Group Policy Object User Rights Assignment Settings

Problem

The backup selections show All Resources with nothing available for selection beneath it, as shown in Figure 1.

Figure 1

Error Message

Connection with server failed. Hit <F5> to retry when trying to edit/create a backup job on Windows 2008 server

 

Cause

[ A ] The password set for the Backup Exec System Logon Account (Network -> Logon Accounts) or the Backup Exec Service Account (BESA) does not match the password set in Active Directory.

[ B ] The BESA does not have the 'Log on as a batch job' user right.

By default this user right is granted to the Administrators and Backup Operators groups. It is defined in the Default Domain Controllers Group Policy object (GPO) and in the Local Security Policy of workstations and servers, and it allows a user to be logged on by means of a batch-queue facility.

For more information on this user right, refer to: 
http://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx

[ C ] The BESA is included in the 'Deny log on as a batch job' policy.

'Deny log on as a batch job' determines which accounts are prevented from logging on as a batch job. This policy setting supersedes the 'Log on as a batch job' policy setting if a user account is subject to both policies.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, there are no users denied logon as a batch job.

 

[ D ] This issue may occur due to a lack of permissions. If the Backup Exec Logon Account is not a member of the local Administrators group, or is a member of a group that has restrictions, a connection cannot be made to the resources available for selection.

[ E ] This issue may occur if the Remote Agent for Windows Server (RAWS) service is stopped. Because the Job Engine service depends on RAWS, the Job Engine service will also be stopped.

 

Solution

[ A ] Reset the password for the Backup Exec System Logon Account (Network > Logon Accounts) and/or the Backup Exec Service Account (Tools > Backup Exec Services > Services Credentials) to match the password set in Active Directory.

 

[ B ] All Backup Exec (tm) Services on the media server, with the exception of the Backup Exec Remote Agent, run in the context of a user account configured for Backup Exec System Services. This account can be created during the Backup Exec installation, or an existing user account can be used. To create a service account for Backup Exec during installation, supply a user name and password when prompted. The account designated for Backup Exec services, whether it is a new account or an existing user account, will require the following rights:

  • Act as part of the operating system [ a.k.a. TcbPrivilege ].
  • Back up files and directories (provides rights to back up files and directories) [ a.k.a. BackupPrivilege ].
  • Create a token object (which can be used to access any local resources) [ a.k.a. TokenRightPrivilege ].
  • Log on as a batch job (allows a user to be logged on by means of a batch-queue facility) [ a.k.a. BatchLogonRight ].
  • Log on as a service [ a.k.a. ServiceLogonRight ].
  • Manage auditing and security log [ a.k.a. AuditPrivilege ].
  • Restore files and directories (provides rights to restore files and directories) [ a.k.a. RestorePrivilege ].
  • Take ownership of files and other objects [ a.k.a. TakeOwnershipPrivilege ].

For more information on any of the above User Rights Assignment settings, please refer to: https://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx


Note: Due to security implementations in Microsoft Small Business Server, the service account must be "Administrator".
 

 

For Windows Server 2003 :

1. On the domain controller, click Start | Programs | Administrative Tools | Active Directory Users and Computers.

2. From the left pane, expand the Domain name, and right-click Domain Controllers organizational unit, and then select Properties.

3. Select the Group Policy tab.

4. Select the Default Domain Controllers Policy and then click Edit (Figure 2).

Figure 2
 

5. From the left pane, expand Computer Configuration and go to Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignments.


For Windows Server 2008 :

1. Go to Start | Programs | Administrative Tools | Group Policy Management.

2. From the left pane, expand Domains |Domain_Name | Group Policy Objects.

3. Right click on Default Domain Controllers Policy and click on Edit. 

 

 

Ensure that the group policy being edited is set to Enforced; otherwise the changes will not apply.

4. From the left pane, expand Computer Configuration and go to Windows Settings | Security Settings | Local Policies | User Rights Assignments.



5. From the right pane, right-click Create a token object.


6. Click "Add user or Group".



7. For the "Add user or Group" window, click Browse.


8. Type the desired user account to act as your Backup Exec System Account, then click Browse and then click Ok.

9. Back in the "Group Policy Management Editor", note that your Backup Exec System Account now has the "Create a token object" privilege.


10. Repeat steps 1 through 9 for any additional policies.
 

[ C ] Make sure the BESA is NOT included in the 'Deny log on as a batch job' or 'Deny log on as a service' policies, because a deny supersedes an allow: adding the account under 'Log on as a batch job' or 'Log on as a service' would not resolve the issue while the deny remains in place. (Figure 4)


Figure 4


Refresh the group policy

Click Start > Run and type gpupdate /target:computer /force (this forces an update of the Group Policy).
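The following PowerShell script is an added example, not part of the original article, that checks causes [B] and [C] on a media server: it exports the effective security policy with secedit, parses the [Privilege Rights] section, and reports whether the service account (CONTOSO\svc_backupexec is a placeholder name) holds each of the eight required rights and is absent from the two deny rights. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalGroup, Get-LocalGroupMember) are available; rights inherited through domain group membership are not resolved and must be checked separately.

```powershell
# Added example, not from the original article: audit this machine's effective
# User Rights Assignment for a backup service account. Run from an elevated
# prompt; the account name is a placeholder. Domain group membership is not resolved.
param([string]$Account = 'CONTOSO\svc_backupexec')   # placeholder BESA

# Rights the article requires, keyed by their secedit / GptTmpl.inf constant names.
$Required = [ordered]@{
    SeTcbPrivilege           = 'Act as part of the operating system'
    SeBackupPrivilege        = 'Back up files and directories'
    SeCreateTokenPrivilege   = 'Create a token object'
    SeBatchLogonRight        = 'Log on as a batch job'
    SeServiceLogonRight      = 'Log on as a service'
    SeAuditPrivilege         = 'Manage auditing and security log'
    SeRestorePrivilege       = 'Restore files and directories'
    SeTakeOwnershipPrivilege = 'Take ownership of files or other objects'
}
# A deny right supersedes the matching allow right, so these must not list the account.
$Denied = [ordered]@{
    SeDenyBatchLogonRight   = 'Deny log on as a batch job'
    SeDenyServiceLogonRight = 'Deny log on as a service'
}

# SIDs that count as "the account": its own SID plus every local group it belongs
# to, since rights are cumulative across group memberships.
$sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$sids = @($sid) + @(Get-LocalGroup | Where-Object {
            try { (Get-LocalGroupMember $_ -ErrorAction Stop).SID.Value -contains $sid }
            catch { $false } } | ForEach-Object { $_.SID.Value })

# Export the effective policy and parse the [Privilege Rights] section. Entries
# are comma separated; SIDs carry a leading '*', account names do not.
$cfg = Join-Path $env:TEMP 'ura-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# True when the account, or a local group it belongs to, is listed for the right.
function Test-Holder($constant) {
    $holders = @($rights[$constant])
    return [bool]($holders | Where-Object { $sids -contains $_ -or $_ -ieq $Account })
}

foreach ($c in $Required.Keys) {
    '{0,-8} {1} ({2})' -f $(if (Test-Holder $c) { 'OK' } else { 'MISSING' }), $Required[$c], $c
}
foreach ($c in $Denied.Keys) {
    '{0,-8} {1} ({2})' -f $(if (Test-Holder $c) { 'DENIED!' } else { 'OK' }), $Denied[$c], $c
}
```

A MISSING line under the required rights, or a DENIED! line, points at the policy to correct in the GPO steps above; run gpupdate and re-run the script to confirm the effective result.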

[ D ] Make sure BESA has all the required permissions

1. Check the permissions for the Backup Exec System Account (BESA), which is shown under Network > Logon Accounts. Make sure it is a member of the local Administrators group (built-in admins), if applicable, and of Domain Admins. Remove this account from any groups that do not have full administrative rights.

2. If performing the above steps does not resolve the issue, create a new user account in Active Directory and add it to the following groups:

  • Domain Admins (Primary Group)
  • Local Admins or Administrators
  • Remove Domain Users from the list.

Then use this new account for the Backup Exec services, add it under Network > Logon Accounts, and make it the default account.

Note: This applies to Windows Server 2008/R2 (Domain controller and member servers) as well.
 
[ E ] Make sure all Backup Exec services are started.


Understanding Logon Accounts and required User Rights Assignment to resolve connection, backup or restore failures

Although the built-in capabilities for accounts cannot be changed, user rights for accounts can be administered. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories. User rights are different from permissions because they apply to user accounts, whereas permissions are attached to objects. Keep in mind that changes made to user rights can have a far-reaching effect. Because of this, only experienced administrators should make changes to the user rights policy.

Microsoft defines user rights in two types of categories: Logon Rights and Privileges. These are defined as follows:

  • Logon Right: A user right that is assigned to a user and that specifies the ways in which a user can log onto a system. An example of a logon right is the right to log on to a system remotely.

  • Privilege: A user right that is assigned to a user and that specifies allowable actions on the system. An example of a privilege is the right to shut down a system.

User rights define capabilities at the local level. Although they can apply to individual user accounts, user rights are best administered on a group account basis. This ensures that a user logging on as a member of a group automatically inherits the rights associated with that group. By assigning rights to groups rather than individual users, user account administration can be simplified. When users in a group all require the same user rights, they can be assigned the set of rights once to the group, rather than repeatedly assigning the same set to each individual user account.

User rights that are assigned to a group are applied to all members of the group while they remain members. If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set of rights and privileges. The only time that rights assigned to one group might conflict with those assigned to another is in the case of certain logon rights. For example, a member of multiple groups who is given the "Deny Access to This Computer from the Network" logon right would not be able to log on despite the logon rights granted to the user by other groups. The user would be logged on locally with cached credentials, but when attempting to access domain resources would receive the following message:

In general, however, user rights assigned to one group do not conflict with the rights assigned to another group. To remove rights from a user, the administrator simply removes the user from the group. In this case, the user no longer has the rights assigned to that group.

The following lists show the logon rights and privileges that can be assigned to a user.

Logon Rights:

  • Access This Computer from Network
  • Deny Access to This Computer from the Network
  • Deny Logon as a Batch Job

Privileges:

  • Act as Part of the Operating System
  • Add Workstations to a Domain
  • Back Up Files and Directories
  • Create Permanent Shared Objects
  • Enable Computer and User Accounts to be Trusted for Delegation
  • Force Shutdown from a Remote System
  • Increase Scheduling Priority
  • Load and Unload Device Drivers
  • Manage Auditing and Security Log
  • Modify Firmware Environment Values
  • Profile System Performance
  • Remove Computer from Docking Station
  • Replace a Process-Level Token
  • Restore Files and Directories
  • Synchronize Directory Service Data
  • Take Ownership of Files or Other Object
  • Read Unsolicited Data from a Terminal Device

Some of the privileges can override permissions set on an object. For example, a user logged on to a domain account as a member of the Backup Operators group has the right to perform backup operations for all domain servers. However, this requires the ability to read all files on those servers, even files on which their owners have set permissions that explicitly deny access to all other users, including members of the Backup Operators group. A user privilege, in this case, the right to perform a backup, takes precedence over all file and directory permissions. The privileges, which can override permissions set on an object, are listed below.

  • Take Ownership of Files or Other Object
  • Manage Auditing and Security Log
  • Back Up Files and Directories
  • Restore Files and Directories
  • Debug Programs
  • Bypass Traverse Checking

The Take Ownership of Files or Other Object (TakeOwnership) privilege grants WriteOwner access to an object. The Backup and Restore privileges grant read and write access to an object. The Debug Programs (Debug) privilege grants read or open access to an object. The Bypass Traverse Checking (ChangeNotify) privilege provides traverse access on directories; this privilege is given, by default, to all users and is not considered security relevant. The Manage Auditing and Security Log (Security) privilege provides several abilities, including access to the security log and overriding access restrictions on the security log; the Event Logger is responsible for enforcing the Security privilege in this context. The TakeOwnership, Security, Backup, Restore and Debug privileges should only be assigned to administrator accounts (see Appendix C, User Rights and Privileges, of the Windows 2000 Security Configuration Guide, for the restrictions on the assignment of privileges required to be in accordance with the Evaluated Configuration).

The special user account LocalSystem has almost all privileges and logon rights assigned to it, because all processes that are running as part of the operating system are associated with this account, and these processes require a complete set of user rights.

Appendix C – User Rights and Privileges, of the Windows 2000 Security Configuration Guide, contains a cross-reference table of user rights and privileges to applicable Security Target requirements that should be used as reference when implementing a user rights policy that must address specific ST requirements.

Assigning User Rights

User rights are assigned through the Local Policies node of Group Policy. As the name implies, local policies pertain to a local computer. However, local policies can be configured and then imported into Active Directory. Local policies can also be configured as part of an existing Group Policy for a site, domain, or organizational unit. When this is done, the local policies will apply to computer accounts in the site, domain, or organizational unit.

User rights policies can be administered as follows:

  1. Log on using an administrator account.

  2. Open the Active Directory Users and Computers tool.

  3. Right-click the container holding the domain controller and click Properties.

  4. Click the Group Policy tab, and then click Edit to edit the Default Domain Policy.

  5. In the Group Policy window, expand Computer Configuration, navigate to Windows Settings, to Security Settings, and then to Local Policies.

  6. Select User Rights Assignment.

    Note: All policies are either defined or not defined. That is, they are either configured for use or not configured for use. A policy that is not defined in the current container could be inherited from another container.

  7. To configure user rights assignment, double-click a user right or right-click on it and select Security. This opens a Security Policy Setting dialog box.

    For a site, domain, or organizational unit, individual user rights can be configured by completing the following steps:

  8. Open the Security Policy Setting dialog box for the user right to be modified.

  9. Select Define these policy settings to define the policy.

  10. To apply the right to a user or group, click Add.

  11. In the Add user or group dialog box, click Browse. This opens the Select Users Or Groups dialog box. The right can now be applied to users and groups.

The following selection options appear on the Select Users Or Groups box:

  • Name: The Name column shows the available accounts of the currently selected domain or resource.

  • Add: Add selected names to the selection list.

  • Check Names: Validate the user and group names entered into the selection list. This is useful if names are typed in manually and it is necessary to ensure that they're actually available.

  12. To access account names from other domains, click the Look In list box. A drop-down list will appear that shows the current domain, trusted domains, and other resources that can be accessed. Select Entire Directory to view all the account names in the directory.

    Note: Only domains that have been designated as trusted are available in the Look In drop-down list. Because of the transitive trusts in Windows 2000, this usually means that all domains in the domain tree or forest are listed. A transitive trust is one that is not established explicitly. Rather, the trust is established automatically based on the forest structure and permissions set in the forest.

  13. After selecting the account names to add to the group, click OK. The Add user or group dialog box should now show the selected accounts. Click OK again.

  14. The Security Policy Setting dialog box is updated to reflect the selections. If a mistake is made, select a name and remove it by clicking Remove.

  15. When finished granting the right to users and groups, click OK.


Configuring Local User Rights

For local computers, such as Windows 2000 Professional, apply user rights by completing the following steps:

  1. Log in as Administrator.

  2. Open Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.

  3. In the Local Security Settings window, navigate to Local Policies, and then select User Rights Assignment.

  4. To configure user rights assignment, double-click a user right or right-click on it and select Security. This opens a Security Policy Setting dialog box. The effective policy for the computer is displayed, but it cannot be changed. However, the local policy settings can be adjusted. Use the fields provided to configure the local policy. Remember that site, domain, and organizational unit policies have precedence over local policies.

  5. The Assigned To column shows current users and groups that have been given a user right. Select or clear the related check boxes under the Local Policy Setting column to apply or remove the user right.

  6. Apply the user right to additional users and groups by clicking Add. This opens the Select Users Or Groups dialog box. Local users and groups can now be added.

  7. To access account names from the domain, click the Look In list box. There should be a list that shows the current machine, the local domain, trusted domains, and other resources that can be accessed. Select the local domain to view all the account names in the domain.
