Why is a member of "Backup Operators" group denied from running backup?
If you're absolutely looking for an incremental solution, this answer might not be of much help, but if you can settle for a system image, the wbadmin command-line tool will do: http://technet.microsoft.com/en-us/library/cc742083.aspx
For some reason, the GUI version requires full admin privileges, but the command-line doesn't. Just make sure to run an elevated prompt (Run as admin... on cmd.exe, even though it's only to get Backup operators priviledges). So far though, I haven't been able to do a system image restore with those privileges (admin still required), but I haven't tried much. You can't mount the backup image (.vhd) either, but can open it with third party tools (I use 7-zip, there are probably several others) to recover files.
Related videos on Youtube
M.S. Dousti
Updated on September 18, 2022Comments
-
M.S. Dousti over 1 year
On my Windows 7, I created a user,
BackupUser5
, and added him to the "Backup Operators" group. By design:Members of this group can back up and restore files on a computer, regardless of any permissions that protect those files. This is because the right to perform a backup takes precedence over all file permissions. Members of this group cannot change security settings.
I ran Windows "Backup and Restore" in elevated mode (elevated with
BackupUser5
permissions). Then, I pressed the "Back up now" button (as shown below). Windows asked for credentials, and I entered the credentials forBackupUser5
. Here's the results:As shown above, I got an access denied message. I don't know why? (Of course, if I use an admin credential, I won't get the error. The question is, why a "Backup Operators" member can't do that.)
-
M.S. Dousti almost 11 years@TheCleaner: The privilege (right)
Log on as a batch job
is given toAdministrators
,Backup Operators
, andPerformance Log Users
. While this implicitly gives the right to myBackupUser5
user, I explicitly gave it this right, logged off, logged on back again, and repeated the procedure, to no avail :( -
Keltari almost 11 yearsTry not running elevated, that might require admin privs that backup operators dont have...
-
M.S. Dousti almost 11 years@Keltari: Sorry, it didn't work either...
-
-
M.S. Dousti almost 11 yearsThe backup process
sdclt.exe
has theSeBackupPrivilege
. The commandgpresult /h out.html
lists group memberships for the current user (which includes Backup Operators), but it does not reveal the user rights assigned to him. I'm pretty sure he has the "Logon as a batch job" right, and is not denied logon as batch job. To confirm, I simply ranwhoami /priv
from an elevated command prompt, which lists all privileges assigned to the user. -
M.S. Dousti almost 11 yearsThanks. I'd like to test your idea, but I need a bit of help. Can you guide me on how to run a backup job remotely? Should I follow the steps in this MS Knowledge Base article?