Backing Up in Windows as a Non-Administrative User

1. Introduction

Although TSM/IBM Spectrum Protect can back up an entire machine's filestore only when running under an administrative account, it can also be run under a non-administrative account, subject to the restrictions described below.

2. Backup Operators group

Non-administrative users need to be added to the 'Backup Operators' group, which allows them to bypass file security restrictions for the sole purpose of backing up and restoring files.

Users must have read-write access to the dsmerror.log, dsmsched.log and dsmwebcl.log files, and read-write permissions on the C:\Program Files\tivoli\tsm\baclient folder, in order to avoid the warning message that dsmerlog.pru and/or dsmsched.pru cannot be written. In practice, if you grant users read-write access to the baclient folder under C:\Program Files\tivoli\tsm, that permission is inherited by the files in the folder.

If you have been performing Windows System State backups with an account which is a member of the Administrators group and if you want to subsequently start doing backups or restores with an account which is a member of the Backup Operators group, you must delete the staging directory, C:\adsm.sys, before attempting backups or restores of the System State or System Services as a member of the Backup Operators group.

If you have existing backups from a TSM 5.2 or previous client and you attempt an incremental backup of an existing file space with a member of the Backup Operators group, all of the data will appear as changed and it will be resent to the Tivoli Storage Manager Server.

Members of the Backup Operators group might not be able to back up or restore file data that was encrypted by an Administrator account using the Windows encrypting file system (EFS).

Members of the Backup Operators group do not have the proper authority to update the last access time for files that are encrypted with the Windows encrypting file system (EFS). If EFS files are restored by a member of the Backup Operators group, the last access time will not be preserved.

Members of the Backup Operators group do not have the authority to set up and run the TSM scheduler service.

3. To run a backup from an account belonging to the Backup Operators group

  • Add the account to the Backup Operators group.
  • Ensure that the account has Write rights on the installation folder C:\Program Files\Tivoli\TSM\baclient\.
  • Ensure that the Backup Operators group has the following rights (via [Administrative Tools] > [Local Security Policy] > [Local Policies] > [User Rights Assignment]):
    Back up files and directories
    Restore files and directories
    Manage auditing and security logs

    Note that by default, this group does not have the last of these rights (Manage auditing and security logs), and so it should explicitly be given this.

  • This account should now be able to back up all files local to the machine. However, some Windows system objects such as Active Directory still require administrative privileges to perform backups.
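The three prerequisites above (group membership, write access on the baclient folder from section 2, and the user rights assignment including the non-default "Manage auditing and security log" right) can be applied and checked from an elevated PowerShell session. The script below is an added example, not part of the original IT Services page or of IBM's documentation; the account name CONTOSO\backupsvc and the working directory are placeholders, and the user rights are applied with secedit because Windows ships no built-in cmdlet for User Rights Assignment.

```powershell
# Added example (not from the original page): apply and verify the prerequisites
# for running the TSM client as a member of Backup Operators.
# Run from an elevated PowerShell: changing group membership, ACLs and
# user-rights assignments requires administrative rights.
param(
    [string]$Account   = 'CONTOSO\backupsvc',                     # placeholder account
    [string]$ClientDir = 'C:\Program Files\Tivoli\TSM\baclient',  # path given on the page
    [string]$WorkDir   = "$env:TEMP\tsm-rights"                   # placeholder scratch dir
)

$BackupOperatorsSid = 'S-1-5-32-551'   # well-known SID of BUILTIN\Backup Operators

# 1. Group membership: add the account only if it is not already a member.
$members = Get-LocalGroupMember -Group 'Backup Operators' -ErrorAction Stop
if ($members.Name -notcontains $Account) {
    Add-LocalGroupMember -Group 'Backup Operators' -Member $Account
    Write-Output "Added $Account to Backup Operators"
} else {
    Write-Output "$Account is already a member of Backup Operators"
}

# 2. Write access on the baclient folder, inherited by dsmerror.log, dsmsched.log,
#    dsmwebcl.log and the .pru files. Modify (not FullControl) is granted so the
#    account can write the logs but cannot change the folder's own permissions.
$acl  = Get-Acl -Path $ClientDir
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $ClientDir -AclObject $acl
Write-Output "Granted Modify (inherited) on $ClientDir to $Account"

# 3. User rights. Backup Operators hold SeBackupPrivilege and SeRestorePrivilege
#    by default; SeSecurityPrivilege ("Manage auditing and security log") must be
#    added explicitly. Export the current policy, patch the [Privilege Rights]
#    section, and re-import only if something actually changed.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$cfg = Join-Path $WorkDir 'rights.inf'
$db  = Join-Path $WorkDir 'rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$lines   = Get-Content -Path $cfg
$changed = $false
foreach ($priv in 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeSecurityPrivilege') {
    # Exported lines look like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    $idx = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -like "$priv *") { $idx = $i; break }
    }
    if ($idx -lt 0) {
        # Right currently assigned to nobody: create the line directly under the
        # [Privilege Rights] header (the [Version] section follows it in the export).
        $section = [array]::IndexOf($lines, '[Privilege Rights]')
        $lines   = $lines[0..$section] + "$priv = *$BackupOperatorsSid" +
                   $lines[($section + 1)..($lines.Count - 1)]
        $changed = $true
    } elseif (-not $lines[$idx].Contains("*$BackupOperatorsSid")) {
        $lines[$idx] = $lines[$idx] + ",*$BackupOperatorsSid"
        $changed = $true
    }
}
if ($changed) {
    Set-Content -Path $cfg -Value $lines -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    Write-Output 'Updated User Rights Assignment for Backup Operators'
} else {
    Write-Output 'Backup Operators already hold all three rights'
}

# 4. Rights are placed in the logon token, so the account must log off and on
#    again before they take effect. The account can then confirm with:
Write-Output "After $Account logs on again, check its privileges with: whoami /priv"
```

Running `whoami /priv` as the backup account afterwards should list SeBackupPrivilege, SeRestorePrivilege and SeSecurityPrivilege; they show as Disabled until a process such as the TSM client enables them, which is normal. The script grants the account itself only Modify on the client folder, so the hardening point of the page (a non-administrative account) is preserved: none of these steps put the account in the Administrators group.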

Note that, as a consequence of running a backup as a non-administrative user, you will be prompted for the TSM/IBM Spectrum Protect password even if PasswordAccess is set to Generate in the client options file. This is because the account does not have rights to read the encrypted password stored in the Registry.

The README notes from IBM on this subject are reproduced in the following document on access rights.

Written by IT Services. Latest revision 5 October 2017