1 JoJodal

User Rights Assignment Backup Exec Backup

b. If a new account is desired, select New | User, and enter all the appropriate settings such as the account name and password. Click Next twice, and then click Finish. To configure the existing account, locate that account and continue to step c.

c. Open the Users folder, right-click the user, and click Properties

d. Click on the Member Of tab, confirm/add the Administrators

e. If Domain Admins is not the primary group, select Domain Admins and click Set Primary Group

f. Ensure that all other groups besides Administrators, Domain Admins, such as Domain Users are removed. Do not remove Schema Admins or Enterprise Admins (if listed)

g. The account should also have the Log on as a service right. For detailed instructions on granting this user right, see the Related Documents section

2. Go to Control Panel | Administrative Tools | Services

3. Stop all Backup Exec services

4. Enter the correct forest level Backup Exec service account name and password for all Backup Exec services

5. Restart all Backup Exec services

6. After resetting services, open Backup Exec and run a test backup of a remote System State and monitor for success.

Note: If access is not needed at the forest level, the account should be created on the domain controller of the highest level domain requiring backups from the Backup Exec server in question.


1. Login on the Backup Exec server with the Backup Exec Service Account.

2. Open a command prompt console and run the command:  gpresult /Z >C:\permission.txt

3. Open the permission.txt file in the "C:\ Drive" and confirm that the account has all the necessary rights assigned to it. It is recommended that the Backup Exec Services account has ALL of  the following rights. 

Local Administrators group
Domain Admins Group
Act as part of the operating system (For Windows 2000 only)
Backup files and directories
Create a token object
Logon as a batch job (For Windows 2008 only)
Logon as a service
Manage auditing and security log
Restore files and directories
Take ownership of files and other objects

Also make sure the account is not added under :
-Deny logon as a service
-Deny logon as a batch

This is important because the DENY takes precedence over allow.

Error Message

Access denied or Cannot logon to windows system




Required permissions are missing





If the account is missing any of the permissions/rights mentioned above, use the Group Policy Editor or the Local Policy Editor to grant the necessary rights to the account. Use the GPUPDATE commands to update the policy. Log off and Log in again with the BESA. Rerun the gpresult /Z command to confirm that now the rights are assigned.

Applies To

Microsoft Windows



Related Articles

How to define/grant the required user rights/permissions for a Backup Exec Service Account (BESA)

Requirements for the Backup Exec Service Account (BESA).

Leave a Comment


Your email address will not be published. Required fields are marked *