Minimum Agent and plug-in permissions

Agent software requires sufficient permissions to back up and restore files. The following table lists the minimum permissions required for specific Agents and plug-ins.

Product

Required Permissions

Windows Agent

The account for running Agent services must:

      belong to the Backup Operators group

      have the “Log on as a service” right

      have the “Replace a process level token” right

To back up files and folders locally, the account must have read/write access to files and folders on the system.

To back up files and folders in UNC locations, the account must have read/write permissions to the UNC locations, including security streams. Security streams might not work in some places unless the account is an Admin equivalent.

If you are using Encrypting File System (EFS), additional permissions are required. After installing the Agent, you must change local security settings or the default domain policy. The service account must have the “Act as part of the operating system” right and the “Log on as a service” right. If the service account does not have the correct permissions, the service is denied access. ACLs for all subsequent files might not be backed up and error messages might appear in the log.

Note: When you install, modify, repair or upgrade an Agent, the Agent installation kit sets or resets permissions on the Agent folder and all child items to full access for the Administrators and Backup Operators groups. Using the Modify option, the user can install Agent services under a local system account or another account that is created manually or automatically. For non-local system accounts, the created account is modified to be part of the Administrators group. If a user requires access to Agent services, the user should be included in the Administrators or Backup Operators group.

Exchange Plug-in

The account specified during the Windows Agent and Plug-in installation must belong to the following groups:

      Exchange Organization Administrators

      Group Policy Owners

      Schema Admins

      Enterprise Admins

      Domain Admins

SQL Plug-in

The account specified during the Windows Agent and Plug-in installation must have the public server role to perform full backups.

The account must have the "sysadmin" role to perform transaction log backups.

Linux Agent

The Linux Agent requires read permissions to back up a file and write permissions to restore a file.

To back up files that belong to the root account, root permissions are required.

Hyper-V Agent

All Hyper-V Agent services run under the LocalSystem account. The account for the Hyper-V Agent cannot be changed.