Backup operators privileges added to user are getting reflected or applied.

sm12345

New Member
AD :Backup operators privileges added to user are getting reflected or applied.
The user is added to the Backup Operators privilege member group, but the privileges are not being reflected in the CLI.
Below are the configuration, expected, and actual privileges.
Config: the bo user is a member of the Backup Operators group.


[screenshot]


Expected Permissions:
SeBackupPrivilege
SeRestorePrivilege
SeChangeNotifyPrivilege

[screenshot]


Actual Permissions:



[screenshot]





This was working fine till the 2nd-3rd week of December, but this is not working in the last few days. Tried with different Windows VMs.

Windows image: windows-server-2022-dc-v20231115

I am trying to use the below documents as reference for validation: Backup User
 
It seems that you are experiencing an issue where the Backup Operators privileges added to a user are not being reflected or applied. Based on the provided information, let's try to troubleshoot the problem.

Firstly, let's verify the configuration to ensure that the user is a member of the Backup Operators group. From the screenshots you provided, it appears that the user is indeed a member of the group.

Now let's compare the expected permissions of the Backup Operators group with the actual permissions that the user has. According to the expected permissions, the user should have the following privileges:

- SeBackupPrivilege
- SeRestorePrivilege
- SeChangeNotifyPrivilege

From the actual permissions screenshot, it seems that none of these privileges are present for the user. This suggests that the user is not receiving the expected privileges.

To further investigate this issue, we can try the following steps:

1. Check if there are any Group Policy settings that override the privileges assigned to the Backup Operators group. Group Policy settings can override local settings and prevent the expected permissions from being applied. Review any Group Policies that may be in effect and verify if they modify the Backup Operators group privileges.

2. Ensure that the user account is not explicitly denied any of the expected privileges. Denying a privilege to a user can override any group memberships that would normally grant that privilege.

3. Verify if the user account is part of any other groups that may have conflicting privileges. Group memberships can add or remove privileges, so it's important to ensure that there are no conflicting privileges being applied through other group memberships.

4. Check the event logs for any relevant errors or warnings that may provide more information about the issue. Look for events related to privilege changes or any other events that might explain why the expected privileges are not being applied.

5. Test the same scenario on a different Windows VM to see if the issue is specific to the current VM or if it occurs on other VMs as well. This can help determine if the issue is related to the VM configuration or if it's a broader issue.

Lastly, regarding the reference documentation you provided, it seems to be related to ANF (Azure NetApp Files) backup policies. While ANF may have its own specific requirements and configurations for backup operations, it's important to ensure that the Windows Server configurations are correctly set up for the Backup Operators group privileges before considering any ANF-specific configurations.

I hope the above steps help in troubleshooting the issue and identifying the root cause. Let me know if you have any further questions or need additional assistance.
 
'Backup Operators' is a privileged role, so it basically requires the same UAC prompt process to create a privileged user session token, and it's done on a process-by-process basis. The same is true of the Administrators group: you run as a basic user until elevated rights are needed.

Test case
Open a command prompt normally and run whoami /priv

Now open a command prompt with 'run as administrator', re-enter the bo user password, and run whoami /priv again. That process will have the additional privilege since the process's token has elevated rights.
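
The test case in the last reply can be scripted. The following is an added example, not part of the thread: it classifies a session from `whoami /groups /fo csv` and `whoami /priv /fo csv` output. The function name and the sample rows are constructed for illustration, and the "deny only" match assumes an English-language Windows install.

```powershell
# Added example (not from the thread): decide whether the current token is the
# UAC-filtered one or the elevated one for a Backup Operators member.
function Test-BackupOperatorToken {
    param(
        [Parameter(Mandatory)] [string[]] $GroupsCsv,  # whoami /groups /fo csv
        [Parameter(Mandatory)] [string[]] $PrivCsv     # whoami /priv /fo csv
    )
    # Privileges the original post expects to see.
    $expected = 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeChangeNotifyPrivilege'

    $groups = $GroupsCsv | ConvertFrom-Csv
    $privs  = $PrivCsv   | ConvertFrom-Csv

    # S-1-5-32-551 is the well-known SID of BUILTIN\Backup Operators.
    $bo      = $groups | Where-Object { $_.SID -eq 'S-1-5-32-551' }
    $present = @($privs | ForEach-Object { $_.'Privilege Name' })
    $missing = @($expected | Where-Object { $_ -notin $present })

    # In a UAC-filtered token the group is still listed, but only for deny checks
    # (assumption: English attribute text "Group used for deny only").
    $state = if (-not $bo) { 'NotMember' }
             elseif ($bo.Attributes -match 'deny only') { 'FilteredToken' }
             elseif ($missing.Count -eq 0) { 'Elevated' }
             else { 'MemberButPrivilegesMissing' }

    [pscustomobject]@{ State = $state; Missing = $missing }
}

# Constructed sample: what a non-elevated prompt typically reports.
$sampleGroups = @(
    '"Group Name","Type","SID","Attributes"'
    '"BUILTIN\Backup Operators","Alias","S-1-5-32-551","Group used for deny only"'
    '"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"'
)
$samplePriv = @(
    '"Privilege Name","Description","State"'
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
    '"SeIncreaseWorkingSetPrivilege","Increase a process working set","Disabled"'
)
Test-BackupOperatorToken -GroupsCsv $sampleGroups -PrivCsv $samplePriv

# Live check in the current prompt:
# Test-BackupOperatorToken -GroupsCsv (whoami /groups /fo csv) -PrivCsv (whoami /priv /fo csv)
```

A `FilteredToken` result points to the non-elevated prompt described in the reply; `MemberButPrivilegesMissing` from an elevated prompt points instead at user rights assignment, such as the Group Policy checks listed in the earlier reply.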
 