Understanding Backup Exec Logon Accounts and required User Rights Assignment to resolve connection, backup or restore failures
Problem
If a Backup Exec Logon Account does not have sufficient rights to access BEDB, perform backup and restore operation or attach to the target machine, then the following errors can occur:
Error Message
V-79-57344-39777 - The logon account that was provided does not have valid credentials
V-79-57344-3874 - An 'access denied' error may have occurred because the current user account does not have sufficient rights to retrieve credentials for the selected logon account from the Backup Exec database. Log off and log back on to Windows using a user account that has administrative rights, and then try to run Backup Exec again.
Error Code: E0000F22
Solution
Click on one of the topic links below to find out more specific information about it and how to potentially resolve connectivity, backup, and restore failures in Backup Exec:
Note: Group Managed Service Accounts (gMSA) is not supported by Backup Exec. Use a dedicated account with specified privileges as mentioned below.
AVVI (Agent for VMware Virtual Infrastructure)
RALUS (Remote Agent for Linux or Unix Servers)
RMALS (Remote Media Agent for Linux or Unix Servers)
CASO (Central Administration Server)
Summary
About Logon Account User Rights in Backup Exec:
Backup Exec provides the facility to save and maintain multiple logon accounts. These logon accounts are used when performing various operations in the Backup Exec interface. Logon accounts are used for the following: Internal application functions such as the communication between Backup Exec Services and the Backup Exec Database, application configuration tasks such as creating and configuring backup-to-disk folders and data selection for the purposes of creating selection lists, backing up and restoring data.
The logon accounts maintained in Backup Exec (other than the account used for the Backup Exec services) are independent of accounts maintained locally, or centrally, on Windows, Mac, Linux, Active Directory or other operating systems or directory services applications. For the logon accounts in Backup Exec to function as intended they must correspond to accounts on the local Windows system, Active Directory or remote systems, as is appropriate, and be given rights assignments to access data and system objects as necessary. Note: since the BE accounts are independent of the systems they interact with, care should be taken to maintain account settings and passwords as needed. Changes to accounts in Backup Exec do not effect change to the related accounts on the Windows system, Active Directory or remote systems.
Definitions:
1. Logon account for Backup Exec Services - by default this is the account specified during installation and is assigned to all the BE services other than the Backup Exec Error Recording Service and the Backup Exec Remote Agent for Windows Systems service which run as the Local System account. Note: these services can be configured from the Backup Exec Services Manager which can be launched from the BE UI status bar or Tools Menu.
2. System logon account - This account is used to perform application specific configuration tasks such as copying jobs and using the BE Command Line Applet. By default, this is the same account that was specified during installation and is also used as the account for the Backup Exec services.
3. Default logon account - This is the account that is set as the default logon account in Backup Exec for the user currently using the Backup Exec User interface. In other words, it is the account in Backup Exec that is tied to your local or Domain logon that you are logged on to the system with that is hosting the Backup Exec application. Again, by default, this is the account that you specified when installing the Backup Exec application and is the account used by the Backup Exec services and specified as the System logon account.
About Backup Exec Installation and rights assigned to the Backup Exec Service Account:
For installation of Backup Exec you must be logged in with an account that has Administrative rights on the server. This is so that the installation routine can access the file system, registry and backup devices to make necessary configuration changes.
As part of the installation process an account must be specified for the Backup Exec services, this account must have local administrative rights on the server. By default, during the installation process, the account specified for the Backup Exec services is assigned the right to "logon as a service" locally, or on the domain, as is appropriate. The service account will also be granted full rights to the BEDB SQL database that is created during the install. The account specified will be used by all Backup Exec services other than the Backup Exec Error Recording Service and the Backup Exec Remote Agent for Windows Systems, these services will use the Local System account by default. For proper functionality the services using the Local System account should be left configured in this manner.
Note: if the BEDB database is hosted on a server other than the local Backup Exec Media Server, the account will also have to be a member of the Local Administrators group on the SQL server. The System Account specified in the Backup Exec Logon Accounts Management utility should have the same rights as the service account for best functionality. Best practice: to make the System Account the same account as the service account.
About Logon Rights and Backup Devices:
Backup Devices are accessed using the credentials assigned to the Backup Exec Services. Since Backup Exec can not pass unique credentials to backup devices, care should be taken to ensure that external devices (such as NAS devices) can accept the service credentials or have an equivalent account with appropriate rights. Also, Backup-to-Disk folders should have appropriate rights assigned for the resources being protected to that target device. (Example: when Exchange backup sets are sent to a B2d folder, the user specified will require appropriate Domain and Exchange Server access rights on that folder for GRT (Granular Restore Technology) to function properly.
About logon rights required to protect NTFS volume data:
Backup Exec requires either membership in the Backup Operators group, or the Administrators group to protect NTFS file data. Specifically, Backup Exec requires the following rights:
1. Backup files and directories
2. Restore files and directories
3. Allow log on locally (Windows 2000, 2003 and XP only)
4. Logon as Batch (Windows 2008/Vista and above)
Best Practice (for ease of use): Make the primary account in BE used to create selection lists and backup jobs a member of the Local Administrators group for that resource.
About logon rights required to protect Microsoft Exchange data:
Backup Exec requires the following rights to protect Exchange data:
1. For non-GRT backups (database only with no granular restore functionality) the logon account specified must be a member of the local Backup Operators group on the Exchange server
2. For database only restores (database only with no granular restore functionality) the logon account specified must be a member of the local Administrators group on the Exchange server(s)
3. For GRT (Granular Restore Technology) enabled backups to disk (where the disk device is local to the BE Media Server and in the same domain) the logon account specified must be a member of the local Administrators group on the Exchange server(s)
4. For GRT backups to a tape device and ALL GRT restore operations, from tape or disk, the logon account specified must be a member of the local Administrators group on the Exchange server(s). In addition, the logon account must have a unique mailbox and the mailbox can NOT be hidden from the Global Address List. For Exchange 2003 the account must also be granted the Exchange Administrator, or Exchange Full Administrator role. On Exchange 2007 and later servers the account must be granted the Exchange Organization Administrator role. Finally, for Exchange 2010 and later the account must also have the Administrator role on the AD Domain for AD access as part of the GRT operations.
Best Practice(for ease of use): Make the account in Backup Exec for Exchange backup and restore operations a member of the Local Administrators group on the Exchange server(s) and grant that account the Exchange Full Administrator or Exchange Organization Administrator role (as is appropriate for the version of Exchange). Also make sure the account has a unique mailbox visible in the GAL and can send and receive mail.
About logon rights required to protect Microsoft SQL data:
Backup Exec requires the following rights to protect SQL data:
The account used to protect Microsoft SQL data should have Administrator rights on the SQL server as well as the SQL databases. This is necessary specifically for SQL database restore procedures, where the SQL services or cluster groups may need to be controlled as part of the restore operation.
About logon rights required to protect Microsoft SharePoint data:
1. For SharePoint backup and restore operations the account specified in Backup Exec must have local administrator rights on all the Servers participating in the SharePoint farm as well as an administrator on the associated SQL databases
2. For the purpose of SharePoint GRT item restores the account must also be granted the Site Collection Administrator role on the SharePoint site
Best Practice (for ease of use): Make the account a member of the Local Administrators group on each server inthe SharePoint farm and grant the account the Site Collection Admin role in SharePoint. For additional information, review the following:
Pre-requisites for Backup Exec Service Account (BESA) to backup Microsoft Office SharePoint Server
https://www.veritas.com/support/en_US/article.100022309
About logon rights required to protect Microsoft Active Directory data:
All backup and restore operations performed against a Microsoft Active Directory domain database, including GRT restore operations, require the account used to be a member of the Domain Admins group for the domain database server's domain.
About logon rights required to protect Microsoft Hyper-V virtual machine data:
Microsoft Hyper-V virtual machine data protection requires that the account be a member of the local Administrators group on the Hyper-V host. For App-GRT operations (Application GRT, wherein any Microsoft databases which have Backup Exec Agent support are able to be restored using the GRT functionality when backed up as part of a virtual machine) the account used must have local administrator rights on the virtual system as well as the rights specified for the specific agent required. See other related sections of this document for additional detail as is appropriate.
About logon rights required to protect VMware virtual machine data (also referred to as AVVI, Agent for VMware Virtual Infrastructure):
Please refer to the contents of 000007044 for this information
https://www.veritas.com/docs/docs/000007044
About logon rights required to protect VMware virtual machine database application data (Also referred to as Application GRT)
Backup Exec allows the granular restore of database data back to virtual machines under specific circumstances. The data must come from a Microsoft Active Directory, Exchange or SQL database. The version of the database must be supported in the current version of the product. In addition to the rights required to protect the virtual machine, the account used must also have Administrator rights and the appropriate rights pertinent to the application on the virtual system. In other words, the account specified in BE to access the VM must also have all the necessary rights to fully protect the Active Directory, Exchange or SQL database present on the target system, just as if the Agent for Windows Systems was used. Please see above sections for required rights for specific database applications.
About logon rights required to protect Oracle database data:
If the target database is running on Windows the account specified must be a member of the local Administrators group. On Linux the user must be a member of the beoper group. The account specified must also have SYSDBA rights on the Oracle instance being protected.
About logon rights required to protect Veritas Enterprise Vault data:
To protect Enterprise Vault (EV) databases, including Compliance and Discovery Accelerator, the account specified can have any one of the following credentials:
1. The Vault Service account
2. Local Administrators group membership and Admin role on the Enterprise Vault instance
3.. A Domain account with the following:
a. Administrators group membership on all participating EV servers
b. Backup Operators group membership on servers hosting EV databases
c. Admin role on Vault Store and Index locations
4. Admin role in EV should include: EVT Manage Vault Store Backup Mode and EVT Mange Index Location Backup Mode
About logon rights required to protect data on Linux systems using the Remote Agent for Linux or Unix Servers (RALUS):
The logon account specified must exist on the Linux/Unix target server and must be a member of the Backup Exec Operators (or 'beoper' ) group to perform a Backup or a Restore Operation. (This restriction applies even to the super user, or "root" account).
To perform a Delete Operation after a successful backup (i.e. to do the 'backup and delete the "files" operation), the logon account selected must be that of the super user.
About logon rights required for the Remote Media Agent for Linux or Unix Servers (RMALS):
Beremote.exe must run as "root".
Jobs can run with lower rights as long as the user specified is a member of the beoper group.
About installation of the Agent on Linux/Unix/Macintosh systems:
Install requires the user to be "root" to install the agent to the local or remote machines. Modification to system configuration and group files require "root" user privileges during installation process.
About additional logon rights considerations for a BE Central Administration Server (CASO)
The Backup Exec service account must have Local Administration group membership. The BEDB database requires the Backup Exec service account to be added as Administrator on the BackupExec SQL Instance.
In addition the Backup Exec service account requires the following rights:
1) Backup Files and Directories
2) Restore Files and Directories
3) Create a Token Object
4) Manage Auditing and Security Log
5) Take ownership of files and other objects
6) Act a part of the operating system (Windows 2000 only)
In Summary
In most cases, the rights specified here are the minimum rights required to perform the desired backup and restore operations. If a set of "best practices" is specified, it is intended as a way to give rights that will result in the desired operation being performed but with, most often, less restrictive rights than may be desirable. This is simply to provide a starting point for troubleshooting and fine tuning rights assignments. Where more restrictive rights are required the general recommendation would be to test the desired operation with the least restrictive rights and add restrictions until the operation fails. This article was also written to address permissions requirements for the current Backup Exec version and all its options, though sections of this article may apply to prior or future versions of the product.
References
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.