Allowing non-administrators to use Backup Exec

Some organisations may want to allow users to administer Backup Exec without having full administrative rights. Don't worry, it's easy…

In a small organisation, it's likely that the Backup Exec administrator is also an administrator for the domain, and they either have Domain Administrator privileges, or simply use the Administrator account. But what if you're a larger organisation, with dedicated backup operators? Or what if you want to maintain auditability? Or what if you have administrative staff and you want them to record tape movements to and from your vault?

The simple solution is to add the required user to the Backup Operators security group. This is a default group in a Windows Server domain. Users who are members of this group have permissions to backup and restore files, and reset security, so it should be used with caution. However Backup Operators don't have full domain administrator permissions, so they can't (for example) reset user passwords.

If the users are connecting using the Backup Exec Administrator Console from their machine, no further steps are needed.

If the users are connecting to the Backup Exec media server (which is not a domain controller) using Remote Desktop, then the user (or the Backup Operators security group) will need to be added to the list of users allowed to log in remotely.

If the users are connecting to the Backup Exec media server (which is a domain controller), then additional steps (not listed here) are required, as domain controllers have additional security policies by default.

Note that due to being logged on as an unprivileged account, users may find that they are at times prompted for logon details of the Backup Exec logon account. However, this tends to be when creating selection lists and restoring.

Note that some people have commented that this simply doesn't work. All I can say is that it works for me!