The previous subsection reviewed the domain policy configured by default for all new domains. This subsection reviews the default DC policy, which specifies security settings for all machines in the DC OU. By default, Windows 2000 DC computers are added to the DC OU.
In this subsection, the Group Policy snap-in is demonstrated rather than the Active Directory Users and Computers snap-in as the path to the default DC GPO.
To load the Group Policy MMC snap-in:
Click Start, click Run, and in the text box, type mmc /s and then click OK.
From the Console menu, select Add/Remove Snap-in, and click the Add button.
From the Available Standalone Snap-in list, select Group Policy, and click the Add button.
In the Select Group Policy Object dialog box, click the Browse button.
The default GPO selected when the Group Policy snap-in is added is the one for the local computer. Double-click the GPO for the DC OU as shown below.
Note that the default domain policy (reviewed in the previous subsection) is also listed here, as well as a folder containing Group Policy objects for the DC OU.
In the Browse for a Group Policy Object dialog box, double-click the folder containing the GPOs associated with the DC OU.
Select the Default Domain Controllers Policy, and click OK.
In the Select Group Policy Object dialog box, click Finish.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
To review security policies in the default DC GPO:
In the Default Domain Controllers Policy console, expand Computer Configuration; navigate to Windows Settings, then to Security Settings, and then to Account Policies.
Select Password Policy.
In the results pane, notice that a Password Policy is not defined in the default DC GPO, because password policy is defined for the entire domain in the default domain GPO.
In the Console, navigate to Local Policies, and select User Rights Assignments.
In the results pane, note that user rights are configured in the default DC GPO. As seen in the previous subsection, user rights are not defined in the default domain GPO.
The backup selections show All Resources with nothing available for selection beneath it, as shown in Figure 1.
The error "Connection with server failed. Hit <F5> to retry" appears when trying to edit or create a backup job on Windows 2008 server.
[ A ] The password set for the Backup Exec System Logon Account (Network -> Logon Accounts) or the Backup Exec Service Account (BESA) does not match the password set in Active Directory.
[ B ] The BESA does not have the right to Log on as a batch job.
By default this policy is applied to Administrators and the Backup Operators group. This user right is defined in the default Domain Controller's Group Policy object (GPO) and in the Local Security Policy of workstations and servers, and it allows a user to be logged on by means of a batch-queue facility.
For more information on this user right, refer to:
[ C ] The BESA is included in the Deny logon as a batch job policy.
'Deny logon as a batch job' determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies.
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, there are no users denied logon as a batch job.
[ D ] This issue may occur due to lack of permissions. If the Backup Exec Logon Account is not a member of local administrators or is a member of some group that has restrictions, a connection cannot be made to the resources available for selection.
[ E ] This issue may occur if the Remote Agent for Windows Server (RAWS) service is stopped. As the Job Engine service is dependent on RAWS, the Job Engine service will also be stopped.
[ A ] Reset the password for the Backup Exec System Logon Account (network > logon accounts) and/or the Backup Exec Service Account (Tools > Backup Exec services > Services Credentials) to match the password set in Active Directory.
[ B ] All Backup Exec (tm) Services on the media server, with the exception of the Backup Exec Remote Agent, run in the context of a user account configured for Backup Exec System Services. This account can be created during the Backup Exec installation, or an existing user account can be used. To create a service account for Backup Exec during installation, supply a user name and password when prompted. The account designated for Backup Exec services, whether it is a new account or an existing user account, will require the following rights:
- Act as part of the operating system [ a.k.a. TcbPrivilege ].
- Backup files and directories (provides rights to backup files and directories) [ a.k.a. BackupPrivilege ].
- Create a token object (which can be used to access any local resources) [ a.k.a. TokenRightPrivilege ].
- Log on as a batch job (allows a user to be logged on by means of a batch-queue facility) [ a.k.a. BatchLogonRight ].
- Log on as a service [ a.k.a. ServiceLogonRight ].
- Manage auditing and security log [ a.k.a. AuditPrivilege ].
- Restore files and directories (provides rights to restore files and directories) [ a.k.a. RestorePrivilege ].
- Take ownership of files and other objects [ a.k.a. TakeOwnershipPrivilege ].
For more information on any of the above User Rights Assignments, please refer to: https://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx.
Note: Due to security implementations in Microsoft Small Business Server, the service account must be "Administrator".
For Windows Server 2003:
1. On the domain controller, click Start | Programs | Administrative Tools | Active Directory Users and Computers.
2. From the left pane, expand the Domain name, and right-click Domain Controllers organizational unit, and then select Properties.
3. Select the Group Policy tab.
4. Select the Default Domain Controllers Policy and then click Edit (Figure 2).
5. From the left pane, expand Computer Configuration and go to Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignments.
For Windows Server 2008:
1. Go to Start | Programs | Administrative Tools | Group Policy Management.
2. From the left pane, expand Domains | Domain_Name | Group Policy Objects.
3. Right-click Default Domain Controllers Policy and click Edit.
Ensure that the group policy being edited is set to Enforced; otherwise the changes will not apply.
4. From the left pane, expand Computer Configuration and go to Windows Settings | Security Settings | Local Policies | User Rights Assignments.
5. From the right pane, right-click Create a token object.
6. Click "Add user or Group".
7. For the "Add user or Group" window, click Browse.
8. Type the desired user account to act as your Backup Exec System Account, then click Browse and then click OK.
9. Back in the "Group Policy Management Editor", note that your Backup Exec System Account now has the "Create a token object" privilege.
10. Repeat steps 1 through 9 for any additional policies.
[ C ] Make sure the BESA is NOT included in the 'Deny Logon as a Batch' or 'Deny Logon as a service' because the deny supersedes the allow and even adding the account under 'Logon as a Batch' or 'Logon as a service' would not resolve the issue. (Figure 4)
Refresh the group policy:
Click Start > Run and type gpupdate /target:computer /force (this forces an update of the Group Policy).
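To confirm the outcome of [ B ] and [ C ] after the refresh, the following added example (not part of the original article and not vendor code) parses a secedit user-rights export and reports which of the rights listed above the service account still lacks and which deny rights apply to it. The function name Test-BesaUserRights, the sample export and the SIDs are constructed for illustration; the Se* constants are the names secedit writes in the [Privilege Rights] section for the rights listed under [ B ] and the two deny rights under [ C ], and group membership must be supplied by the caller.

```powershell
# Added example (not vendor code). Produce a real export on the server with:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
$Required = 'SeTcbPrivilege', 'SeBackupPrivilege', 'SeCreateTokenPrivilege',
            'SeBatchLogonRight', 'SeServiceLogonRight', 'SeSecurityPrivilege',
            'SeRestorePrivilege', 'SeTakeOwnershipPrivilege'
$Deny     = 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight'

function Test-BesaUserRights {
    param(
        [string[]]$InfLines,    # lines of the exported .inf file
        [string[]]$Principals   # SIDs/names of the account and of each group it is in
    )
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and ($t -match '^(\w+)\s*=\s*(.*)$')) {
            # secedit writes SIDs as *S-1-...; strip the '*' so SIDs and names compare alike
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    # A right is held when any holder listed for it is one of the supplied principals
    $held = { param($r) [bool]($rights[$r] | Where-Object { $Principals -contains $_ }) }
    [pscustomobject]@{
        Missing = @($Required | Where-Object { -not (& $held $_) })   # rights still to grant
        Denied  = @($Deny | Where-Object { & $held $_ })              # deny entries that override
    }
}

# Constructed sample export; the -1105 SID is a hypothetical service account
$besa = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sample = @'
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeSecurityPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeDenyBatchLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@ -split '\r?\n'

# The account plus BUILTIN\Administrators (S-1-5-32-544), which it is assumed to belong to
$result = Test-BesaUserRights -InfLines $sample -Principals $besa, 'S-1-5-32-544'
$result | Format-List
```

An entry under Denied needs attention even when Missing is empty, because the deny setting supersedes the corresponding allow.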
[ D ] Make sure BESA has all the required permissions
1. Check the permissions for the Backup Exec System Account ( BESA ) which shows under Network - Logon Accounts. Make sure it is a member of the local administrator group (built in admins) if applicable, and domain admins. Remove this account from any groups that do not have full administrative rights.
2. If performing the above steps does not resolve the issue, create a new user account in Active Directory and add it to the following groups:
- Domain Admins (Primary Group)
- Local Admins or Administrators
- Remove Domain Users from the list.
Then use this new account for Backup Exec services, add it under Network - Logon Accounts and make it the default account.
Note: This applies to Windows Server 2008/R2 (Domain controller and member servers) as well.
[ E ] Make sure all Backup Exec services are started.