We are changing some of our fileservers to Windows NT. In reading this note I am
still not clear on exactly what a client needs to do to back up their
individual PC to ADSM (on MVS). I guess on their local machine they need to
be set up as a backup operator?
At 11:14 AM 6/14/96 EDT, you wrote:
>The Access Denied errors are caused because of insufficient user
>privileges to backup/restore NTFS security information.
>
>Every NTFS file/directory contains a set of four security descriptors:
>
> - Owner and Group Security Identifier (SID)
>
> Identifies what user and primary group owns the file.
>
> Requires Backup/Restore user right if the file/dir is being
> accessed by a user other than the owner.
>
> - Discretionary Access Control List
>
> File/directory permissions (what users are allowed/not allowed
> to access the object and what access is allowed)
>
> Same user rights required as Group and Owner SIDs.
>
> - System Access Control List
>
> Auditing information.
>
> Requires Security Name privilege (Manage Security and Auditing Log
> User Right), regardless of who owns the object.
>
> I think restoring the registry requires Backup/Restore privilege
> as well.
>
> The predefined Backup Operators group possesses the Backup and Restore
> user rights, but not the Manage Security Log one, so members of this
> group will NOT be able to access NTFS files with ADSM.
>
> The only predefined groups which possess this privilege are Administrator
> and Domain Administrator.
>
> Of course this user right can be added to any user or group.
>
> I could have designed the client to bypass restoring/backing up security
> information as some other NT backup products do, but I chose not to do
> this because I felt that it would somewhat subvert the NT security model.
>
> The client used to only run on Admin/Domain Admin/System accounts, but
> I removed this restriction because it is possible to access FAT files/dirs
> without any special privileges.
>
> Hope this answers your questions ....
>
> Pete Tanenhaus
> ADSM Development
>
>
>------------------------Original Note----------------------------
>
>Jim,
> Not sure if ADSM supports this or not but did you try adding one of the
>users to the BACKUP OPERATOR's group on their local machine ???
>
>Tim Pittson
>tpittson AT himail.hcc DOT com
>
>>----------
>>From: Jim White[SMTP:jwwhite AT SRP DOT GOV]
>>Sent: Thursday, June 13, 1996 9:44 PM
>>To: Multiple recipients of list ADSM-L
>>Subject: Windows NT file access errors
>>
>>We are moving to Windows NT on the desktop and will be using ADSM for
>>backups. Our users are not local admins, rather they log on to our NT
>>domain with minimal privileges. This scenario apparently presents some
>>problems for ADSM in terms of file access. For one thing, they are unable
>>to back up the registry on their machine (error ANS7643E followed by
>>ANS7641E followed by "Active object not found"). When "no" is specified
>>for the BACKUPREG option in DSM.OPT, the registry backup problem goes away
>>(naturally), but then all kinds (hundreds) of "Access denied" errors occur
>>when backing up files.
>>
>>Is there some way that a plain ole user logged in to the domain can run
>>ADSM with admin privileges on their machine to prevent these errors and
>>get a clean backup? Are we going to have to give users local admin
>>authority to solve this? Any other ideas?
>>
>>Thanks in advance,
>>Jim White
>>jwwhite AT srp DOT gov
>>
>
>
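
An added example, not part of the thread and not ADSM code: a PowerShell check of which parts of an NTFS security descriptor an account's token could reach, using the user rights Pete lists. It assumes the standard NT privilege constants for those rights (SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege); the function name `Get-DescriptorCoverage` is hypothetical and the sample token is constructed.

```powershell
# Descriptor parts from the thread, mapped to the privileges they require.
# The Se* names are the standard constants for "Back up files and directories",
# "Restore files and directories" and "Manage auditing and security log".
$RequiredRights = [ordered]@{
    'Owner and Group SID' = @('SeBackupPrivilege', 'SeRestorePrivilege')
    'Discretionary ACL'   = @('SeBackupPrivilege', 'SeRestorePrivilege')
    'System ACL'          = @('SeSecurityPrivilege')
}

function Get-DescriptorCoverage {
    param(
        # CSV rows as produced by `whoami /priv /fo csv /nh`; defaults to the
        # token of the account running the script.
        [string[]]$PrivCsv = (whoami /priv /fo csv /nh)
    )
    # A privilege listed as Disabled is still held: a backup client can enable
    # it in its own token. A privilege absent from the list cannot be enabled.
    $held = @($PrivCsv |
        ConvertFrom-Csv -Header Name, Description, State |
        ForEach-Object { $_.Name })

    foreach ($part in $RequiredRights.Keys) {
        $missing = @($RequiredRights[$part] | Where-Object { $_ -notin $held })
        [pscustomobject]@{
            DescriptorPart = $part
            Accessible     = ($missing.Count -eq 0)
            Missing        = $missing -join ', '
        }
    }
}

# Constructed sample: a token holding the Backup and Restore rights but not
# the Manage Security Log right, as described for Backup Operators above.
$sample = @(
    '"SeBackupPrivilege","Back up files and directories","Disabled"'
    '"SeRestorePrivilege","Restore files and directories","Disabled"'
    '"SeShutdownPrivilege","Shut down the system","Disabled"'
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
)
Get-DescriptorCoverage -PrivCsv $sample | Format-Table -AutoSize
```

Run without `-PrivCsv` under the account that will run the backup to see which right, if any, still has to be granted to it.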