User Accounts and Passwords

Topics | How To | Related Topics


Overview

CommCell Accounts

MediaAgent Accounts

Active Directory iDataAgent

ContinuousDataReplicator

Data Classification

DB2 iDataAgent

Exchange Agents (Exchange Compliance Archiver, Exchange Database, Exchange Mailbox, Exchange Mailbox Archiver, Exchange Public Folder, Exchange Public Folder Archiver, Exchange Web Folder)

File Archiver for Windows

Image Level iDataAgent

Image Level ProxyHost iDataAgent

Informix iDataAgent

Lotus Domino Server iDataAgents

Microsoft Data Protection Manager iDataAgent

Microsoft SQL Server iDataAgent

Microsoft Windows File System iDataAgent

NAS NDMP Agents (BlueArc, EMC Celerra, Hitachi, NetApp)

NetWare Server iDataAgents (File Archiver for NetWare, GroupWise, NetWare File System, Novell Directory Service)

Oracle iDataAgents (Oracle, Oracle RAC, SAP for Oracle)

ProxyHost iDataAgent

Quick Recovery Agents

Serverless Data Manager iDataAgent

SharePoint Agents (SharePoint Archiver, SharePoint Database, SharePoint Document)

Sybase iDataAgent

Other Considerations

Audit Trail

Important Considerations


Overview

User accounts and passwords can be administered for various components of the product, including the CommServe, MediaAgents, and agents. These accounts and passwords allow you to perform various operations per the affected component. In some cases, user accounts and passwords are established during the install of the specific component, and in most cases they can be changed after the install via various operations from the CommCell Browser. To this latter end, you can use the CommCell Browser to populate either account-like dialog boxes or spaces within other types of dialog boxes with this information.


CommCell Accounts

CommCell Network Password

The CommCell network password is an internal security measure used to ensure that communications occur only between CommCell computers. By default, the software assigns each computer in the CommCell a different password. You can, at any time, define a new CommCell network password for any computer in the CommCell. Although you do not need to know the existing password to define a new one, you do need to have administrative privileges.

The CommCell network password can be changed from the Change System Password dialog box.

The CommCell network password can be changed from the Change Network Password dialog box. See Change the CommCell Network Password for step-by-step instructions.


Automatic Updates

The CommServe uses an account to access updates. This account can be changed from the User name and password dialog box. See Change Account for Accessing Updates for step-by-step instructions.


Maintenance Advantage Page

You can prepopulate user credentials to access the Maintenance Advantage web site automatically. See Change Account for Accessing the Maintenance Advantage Page for step-by-step instructions.


Job Results Directory

On Windows clients, you can use and change an Impersonate User account to access the Job Results Directory for the client. See User Impersonation for Accessing the Job Results Directory for more information.


Domain Controller

You can use and change the account to register a domain controller with the CommServe. To register a domain controller, you must administer Name Servers in the CommCell Browser. You must register a domain controller to authenticate Single Sign On or to configure the Search Console for Content Indexing and Search. See Change Account to Register a Domain Controller with the CommServe for step-by-step instructions.


MediaAgent Accounts

Media Password

The Media Password is used to enforce credentials while using the Media Explorer (DR Tool) to restore data from a media. This password prevents the unauthorized access of data from media. The password is assigned during the installation of the CommServe and can be changed, and it becomes necessary in the case of a disaster. The password is stored as an encrypted string on the On Media Label (OML) of the tape, and the information for the password (including the SQL metadata, etc.) is stored encrypted in the OML of the tape and in the SQL database.

Only one media password is allowed per media. If you changed the media password, it will be effective for the next media. Keep in mind that the existing media can be accessed using only the old media password.

The Media Password can by changed from the Change System Password dialog box. See Change the Media Password for step-by-step instructions.

If you want to provide more security by not allowing anyone else to read and decipher data on the media, you may want to enable Data Encryption.

Index Cache Account

If you have a shared index cache, you will require a user account to access the shared index. See Shared Index Cache for more information.


Active Directory iDataAgent

The Active Directory account information is used to verify the rights to back up and restore data from the Active Directory Server. This information is initially assigned by the user during the installation of the iDataAgent.

If necessary, you can change the options established during installation or setup a non-administrator account from the CommCell Console. (See Change Account for Accessing Application Servers/Filers for step-by-step instructions.)

It is necessary to use an account with sufficient privileges. If a user account does not have sufficient privileges, Active Directory jobs may fail either in whole or part. Consider the following analysis before setting up an account for the Active Directory iDataAgent.

Administrator account Non-Administrator account
As Administrative rights are provided by default, this account does not require additional rights. Must have Administrative rights in the Domain Controller.

You must specify an account that already exists. If the desired account does not exist, you must create it in the Active Directory Domain Controller. The account must be a member of the Domain Administrator group or have Read, Change, and Create Child Objects permissions for the Active Directory domain.

Once the account is created, edit the Active Directory Agent Properties from the CommCell Console and provide one of the following:

  • A valid user account information. Note that this account must exist in the Active Directory Domain.
  • The the correct path to the user using the LDAP path of the desired account as the user name. (e.g., CN=administrator, CN=users, DC=company, DC=com)

Other User Accounts


ContinuousDataReplicator

You can define a user or an account with permissions to execute Pre/Post commands when creating Recovery Points. See Pre-Post User Impersonation for Data Protection and Recovery Operations for more information.


DB2 iDataAgent

To perform data protection and recovery operations, the DB2 iDataAgent requires a user account with one of the following privileges to access the DB2 application and database:

This account must already be set up on the client. Additional accounts should be established by the DB2 database administrator. To establish additional accounts on your own, consult the appropriate DB2 application documentation.

The user account can be added or modified from the CommCell Console using Instance Properties or Backup Set Properties. This allows you to regulate the number of databases accessed per specified user. See Create/Modify an Instance, Configure a Backup Set/Archive Set, and Change Account for Accessing Databases/Applications for step-by-step instructions.

Other User Accounts

The following pertains to DB2 on Windows:


Data Classification

See File Archiver for Windows.


Exchange Agents

To perform data protection and recovery operations, various Exchange agents require a user account to log on to the related server to access the data. The affected agents include: Exchange Mailbox, Exchange Public Folder, Exchange Compliance Archiver, Exchange Mailbox Archiver and Exchange Public Folder Archiver. The account must have Exchange administrator privileges.

This account information is input during the Exchange agent install.

The account must already be set up on the client. Additional accounts should be established by the Exchange database administrator. To establish additional accounts on your own, consult the appropriate Exchange application documentation.

The user account can be added or modified from the CommCell Console at the agent level. See Change Account for Accessing Application Servers/Filers for step-by-step instructions.

Other User Accounts


File Archiver for Windows

For File Archiver for Windows with Data Classification, you can specify a user account to authenticate against the Active Directory domain users whose files you want to archive. See Use Users and User Groups - Data Classification Enabler for an overview.

Other User Accounts


Image Level iDataAgent

The following pertain to Image Level on Windows:


Image Level ProxyHost iDataAgent


Informix iDataAgent

To perform data protection and recovery operations, the Informix iDataAgent requires a user account to access the Informix application and database. This account must have administration privileges (default) or Informix administration privileges.

The account must already be set up on the client. Additional accounts should be established by the Informix database administrator. To establish additional accounts on your own, consult the appropriate Informix application documentation.

The user account can be added or modified from the CommCell Console using Instance Properties. See Create/Modify an Instance and Change Account for Accessing Databases/Applications for step-by-step instructions.


Lotus Domino Server iDataAgents


Microsoft Data Protection Manager iDataAgent

You can define an account with permissions to execute Pre/Post commands for the agent's archive, backup, or volume creation jobs. See Pre-Post User Impersonation for Data Protection and Recovery Operations for more information.


Microsoft SQL Server iDataAgent

To perform data protection and recovery operations, the SQL Server and SQL Server 2005 iDataAgents require a user account to access the SQL Server application and database. The account must have the following privileges:

The account must already be set up on the client. Additional accounts should be established by the SQL database administrator. To establish additional accounts on your own, consult the appropriate Microsoft SQL Server application documentation.

The user accounts can be added or modified from the CommCell Console using Instance Properties. See Create/Modify an Instance and Change Account for Accessing Instances for step-by-step instructions.

Other User Accounts


Microsoft Windows File System iDataAgent

Considerations When Using a Windows User to Run Operations

For an overview, see Services: Running Services Using a Windows User.

Backup

Generally, to run backups , the user must be either an administrator or a member of the Backup Operators group. Each such member acquires backup rights. Backup operators (or Service Users) are designed to have full control to the registry and the install folder.

To back up the System State data, the service user must be either an administrator or a backup operator. Also, system state backups require backup operator group permissions on the HKLM\SYSTEM\SETUP key to enable system-protected file backups.

The 1-Touch component of system state backups will fail whenever you run services as a backup operator. As a workaround, either skip backing up 1-Touch information during system state backups by using the SKIP_1TOUCH_BACKUP registry key, or run the backups using the local system account.

An administrator or a backup operator in a local group can back up any file and folder on the local computer to which the local group applies. An administrator or backup operator on a domain controller can back up any file and folder on any computer in the domain or any computer in a domain where a two-way trust relationship exists.

To back up files if you are not an administrator or a backup operator, you must be the owner of the files and folders you want to back up or have one or more of the following permissions for the files and folders you want to back up: Read, Read and execute, Modify, or Full Control.

You must enable backup operator access to the registry and directory.

To add a user to the Backup Operators Group on a domain controller, use Active Directory users and computers.

Also, on a domain controller, you may need to modify the Domain Controller Security Policy since a domain controller overrides the Local Security Policy. In addition, when you set the policy for DC security policy, this policy adds itself to the local policy as an "Effective Policy Setting". This means the domain controller is using a policy that has overwritten the Local Policy Setting.

See Set Up or Modify User Permissions and Rights for more information.

Restore

Generally, only restore rights are required to restore files. For a Windows 2000 Server, these rights are inherited by backup operators. For a Windows 2003 Server, you must add backup operators to the 'Restore Files and Folder' Local Security Policy.

To restore System State data, one of the following must be true: the service user is a local administrator, or Services will be run as a local system. See Set Up or Modify User Permissions and Rights for more information.

Set Up or Modify User Permissions and Rights

See the following procedures as appropriate:


NAS NDMP Agents

To perform data protection and recovery operations, the NAS NDMP agents require a user account to log on to the related file server to access the data. The user account depends upon the file server being accessed.

Where appropriate, the user account can be added or modified from the CommCell Console at the agent level. See Change Account for Accessing Application Servers/Filers for step-by-step instructions.

Other User Accounts

The following pertains to File Share Archiver:


NetWare Server iDataAgents

To perform data protection and recovery operations, the NetWare Server agents require a user account to log on to the related server to access the data. This account information is input during the NetWare Server iDataAgent install.

This account must already be set up on the client. Additional accounts should be established by the NetWare Server administrator. To establish additional accounts on your own, use the appropriate NetWare administration tool or consult the appropriate NetWare Server application documentation.

The user account can be added or modified from the CommCell Console at the agent level. See Change Account for Accessing Application Servers/Filers for step-by-step instructions.

Other User Accounts


Oracle iDataAgents

To perform data protection and recovery operations, the Oracle and SAP for Oracle iDataAgents require two user accounts. The Oracle RAC iDataAgent requires the latter of these user accounts. These accounts include:

The above mentioned accounts must already be set up on the client. Additional accounts (except Impersonate User) should be established by Oracle database administrator. To establish additional accounts on your own, consult the appropriate Oracle application documentation.

See Create/Modify an Instance, Change Instance Details, and Change Account for Accessing Databases/Applications for step-by-step instructions.

Other User Accounts

The following pertain to Oracle on Windows:


ProxyHost iDataAgent


Quick Recovery Agents

Exchange

To perform data protection and recovery operations, the Quick Recovery Agent with Exchange requires a user account to log on to the related server to access the data. The account must have either of the following privileges:

This account information is input during the Exchange agent install.

The account must already be set up on the client. Additional accounts should be established by the Exchange database administrator. To establish additional accounts on your own, consult the appropriate Exchange application documentation.

You can select an Exchange application and change the associated user account from the CommCell Console at the agent level. Also, if you are including another Exchange Server, you can change the Exchange Server Name. See Change Account for Accessing Application Servers/Filers for step-by-step instructions.

Also, consider the following:

Microsoft SQL Server

To perform data protection and recovery operations, the Quick Recovery Agent with SQL Server requires a user account to access the SQL Server application and database. The account must have the following privileges:

The account must already be set up on the client. Additional accounts should be established by the SQL database administrator. To establish additional accounts on your own, consult the appropriate Microsoft SQL Server application documentation.

You can select a SQL Server application and change the associated user account from the CommCell Console at the agent level. See Change Account for Accessing Application Servers/Filers for step-by-step instructions.

Also, consider the following:

NAS

For the Quick Recovery Agent with NAS, you can change from the agent level the account for discovering network drives. This account has permissions on both the NAS data server and the Quick Recovery Agent machine. In effect, this account also has permissions on the CIFS shares that are backed up.

Since the NAS data server and the Quick Recovery Agent machine can never be the same machine, the account is a network (and not a local) account. Therefore, since the account has permissions on both machines, the machines must either be in the same domain or have an appropriate trust set up.

See Change Account for Discovering Network Drives for step-by-step instructions.

Oracle

To perform data protection and recovery operations, the Quick Recovery Agent with Oracle requires an Impersonate User account with administrator privileges to access the Oracle application and database. The account must already be set up on the client.

You can add/select an Oracle instance and add/modify the associated user account from the CommCell Console at the agent level. See Change Account for Accessing Databases for step-by-step instructions.

Other User Accounts


Serverless Data Manager iDataAgent

You can define an account with permissions to execute Pre/Post commands for the agent's archive, backup, or volume creation jobs. See Pre-Post User Impersonation for Data Protection and Recovery Operations for more information.


SharePoint Agents

To perform data protection and recovery operations, the SharePoint agents require a user account to log on to the related file server to access the data. This account must have the required rights to create and modify SharePoint databases.

For the SharePoint iDataAgents and SharePoint Archiver, consider the following.

The Base Services of the client will run under the user account that is specified. Use an account that meets this criteria:

In addition, this account must have "Log on as Service" permissions to ensure the Communication (CVD) Services will start. For more information on Base and Communication (CVD) Services, see Services.

Refer to the Knowledge Base article, ID #10573, Galaxy Service Account User Information for Windows 2003 and Window Server 2003 clients available from the Maintenance Advantage web site.

This account must already be set up on the client. Additional accounts should be established by the SharePoint database administrator. To establish additional accounts on your own, consult the appropriate SharePoint application documentation.

The user account can be added or modified from the CommCell Console at the agent level.

For SharePoint Database, you can change:

For SharePoint Document, you can change the Administrator Account.

See Change Account for Accessing Application Servers/Filers for step-by-step instructions.

Other User Accounts


Sybase iDataAgent

To perform data protection and recovery operations, the Sybase iDataAgent requires two user accounts. They are:

These accounts must already be set up on the client. Additional accounts should be established by the Sybase database administrator. To establish additional accounts on your own, consult the appropriate Sybase application documentation.

The user accounts can be added or modified from the CommCell Console using Instance Properties. See Create/Modify an Instance and Change Account for Accessing Instances for step-by-step instructions.


Other Considerations

Please note the following issues.


Audit Trail

The following operations are recorded in the Audit Trail, if Audit Trail is enabled:

See Audit Trail for more information.


Important Considerations

If you are getting invalid password errors and you are sure that your password is correct, try changing your password.

Back To Top