Backing Up in Windows as a Non-Administrative User

1. Introduction

Although TSM/IBM Spectrum Protect can only back up an entire machine's filestore when running under an administrative account, it can be run under a non-administrative account in one of two ways.

2. Under a normal user account (32-bit XP only)

  • Give the relevant account Read & Execute, Read and Write rights on the installation folder (default C:\Program Files\Tivoli\TSM\baclient\) so that errors can be logged in the error log file dsmerror.log. Note that by default, users do not have the Write permission set on this folder.
  • Add the following option to the dsm.opt configuration file in the installation folder:
    SkipNTPermissions Yes
  • This will allow the user account only to back up files in directories and on drives to which they have access rights. Other files, system objects (e.g. the registry) etc. cannot be backed up. NT file attributes will not be backed up with files and thus will be lost when the files are restored.

3. To run a backup from an account belonging to the Backup Operators group (XP and higher)

  • Of the two possible methods of backing up Windows from a non-administrative account, this is the only one that will work in Windows Vista or higher (except that it does not work in Vista Home, which lacks the Backup Operators administrative group). Please see additionally Backing up Windows Vista and higher as a non-administrative user on this topic.
  • Add the account to the Backup Operators group.
  • Ensure that the account has Write rights on the installation folder C:\Program Files\Tivoli\TSM\baclient\.
  • Ensure that the Backup Operators group has the following rights (via [Administrative Tools] > [Local Security Policy] > [Local Policies] > [User Rights Assignment]):
    Back up files and directories
    Restore files and directories
    Manage auditing and security logs

    Note that by default, this group does not have the last of these rights (Manage auditing and security logs), and so it should explicitly be given this.

  • This account should now be able to back up all files local to the machine. However, some Windows system objects such as Active Directory still require administrative privileges to perform backups.

Note that as a consequence of running a backup as a non-administrative user, you will be prompted for the TSM/IBM Spectrum Protect password irrespective of the setting of the PasswordAccess to Generate in the configuration file. This is because the account will not have rights to access the encrypted password in the Registry.

The README notes from IBM on this subject are reproduced in the following document on access rights.

Written by IT Services. Latest revision 11 August 2017