How to define/grant the required user rights/permissions for a Backup Exec Service Account (BESA)

Article: 100002431
Last Published: 2021-05-27
Ratings: 2 0
Product(s): Backup Exec

Problem

Backup Selection browse fails with error "Failure to browse server"

Or

The backup selections show All Resources with nothing is available for selection beneath as shown in Figure 1.
 
Figure 1:

 

Error Message

Backup Selection browse fails with error "Failure to browse 'server'. Failed to log on to Microsoft Windows."

Connection with server failed. Hit <F5> to retry when trying to edit/create a backup job on Windows 2008 server

 

Cause

[ A ] The password set for the Backup Exec System Logon Account (Network -> Logon Accounts) or the Backup Exec Service Account (BESA) does not match to the password set in Active Directory or for the local administrator user account section.

[ B ] If the BESA does not have the right to Logon as a batch job.

By default this policy is applied to Administrators and the Backup Operators group. This user right is defined in the default Domain Controller's Group Policy object (GPO) and in the Local Security Policy of workstations & servers and it allows a user to be logged on by means of a batch-queue facility.

For more information on this user right, refer to: 
http://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx

[ C ] If the BESA is included in Deny logon as a batch job policy.

'Deny logon as a batch job' determines which accounts are prevented from being able to log on as a batch job. This policy setting supercedes the Log on as a batch job policy setting if a user account is subject to both policies. 

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, there are no users denied logon as a batch job.
 
[ D ] This issue may occur due to lack of permissions. If the Backup Exec Logon Account is not a member of local administrators or is a member of some group that has restrictions, a connection cannot be made to the resources available for selection.


[ E ] This issue may occurs if the Remote Agent for Windows Server (RAWS) service is stopped. As the Job engine service is dependent on RAWS, the Job Engine service will also be stopped.

 

Solution
 

Note: Backup Exec Service account can be set to a user with local administrator rights. 

[ A ] Reset the password for the Backup Exec System Logon Account (network > logon accounts) and/or the Backup Exec Service Account (Tools > Backup Exec services > Services Credentials) to match the password set in Active Directory or that of the Local Administrator user account.
 
[ B ] All Backup Exec (tm) Services on the media server, with the exception of the Backup Exec Remote Agent, run in the context of a user account configured for Backup Exec System Services. This account can be created during the Backup Exec installation, or an existing user account can be used. To create a service account for Backup Exec during installation, supply a user name and password when prompted. The account designated for Backup Exec services, whether it is a new account or an existing user account, will require the following rights:
  • Act as part of the operating system [ a.k.a. TcbPrivilege ].
  • Backup files and directories (provides rights to backup files and directories) [ a.k.a. BackupPrivilege ] .
  • Create a token object (which can be used to access any local resources)    [ a.k.a. TokenRightPrivilege].
  • Log on as a batch job (allows a user to be logged on by means of a batch-queue facility)  [ a.k.a. BatchLogonRight ].
  • Log on as a service  [ a.k.a. ServiceLogonRight ].
  • Manage auditing and security log [ a.k.a. AuditPrivilege ].
  • Restore files and directories (provides rights to restore files and directories  [ a.k.a. RestorePrivilege ].
  • Take ownership of files and other objects [ a.k.a TakeOwnershipPrivilege ].
For more information on any of the above User Rights Assignment please refer to : https://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx.

Note: Due to security implementations in Microsoft Small Business Server, the service account must be "Administrator".
 
Veritas Quick Assist (VQA) can test the Backup Exec Service Account permissions and group memberships for you.
Click here to download the tool:  https://www.veritas.com/support/en_US/vqa

 

For Windows 2016 / 2019

For Windows 2008 / 2008 R2 / 2012 / 2012 R2

For Windows 2003 / 2003 R2

 

For Windows 2016 / 2019 :

1. Go to Start | Programs | Administrative Tools | Group Policy Management.

2. From the left pane, expand Domains | Domain_Name | Group Policy Objects.

3. Right click on Default Domain Controllers Policy and click on Edit.

Ensure that the group policy being edited is set to Enforced or else the changes would not apply.

4. From the left pane, expand Computer Configuration and go to  Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignments.

5. From the right pane, right-click Log on as a batch Job --> Properties.

6. Click Add user or Group.

7. For the Add user or Group window, click Browse

8. Type the desired user account to act as your Backup Exec System Account, then click Browse and then click Ok.

9. Back in the "Group Policy Management Editor" note that your Backup Exec System Account now has "Log on as a batch Job" privilege.


10. Repeat steps 1 through 9 for any additional policies.
 

[ C ] Make sure the BESA is NOT included in the 'Deny Logon as a Batch' or 'Deny Logon as a service' because the deny supersedes the allow and even  adding the account under 'Logon as a Batch' or 'Logon as a service' would not resolve the issue.

Refresh the group policy

Click Start > Run and type gpupdate /target: computer /force (this will force update the Group Policy

 

For Windows 2008 / 2008 R2 / 2012 / 2012 R2 :

1. Go to Start | Programs | Administrative Tools | Group Policy Management.

2. From the left pane, expand Domains | Domain_Name | Group Policy Objects.

3. Right click on Default Domain Controllers Policy and click on Edit. 

Ensure that the group policy being edited is set to Enforced or else the changes would not apply.

4. From the left pane, expand Computer Configuration and go to  Windows Settings | Security Settings | Local Policies | User Rights Assignments.



5. From the right pane, right-click Create a token object.


6. Click "Add user or Group".



7. For the "Add user or Group" window, click Browse.


8. Type the desired user account to act as your Backup Exec System Account, then click Browse and then click Ok.

9. Back in the "Group Policy Management Editor" note that your Backup Exec System Account now has "Create a token object" privilege.


6. Repeat steps 1 through 9 for any additional policies.
 

[ C ] Make sure the BESA is NOT included in the 'Deny Logon as a Batch' or 'Deny Logon as a service' because the deny supersedes the allow and even  adding the account under 'Logon as a Batch' or 'Logon as a service' would not resolve the issue. (Figure 4)


Figure 4


Refresh the group policy

Click Start > Run and type gpupdate /target: computer /force ( this will force update the Group Policy


For Windows 2003 / 2003 R2 :

1. On the domain controller, click Start | Programs | Administrative Tools | Active Directory Users and Computers.

2. From the left pane, expand the Domain name, and right-click Domain Controllers organizational unit, and then select Properties.

3. Select the Group Policy tab.

4. Select the Default Domain Controllers Policy and then click Edit (Figure 2).

Figure 2
 

5. From the left pane, expand Computer Configuration and go to Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignments.
 

[ D ] Make sure BESA has all the required permissions

1. Check the permissions for the Backup Exec System Account ( BESA ) which shows under NetworkLogon Accounts.  Make sure it is a member of the local administrator group (built in admins) if applicable, and/or domain admins.  Remove this account from any groups that do not have full administrative rights. 

2. If performing the above steps do not resolve the issue, create a new user account in active directory and add it to the following groups only if a domain admin can be used else in case of a non DC a local user account part of the Local administrators group can also be used.

  • Domain Admins (Primary Group)
  • Local Admins or Administrators
  • Remove Domain Users from the list.

Then use this new account for Backup Exec services, add it under Network - Logon Accounts and make that as a default account.

Note: This applies to Windows Server 2008/R2 (Domain controller and member servers) as well.
 
[ E ] Make sure all Backup Exec services are started.

 

 

Was this content helpful?