Julian Hansen asked:

Unable to set user privileges in 2008 environment

I am trying to assign the backup and restore privilege to some users on our network. No matter what I do the required privileges are not set.

Steps taken
1. Open gpmc.msc
2. Under Default Domain Policy (or any other policy I create) Edit GPO
3. Policies -> Windows Settings -> Security Settings -> Local Security Policy -> User Rights Assignment: I enable the Backup Files and Directories right and the Restore Files and Directories right and assign a group to them (I have tried Domain Users, Authenticated Users, and the actual name of an account logging on)
4. Run gpupdate /force on the machine being logged onto

When I log on with one of the accounts I want to have the privileges and run a program which dumps the privileges assigned to the user token, neither the backup nor the restore privilege is there.

I have successfully done this in a Win2k3 environment without problems.

I even tried copying the Administrator account and trying with that - no joy, it did not work. The Administrator account has the privileges I am looking for.

Windows Server 2008

Last Comment
Julian Hansen

8/22/2022 - Mon
SOLUTION
LegendZM

ASKER
Julian Hansen

1. Tried BU Ops - did not work
2. This is for an app we have written for a client - we have to cater for the possibility they don't want to put users in the Backup Operators group
SOLUTION
tigermatt

ASKER
Julian Hansen

This is where I think I am missing something.

I have reduced the GPOs down to 2:

Default Domain and Default Domain Controllers

The latter is linked under the Domain Controllers object, and the server I am testing on is a DC in this object.

When I do an RSoP on the Domain Controller I get the settings that are in the Default Domain Controllers GPO.

When I do an RSoP on the user account I am using I get:

For backup files -> Remote Desktop Users
For Restore files -> Authenticated Users

Neither of these is enabled on either of the GPOs above and there are no other GPOs defined.

Even though the account I am using is in both of these groups and the account is specified in the Default Domain Controllers GPO for backup files, when I do a dump of privileges when logged on with the test account the only privileges assigned are as follows:

Token's privileges (5 total):
  SeShutdownPrivilege (0x13) = disabled
  SeChangeNotifyPrivilege (0x17) = [enabled by default]
  SeUndockPrivilege (0x19) = disabled
  SeIncreaseWorkingSetPrivilege (0x21) = disabled
  SeTimeZonePrivilege (0x22) = disabled
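
Added example, not part of the original thread or the asker's attached program: a Python check that cross-references a `secedit /export /areas USER_RIGHTS` export with the token dump format posted above, flagging rights that policy grants to a SID in the token but that the token lacks. The INF content and group SIDs are constructed to mirror the RSoP result described; only the token dump is copied from the post.

```python
import re

# Constructed sample of a `secedit /export /areas USER_RIGHTS` file, mirroring the
# RSoP result above (backup -> Remote Desktop Users, restore -> Authenticated Users).
SECEDIT_INF = """\
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11
SeBackupPrivilege = *S-1-5-32-555
SeRestorePrivilege = *S-1-5-11
[Version]
signature="$CHICAGO$"
"""
# Constructed group SIDs for the test account's token (as `whoami /groups` lists them).
TOKEN_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-32-555"}
# Token dump as posted above.
TOKEN_DUMP = """\
Token's privileges (5 total):
  SeShutdownPrivilege (0x13) = disabled
  SeChangeNotifyPrivilege (0x17) = [enabled by default]
  SeUndockPrivilege (0x19) = disabled
  SeIncreaseWorkingSetPrivilege (0x21) = disabled
  SeTimeZonePrivilege (0x22) = disabled
"""

def parse_rights(inf_text):
    """Return {right: set of SIDs} from [Privilege Rights] (assumes '*SID' entries)."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def parse_token(dump):
    """Return {privilege: state} from lines like 'SeXxx (0x13) = disabled'."""
    pat = re.compile(r"^\s*(Se\w+)\s+\(0x[0-9a-fA-F]+\)\s*=\s*(.+?)\s*$", re.M)
    return dict(pat.findall(dump))

def missing_rights(inf_text, token_sids, dump, wanted):
    """Rights that policy grants to a SID in the token but the token does not hold."""
    policy, token = parse_rights(inf_text), parse_token(dump)
    # A privilege listed as "disabled" is still present in the token; only absence counts.
    return sorted(r for r in wanted if policy.get(r, set()) & token_sids and r not in token)

if __name__ == "__main__":
    wanted = ["SeBackupPrivilege", "SeRestorePrivilege", "SeChangeNotifyPrivilege"]
    for right in missing_rights(SECEDIT_INF, TOKEN_SIDS, TOKEN_DUMP, wanted):
        print(f"{right}: granted by policy to a SID in the token, but absent from the token")
```
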
Netman66

First off, where is this User Account located?

When you do an RSoP on the User, it reflects the Policies that influence the User not those in the Default Domain Controllers policy.

If you create a new Security Group, then use the Default Domain Controllers Policy to change both of those Group Policy elements (Backup files and directories & Restore files and directories) by adding that new group into them, you must then reboot the DC in order for that to take effect.

You also need to add this new group to the Log on Locally element in the same GPO, otherwise the user cannot log onto the console session of the server to back up.

Now, add your user account into that Security Group.

As tigermatt states, why not use the Backup Operators group? - it's effectively the same as doing the above except you don't have another redundant group to take care of.

ASKER
Julian Hansen

Netman

Thanks for the feedback.

We have tried the above - rebooted the DC several times, tried every combination of adding users to groups etc - no effect.

The thing is this is not a problem on Win2k and Windows 2003. Our product has been working perfectly in those environments. It is only in the 2008 environment that we cannot get the rights to stick. The RSoP shows that the policy should be applied but when the user logs on the right is not applied.

The only thing we could think of was that some change in Win2008 prevents this action on a DC or some other similar reasoning.

Will try the backup operators group and come back to you.
ASKER
Julian Hansen

I need to close this question

I will award points if someone can tell me either way if there has been a security change in Windows 2008 that could cause this problem or if there have been no changes and that if the same procedure works on 2003 then it should work on 2008.

If possible, can someone do a test on a Windows 2008 server (DC) and see if a GPO-assigned user right of backup and restore propagates to a normal user on logon? I have a test program that will display available rights for a logged-on user if that would be useful (see attached - attached the project rather than a compiled file for obvious reasons).

I want to assign points on this one - but I need something that will at least take me forward from where I am.

I really appreciate the time taken so far to submit answers.

Thanks
gtp.zip
ASKER CERTIFIED SOLUTION
ASKER
Julian Hansen

Still have no answer but don't have the time to investigate right now. Thanks to those who responded - I have divided points equally