ADSM-L

required NT privileges

1996-06-14 11:14:10
Subject: required NT privileges
From: "Pete Tanenhaus, ADSM Client Development" <pt AT VNET.IBM DOT COM>
Date: Fri, 14 Jun 1996 11:14:10 EDT
The Access Denied errors are caused by insufficient user
privileges to back up/restore NTFS security information.

Every NTFS file/directory contains a set of four security descriptors:

  -  Owner and Group Security Identifier (SID)

     Identifies what user and primary group owns the file.

     Requires Backup/Restore user right if the file/dir is being
     accessed by a user other than the owner.

  -  Discretionary Access Control List

     File/directory permissions (what users are allowed/not allowed
     to access the object and what access is allowed)

     Same user rights required as Group and Owner SIDs.

  -  System Access Control List

     Auditing information.

     Requires Security Name privilege (Manage Security and Auditing Log
     User Right), regardless of who owns the object.

  I think restoring the registry requires Backup/Restore privilege
  as well.

  The predefined Backup Operators group possesses the Backup and Restore
  user rights, but not the Manage Security Log one, so members of this
  group will NOT be able to access NTFS files with ADSM.

  The only predefined groups which possess this privilege are Administrator
  and Domain Administrator.

  Of course this user right can be added to any user or group.

  I could have designed the client to bypass restoring/backing up security
  information as some other NT backup products do, but I chose not to do
  this because I felt that it would somewhat subvert the NT security model.

  The client used to only run on Admin/Domain Admin/System accounts, but
  I removed this restriction because it is possible to access FAT files/dirs
  without any special privileges.

  Hope this answers your questions ....

  Pete Tanenhaus
  ADSM Development
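
Added example, not part of the original message or of ADSM: a Python check that takes the output of `whoami /priv /fo csv` for the backup account and reports which parts of the NTFS security descriptor it could not back up or restore under the rules described above. It assumes a current Windows system where `whoami` is available and that the user rights named in the message correspond to SeBackupPrivilege, SeRestorePrivilege and SeSecurityPrivilege (SE_SECURITY_NAME); the sample outputs are constructed.

```python
import csv
import io

# Privileges each descriptor part needs, following the message above.
# Owner/group and DACL need Backup/Restore only when the caller is not the
# owner; the SACL needs SeSecurityPrivilege regardless of ownership.
NON_OWNER_ONLY = {"SeBackupPrivilege", "SeRestorePrivilege"}
REQUIRED = {
    "owner/group SID": NON_OWNER_ONLY,
    "DACL": NON_OWNER_ONLY,
    "SACL": {"SeSecurityPrivilege"},
}

# Constructed sample: a member of Backup Operators.
SAMPLE_BACKUP_OPERATOR = '''"Privilege Name","Description","State"
"SeBackupPrivilege","Back up files and directories","Disabled"
"SeRestorePrivilege","Restore files and directories","Disabled"
"SeShutdownPrivilege","Shut down the system","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
'''

# Constructed sample: an ordinary domain user.
SAMPLE_PLAIN_USER = '''"Privilege Name","Description","State"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
'''

def held_privileges(whoami_csv):
    """Return the privilege names present in the token.

    A privilege shown as Disabled is still held: the process can switch it
    on with AdjustTokenPrivileges. Only an absent privilege is a hard gap.
    """
    rows = csv.DictReader(io.StringIO(whoami_csv))
    return {r["Privilege Name"].strip() for r in rows if r.get("Privilege Name")}

def backup_gaps(whoami_csv, is_owner=False):
    """Map each descriptor part to the privileges the account is missing."""
    held = held_privileges(whoami_csv)
    gaps = {}
    for part, needed in REQUIRED.items():
        if is_owner and needed is NON_OWNER_ONLY:
            needed = set()          # owner reads its own owner/group/DACL
        gaps[part] = sorted(needed - held)
    return gaps

if __name__ == "__main__":
    for part, missing in backup_gaps(SAMPLE_BACKUP_OPERATOR).items():
        print(f"{part:16} {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

On a live host, pass the text captured from `whoami /priv /fo csv` run as the account that performs the backup.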


------------------------Original Note----------------------------
Jim,
        Not sure if ADSM supports this or not but did you try adding one of the
users to the BACKUP OPERATOR's group on their local machine ???

Tim Pittson
tpittson AT himail.hcc DOT com

>----------
>From:  Jim White[SMTP:jwwhite AT SRP DOT GOV]
>Sent:  Thursday, June 13, 1996 9:44 PM
>To:    Multiple recipients of list ADSM-L
>Subject:       Windows NT file access errors
>
>We are moving to Windows NT on the desktop and will be using ADSM for
>backups.  Our users are not local admins, rather they log on to our NT
>domain with minimal privileges.  This scenario apparently presents some
>problems for ADSM in terms of file access.  For one thing, they are
>unable to back up the registry on their machine (error ANS7643E followed
>by ANS7641E followed by "Active object not found").  When "no" is
>specified for the BACKUPREG option in DSM.OPT, the registry backup
>problem goes away (naturally), but then all kinds (hundreds) of "Access
>denied" errors occur when backing up files.
>
>Is there some way that a plain ole user logged in to the domain can run
>ADSM with admin privileges on their machine to prevent these errors and
>get a clean backup? Are we going to have to give users local admin
>authority to solve this?  Any other ideas?
>
>Thanks in advance,
>Jim White
>jwwhite AT srp DOT gov
>