated entities.  The Windows SYSTEM ACCOUNT is a special user account which does not have user-specified credentials.  The Backup Exec System Logon Account is a logon account that is user-specified during installation and required for proper Backup Exec functionality.  The button labeled System Account does not refer to the Windows account but is short for the Backup Exec System Logon Account.

Figure 1
 


Use the following steps to resolve the issue if the password on the System Logon Account is unknown:
 

1. Log in to the Backup Exec server using the account which shows as the Owner account for the System Logon Account.

2. From the Logon Account management window, create a new account (a dummy Example account, as shown in Figure 1).
 

3. Take note if the System Logon Account is the 'Default account', noted by a "Yes" in the Default column.
 

4. Delete the System Logon Account. This account cannot be deleted while it is marked as the 'Default account'.  Select the Example account to be the 'Default account' during these steps.
 

5. If prompted, choose to reassign the backup jobs to the account that was created in step 1.
 

6. Click the System Account button on the right.  This button is disabled if a System Logon Account exists (Figure 1).
 

7. Assign the correct credentials using DOMAIN\USERNAME format.
 

8. Depending on the setting noted in step 2, select the check box that says "This is my default logon account" and click OK.
 

9. Delete the user account created in step 1 and reassign the backup jobs to System Logon Account when prompted.
 


 

Often, the Backup Exec services use the same credentials as stored in the System Logon Account and may also need to be changed.  Use the following steps to change the service credentials:

 

1. In Backup Exec, go to Tools > Backup Exec Services and choose Services Credentials.
 

2. Put a check in Change service account information.
 

3. Enter the updated user credentials.
 

4. Restart the Backup Exec services.
 


 

 

 

Related Articles

Requirements for the Backup Exec Service Account (BESA).

Logon Failure error occurs when a non-administrator domain/local user tries to login to the Backup Exec console

Problem

The backup selections show All Resources with nothing available for selection beneath it, as shown in Figure 1.
 

Figure 1:

 

Error Message

Connection with server failed. Hit <F5> to retry when trying to edit/create a backup job on Windows 2008 server

 

Cause

[ A ] The password set for the Backup Exec System Logon Account (Network -> Logon Accounts) or the Backup Exec Service Account (BESA) does not match the password set in Active Directory.

[ B ] The BESA does not have the right to Log on as a batch job.

By default this policy is applied to Administrators and the Backup Operators group. This user right is defined in the default Domain Controller's Group Policy object (GPO) and in the Local Security Policy of workstations & servers and it allows a user to be logged on by means of a batch-queue facility.

For more information on this user right, refer to: 
http://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx

[ C ] The BESA is included in the Deny logon as a batch job policy.

'Deny logon as a batch job' determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, there are no users denied logon as a batch job.

 

[ D ] This issue may occur due to lack of permissions. If the Backup Exec Logon Account is not a member of local administrators or is a member of some group that has restrictions, a connection cannot be made to the resources available for selection.


[ E ] This issue may occur if the Remote Agent for Windows Server (RAWS) service is stopped. As the Job Engine service is dependent on RAWS, the Job Engine service will also be stopped.

 

Solution

[ A ] Reset the password for the Backup Exec System Logon Account (network > logon accounts) and/or the Backup Exec Service Account (Tools > Backup Exec services > Services Credentials) to match the password set in Active Directory.

 

[ B ] All Backup Exec (tm) Services on the media server, with the exception of the Backup Exec Remote Agent, run in the context of a user account configured for Backup Exec System Services. This account can be created during the Backup Exec installation, or an existing user account can be used. To create a service account for Backup Exec during installation, supply a user name and password when prompted. The account designated for Backup Exec services, whether it is a new account or an existing user account, will require the following rights:

  • Act as part of the operating system [ a.k.a. TcbPrivilege ].
  • Backup files and directories (provides rights to backup files and directories) [ a.k.a. BackupPrivilege ].
  • Create a token object (which can be used to access any local resources) [ a.k.a. TokenRightPrivilege ].
  • Log on as a batch job (allows a user to be logged on by means of a batch-queue facility) [ a.k.a. BatchLogonRight ].
  • Log on as a service [ a.k.a. ServiceLogonRight ].
  • Manage auditing and security log [ a.k.a. AuditPrivilege ].
  • Restore files and directories (provides rights to restore files and directories) [ a.k.a. RestorePrivilege ].
  • Take ownership of files and other objects [ a.k.a. TakeOwnershipPrivilege ].

For more information on any of the above User Rights Assignment please refer to : https://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx.


Note: Due to security implementations in Microsoft Small Business Server, the service account must be "Administrator".
 

 

For Windows Server 2003 :

1. On the domain controller, click Start | Programs | Administrative Tools | Active Directory Users and Computers.

2. From the left pane, expand the Domain name, and right-click Domain Controllers organizational unit, and then select Properties.

3. Select the Group Policy tab.

4. Select the Default Domain Controllers Policy and then click Edit (Figure 2).

Figure 2
 

5. From the left pane, expand Computer Configuration and go to Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignments.


For Windows Server 2008 :

1. Go to Start | Programs | Administrative Tools | Group Policy Management.

2. From the left pane, expand Domains | Domain_Name | Group Policy Objects.

3. Right click on Default Domain Controllers Policy and click on Edit. 

 

 

Ensure that the group policy being edited is set to Enforced; otherwise the changes will not apply.

4. From the left pane, expand Computer Configuration and go to  Windows Settings | Security Settings | Local Policies | User Rights Assignments.



5. From the right pane, right-click Create a token object.


6. Click "Add user or Group".



7. For the "Add user or Group" window, click Browse.


8. Type the desired user account to act as your Backup Exec System Account, then click Browse and then click Ok.

9. Back in the "Group Policy Management Editor", note that your Backup Exec System Account now has the "Create a token object" privilege.


10. Repeat steps 1 through 9 for any additional policies.
 

[ C ] Make sure the BESA is NOT included in 'Deny Logon as a Batch' or 'Deny Logon as a service', because the deny supersedes the allow, and even adding the account under 'Logon as a Batch' or 'Logon as a service' would not resolve the issue. (Figure 4)


Figure 4


Refresh the group policy

Click Start > Run and type gpupdate /target:computer /force (this will force an update of the Group Policy).
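
To confirm the outcome of [ B ] and [ C ] after the refresh, the following added example (not part of the original article) parses the [Privilege Rights] section of a secedit export and flags each required right the BESA lacks and each deny right it holds. The Se* names are the constants Windows writes for the policies listed above; Test-BesaRights is a hypothetical helper name, and the export text and account SID are constructed (S-1-5-32-544 and S-1-5-32-551 are the well-known Administrators and Backup Operators SIDs).

```powershell
# Added example; the export text and SIDs below are constructed samples.
# Real input: secedit /export /cfg rights.inf /areas USER_RIGHTS ; Get-Content rights.inf
$Required = [ordered]@{   # constant written by secedit = policy display name
    SeTcbPrivilege           = 'Act as part of the operating system'
    SeBackupPrivilege        = 'Backup files and directories'
    SeCreateTokenPrivilege   = 'Create a token object'
    SeBatchLogonRight        = 'Log on as a batch job'
    SeServiceLogonRight      = 'Log on as a service'
    SeSecurityPrivilege      = 'Manage auditing and security log'
    SeRestorePrivilege       = 'Restore files and directories'
    SeTakeOwnershipPrivilege = 'Take ownership of files and other objects'
}
$Deny = 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight'

function Test-BesaRights {           # hypothetical helper name
    param([string[]]$PolicyLines,    # lines of the exported .inf
          [string[]]$Principals)     # account SID/name plus SIDs of its groups
    $rights = @{}; $inSection = $false
    foreach ($line in $PolicyLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = $Matches[1] -eq 'Privilege Rights'
        } elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') })  # SIDs carry a leading '*'
        }
    }
    foreach ($name in @($Required.Keys) + $Deny) {
        $held   = [bool](@($rights[$name]) | Where-Object { $Principals -contains $_ })
        $isDeny = $Deny -contains $name
        [pscustomobject]@{
            Right   = $name
            Kind    = if ($isDeny) { 'Deny' } else { 'Allow' }
            Held    = $held
            Problem = ($held -eq $isDeny)   # missing allow right, or deny right present
        }
    }
}

$besa  = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed account SID
$lines = @'
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeSecurityPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeDenyBatchLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@ -split "`r?`n"
Test-BesaRights $lines @($besa, 'S-1-5-32-544') | Where-Object Problem | Format-Table
```

Pass the SIDs of the groups the account belongs to along with its own SID, since rights are usually granted to groups; a right that is absent from the export is assigned to no one.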

[ D ] Make sure BESA has all the required permissions

1. Check the permissions for the Backup Exec System Account ( BESA ) which shows under Network Logon Accounts.  Make sure it is a member of the local administrator group (built in admins) if applicable, and domain admins.  Remove this account from any groups that do not have full administrative rights. 

2. If performing the above steps does not resolve the issue, create a new user account in Active Directory and add it to the following groups:

  • Domain Admins (Primary Group)
  • Local Admins or Administrators
  • Remove Domain Users from the list.

Then use this new account for Backup Exec services, add it under Network - Logon Accounts and make it the default account.

Note: This applies to Windows Server 2008/R2 (Domain controller and member servers) as well.
 
[ E ] Make sure all Backup Exec services are started.

 

 

Related Articles

How to check user account permissions

Requirements for the Backup Exec Service Account (BESA).

Local and remote resources are not displayed for backup selection

What rights does the Backup Exec service account need?

Understanding Logon Accounts and required User Rights Assignment to resolve connection, backup or restore failures
