What permissions are required to back up to a remote folder

Tags: dfs, windows-server-2008, windows-server-backup

I'm currently working with Windows Server Backup and am trying to run a scheduled backup with an unprivileged account.

  • I want to create a full backup of the server exchange.dom.example.com.

  • I created a new domain user "Backup", which I want to use for this task.

  • I created a DFS storage location called \\dom.example.com\Backup\Exchange where I want to write my backup to.

  • It is pointing to an SMB share on the server storage0.dom.example.com named \\storage0.dom.example.com\Exchange

  • I gave the user "Backup" full access permissions to the SMB share \\storage0.dom.example.com\Exchange.

Now, this is where the confusion starts. I added "Backup" to the "Backup-Operators" group on a domain controller, but Server Backup would not let me create the backup job. So I created the job with my own user account and tried to change the scheduled task later on. When I then try to switch the user to "Backup", it tells me "Backup" is not allowed to log onto the system.

So, I added "Backup" to the local "Backup-Operators" group. Now I can create the task just fine. But when it runs, it will fail with error code 2155348039, telling me it wasn't able to write to the target location.

When I add "Backup" to the "Administrators" group, everything runs perfectly. So I must assume this is a permissions-related issue. But what other permissions do I have to set?

I also double-checked the error with Process Monitor. An ACCESS_DENIED error is captured from wbengine.exe while trying to write to the DFS location \\dom.example.com\Backup\Exchange\TempFile.tmp.

I've also tried to simply set the backup up without DFS at all (by writing directly to the SMB share), that leads to the same issue.

I've also started a command prompt as "Backup" on exchange.dom.example.com and pushd my way into \\storage0.dom.example.com\Exchange. This is the only place I cannot write to. I can write to any subfolder just fine. Just not into Exchange itself.

Best Answer

I commend you for trying to stick to the principle of least privilege. But I think I see where you got off track. Where you said:

I added "Backup" to the "Backup-Operators" group on a domain controller

The Builtin container in AD holds groups that are in essence like shared local groups for all the domain controllers. Adding a user to the Backup Operators built-in group in AD Users and Computers only gives that user Backup Operator privileges on domain controllers. As such, it will have no effect on non-DC servers in the domain.

Source: http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx

For example, a member of the Backup Operators group has the right to perform backup operations for all domain controllers in the domain.

The account you use should be a member of the Backup Operators local group on each server: the one being backed up, and the server hosting the share that will hold the backup. According to the documentation, that alone should allow the Backup user account to access the files necessary to perform the backup, regardless of its file permissions on the files being backed up.

Now, being a member of the Backup Operators local group on the computer hosting the file share probably isn't going to give it write permissions to write the backup to the share, so you'll want to grant those permissions accordingly. I recommend giving the Backup user Full Control share permissions, but only read/write permissions at the NTFS level.
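As an added example, not part of the question or the answer above: a PowerShell script that applies what the answer recommends (local Backup Operators membership on both servers, Full Control at the share level, read/write at the NTFS level), repeats the write test from the question against the share root, and schedules the backup with wbadmin using that account. Everything named here is an assumption: the domain's NetBIOS name is DOM, the share on storage0 is backed by E:\Exchange, the password placeholder is to be replaced, and each section is run in an elevated PowerShell session on the server marked in the comments. net, icacls and wbadmin exist on Windows Server 2008; Grant-SmbShareAccess exists only on Windows Server 2012 and later, so on 2008 the share permission is set from the share's Properties page instead.

```powershell
# Added example (not from the original post). Assumed names:
$account   = 'DOM\Backup'                              # domain NetBIOS name assumed to be DOM
$localPath = 'E:\Exchange'                             # folder assumed to back \\storage0\Exchange
$shareName = 'Exchange'
$target    = '\\storage0.dom.example.com\Exchange'

# Run a native command and fail loudly instead of silently continuing on error.
function Invoke-Checked([string]$exe, [string[]]$cmdArgs) {
    & $exe @cmdArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$exe $($cmdArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# ---- On storage0.dom.example.com (the server hosting the share) ----

# 1. Membership of the LOCAL Backup Operators group on this host. The Builtin
#    group in Active Directory Users and Computers only applies to domain controllers.
Invoke-Checked net @('localgroup', 'Backup Operators', $account, '/add')

# 2. NTFS: Modify (read/write, create, delete) on the folder, inherited by
#    subfolders (CI) and files (OI), deliberately not Full Control. This is what
#    grants the write on the share ROOT that the question's pushd test lacked.
Invoke-Checked icacls @($localPath, '/grant', "${account}:(OI)(CI)M")

# 3. Share level: Full Control, so the effective permission is decided by NTFS.
#    Grant-SmbShareAccess is Windows Server 2012+; on 2008 use the share's
#    Properties > Permissions page for the same setting.
Grant-SmbShareAccess -Name $shareName -AccountName $account -AccessRight Full -Force

# ---- On exchange.dom.example.com (the server being backed up) ----

# Same local group membership here, so wbengine can read the volumes being backed up.
Invoke-Checked net @('localgroup', 'Backup Operators', $account, '/add')

# Verify, in a session running as DOM\Backup (e.g. runas /user:DOM\Backup powershell),
# that the share root itself is writable and not only its subfolders.
$probe = Join-Path $target ("probe-{0}.tmp" -f [guid]::NewGuid())
Set-Content -Path $probe -Value 'write test' -ErrorAction Stop
Remove-Item -Path $probe -ErrorAction Stop
Write-Host "Write to $target succeeded"

# Schedule the daily full backup to the share. -user/-password tell wbadmin which
# credentials to use for the remote folder; replace the placeholder password.
Invoke-Checked wbadmin @(
    'enable', 'backup',
    "-addtarget:$target",
    '-allCritical',
    '-schedule:02:00',
    "-user:$account",
    '-password:REPLACE_ME',
    '-quiet'
)
```

If the probe write still fails after the NTFS grant, check the effective permission on the folder with `icacls E:\Exchange` on storage0 (an explicit Deny for a group the account belongs to overrides the Modify grant) and confirm the scheduled task is running as the domain account rather than a local one with the same name.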
