V11 SP8

User Account and Password Management - Advanced

Overview

User accounts and passwords can be modified for CommServe, MediaAgents, and agents. In most cases, user accounts and passwords are established during the install of the specific component. If necessary, they can be changed after the install from the CommCell Console. The following sections describe the user account information that can be modified.

CommCell

Changing the CommCell Administrator Password

You may need to update the administrator password when you have an aging policy for passwords or when a new administrator decides to use the same account as the former administrator.

Use the following steps to change the password for the CommCell administrator:

  1. From the CommCell Browser, go to Security > CommCell Users.
  2. Right-click the administrator account and click Properties.

    The User Properties dialog box appears.

  3. Select the Change Password check box.
  4. In the Password field, enter the password and in the Confirm Password field, re-enter the password.

    Note: To set strength requirements for passwords, see Setting Strength Requirements for User Passwords.

  5. Click OK.

    The Enter Password dialog box appears.

  6. Enter the current administrator password.
  7. Click OK.

SQL Accounts Created during CommServe Installation

When you install the CommServe, the software creates specific SQL accounts to import Dynamic-Link Library (DLL) files to the CommServe database. This applies to any CLR DLL files in the SQL Server.

The software creates the following SQL accounts:

  • CVDBCLRLogin
  • CVDM2DBCLRLogin
  • CVDM2XMLMsgLogin
  • CVManagedLoggerLogin

As these accounts are used internally by the software, you cannot use them to log on to the CommCell. By default, these accounts have no password.
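
Because these accounts have no password by default, it is worth confirming how they exist on the SQL Server instance. The T-SQL below is an added audit example, not part of the Commvault documentation or software: for each of the four accounts listed above it reports the principal type, whether it is disabled, whether it is a SQL-authenticated login with a blank password, and which server-level permissions and roles it holds. It assumes it is run on the instance hosting the CommServe database by a login with CONTROL SERVER (required to read password_hash); the column aliases are illustrative.

```sql
-- Added audit example; not Commvault code.
-- Run on the SQL Server instance that hosts the CommServe database.
-- Reading password_hash requires CONTROL SERVER (for example, a sysadmin login).

DECLARE @accounts TABLE (login_name sysname PRIMARY KEY);

-- The four account names come from the list above.
INSERT INTO @accounts (login_name) VALUES
    (N'CVDBCLRLogin'),
    (N'CVDM2DBCLRLogin'),
    (N'CVDM2XMLMsgLogin'),
    (N'CVManagedLoggerLogin');

-- 1. What kind of principal is each account, and does it have a blank password?
--    Only SQL-authenticated logins appear in sys.sql_logins; certificate- or
--    key-mapped logins have no password hash at all and cannot be used to connect.
SELECT
    a.login_name,
    sp.type_desc,                -- e.g. SQL_LOGIN, CERTIFICATE_MAPPED_LOGIN
    sp.is_disabled,
    CASE
        WHEN sp.principal_id IS NULL
            THEN 'not present on this instance'
        WHEN sl.principal_id IS NULL
            THEN 'no password hash (not a SQL-authenticated login)'
        WHEN sl.password_hash IS NULL
            THEN 'password hash not visible to the current login'
        WHEN PWDCOMPARE(N'', sl.password_hash) = 1
            THEN 'BLANK PASSWORD'
        ELSE 'password set'
    END AS password_state,
    sl.is_policy_checked,
    sp.create_date,
    sp.modify_date
FROM @accounts AS a
LEFT JOIN sys.server_principals AS sp
       ON sp.name COLLATE DATABASE_DEFAULT = a.login_name COLLATE DATABASE_DEFAULT
LEFT JOIN sys.sql_logins AS sl
       ON sl.principal_id = sp.principal_id
ORDER BY a.login_name;

-- 2. Server-level permissions granted or denied to each account
--    (look for CONNECT SQL: without it the login cannot open a session).
SELECT
    sp.name AS login_name,
    pe.state_desc,
    pe.permission_name,
    pe.class_desc
FROM @accounts AS a
JOIN sys.server_principals AS sp
  ON sp.name COLLATE DATABASE_DEFAULT = a.login_name COLLATE DATABASE_DEFAULT
JOIN sys.server_permissions AS pe
  ON pe.grantee_principal_id = sp.principal_id
ORDER BY sp.name, pe.permission_name;

-- 3. Fixed or user-defined server roles each account belongs to.
SELECT
    m.name AS login_name,
    r.name AS server_role
FROM @accounts AS a
JOIN sys.server_principals AS m
  ON m.name COLLATE DATABASE_DEFAULT = a.login_name COLLATE DATABASE_DEFAULT
JOIN sys.server_role_members AS rm
  ON rm.member_principal_id = m.principal_id
JOIN sys.server_principals AS r
  ON r.principal_id = rm.role_principal_id
ORDER BY m.name, r.name;
```

A row reporting BLANK PASSWORD together with a granted CONNECT SQL permission is the combination to investigate first.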

CommCell Network Password

The CommCell network password is an internal security measure used to ensure that communications occur only between CommCell computers. By default, the software assigns each computer in the CommCell a different password. You can, at any time, define a new CommCell network password for any computer in the CommCell. Although you do not need to know the existing password to define a new one, you do need to have administrative privileges.

Use the following steps to change the CommCell network password:

  1. From the CommCell Console toolbar, on the Home tab, click Control Panel.
  2. In the CommCell area, click System.
  3. Click the Change Password tab and select Change Network Password.
  4. Click the Change password for computer list, and select the name of the computer whose password you want to change.
  5. In Password, enter the new network password, then re-enter it in Confirm Password.
  6. Click OK.

Changing the Network Password for One or More Clients from the Command Line

Follow these steps to update the network password:

  1. On the CommServe computer, change to the software installation base directory for the instance to test:

    cd software_installation_path/Base

  2. Run the ChangeNetworkPwd command:

    ChangeNetworkPwd [-listAllWeak | -updateAllWeak | clientName] -vm instance_name

    where:

    • -listAllWeak is the option to list all the clients that need a stronger password.
    • -updateAllWeak is the option to update all the clients in the CommServe instance that need a stronger password.
    • clientName is the name of one client to update the password on.
    • (Optional) -vm is the name of the instance where the CommServe software is running. If not specified, Instance001 is used.

    For example, this command will update the password for client1:

    ChangeNetworkPwd client1 -vm instance002

  3. The password is updated for the client.
  4. To verify the operation, change to the software_installation_path\Log Files folder and review the ChangeNetworkPwd.log file.

MediaAgent

Media Password

The Media Password is used to prevent unauthorized access of data from media when using the Media Explorer (DR Tool) to restore data. The password is stored as an encrypted string on the On Media Label (OML) of the tape and in the SQL database.

One media password is allowed per media. If you change the media password, it will be effective for the next media. However, if you want to access the existing media, you will need to use the old media password.

Note: If you want to provide more security by not allowing anyone else to read and decipher data on the media, enable Data Encryption and Hardware Encryption.

Use the following steps to change the media password:

  1. From the CommCell Console ribbon, on the Home tab, click Control Panel.
  2. Under CommCell, click System.

    The System dialog box is displayed.

  3. Click the Change Password tab.
  4. Select the Change Media Password check box and specify the following:
    • Type the new media password in the Enter New Media Password box and re-enter it in the Confirm New Media Password box.
    • Type the old media password in the Enter Old Media Password box.

      Note: If this is the first time you are setting the media password, leave the Enter Old Media Password box blank.

  5. Click OK.

Mount Path Passwords for Shared Disk Libraries

When shared disk libraries are configured over the network, user accounts are required to access the mount paths. These accounts are defined in the device properties of the shared disk. You must associate the user accounts with the mount paths.

  1. From the CommCell Browser, expand Storage Resources > Libraries > disk_library.
  2. Right-click mount_path and click Share Mount Path.

    On the ribbon in the CommCell Console, click the Storage tab, and then click Expert Storage Configuration.

  3. Select the device and click Edit.
  4. In the Device Controller Details tab, the associated account should be defined under Network Path.
  5. Click OK.

You can change the passwords of the accounts used to access the mount paths.

  1. On the CommCell Console ribbon, on the Home tab, click Control Panel.
  2. Under User, click User Account Management.

    The User Account Management dialog box is displayed.

  3. Under Current Credentials, in the User name and Password boxes, enter the credentials for the user account associated with the mount path.
  4. Under New Credentials, perform the following:
    1. In the Password box, enter the new password for the user account.
    2. In the Confirm Password box, reenter the password.
    3. In the Notes box, specify the reason for the user account change.
    4. Click Preview to see all the mount paths associated with the account that will be updated.
    5. Click OK.
  5. Click OK.

Agents

The user account information for each Agent is used to back up and restore data from the client on which the Agent is installed.

Active Directory iDataAgent

By default, the user credentials provided during the Agent installation are used to back up the Active Directory Server.

User Privileges

The following table describes the user privileges required by the Active Directory iDataAgent.

Operating System | Domain Controller | Non-Domain Controller | Domain Controller & ADAM/LDS | Non-Domain Controller & ADAM/LDS | Notes
Windows XP | N/A | N/A | N/A | ADAM Admin |
Windows 2003 | Domain Admin | N/A | Domain Admin and ADAM Admin | ADAM Admin |
Windows 2008 | Domain Admin | Local Admin | Domain Admin and LDS Admin | LDS Admin and Local Admin | Supports Offline DB mounting
Windows 2008 R2 | Domain Admin | Local Admin | Domain Admin and LDS Admin | LDS Admin and Local Admin | Supports Offline DB mounting
Windows 2012 | Domain Admin | Local Admin | Domain Admin and LDS Admin | LDS Admin and Local Admin |
Windows 2012 R2 | Domain Admin | Local Admin | Domain Admin and LDS Admin | LDS Admin and Local Admin |

Domain Admin – A user that belongs to Domain Administrator group for that domain

ADAM (Active Directory Application Mode) Admin – A user that belongs to Roles\Administrator group (container) of configuration partition for that ADAM instance.

LDS (Lightweight Directory Services) Admin – A user that belongs to Roles\Administrator group (container) of configuration partition for that LDS instance.

Local Admin – A user that belongs to Local Administrators group.

  • If a user with the required privileges does not exist, create one and assign the necessary rights. Use this user during installation of the Active Directory iDataAgent.
  • For more information on ADAM users and groups, see "Understanding ADAM users and groups" on the Microsoft website (http://technet.microsoft.com/en-us/library/cc781482(v=ws.10).aspx).

At the Agent Level

Use the following steps to change the user credentials at the Agent level:

  1. From the CommCell Browser, navigate to Client Computers | <Client>.
  2. Right-click Active Directory and click Properties.
  3. Click Change Account.
  4. Type the username and password for the user account which has rights to back up and restore data from the Active Directory Server.

    The correct format for specifying a user is Domain\User.

  5. Click OK.

At the Client Computer Group Level

This user account will be used for all computers within a Client Computer Group. Configure the user account at this level if different users will be conducting backup and restore operations for each Client Computer Group in your organization. This user account will override the user account configured at the CommCell level.

  1. From the CommCell Browser, navigate to the Client Computer Groups node.
  2. Verify that all the Agent clients for which you wish to configure the user account are included in the Client Computer Groups.
  3. Right-click the <Client Group> and click Properties.
  4. Click the Advanced Settings tab.
  5. Click the Override higher levels settings check box.
  6. Select one of the following:
    • Use Local System Account, if the computer's Administrator account contains the required privileges.
    • Impersonate User, if you want to use a different account that contains the required privileges. Type the User Name and Password for this account in the space provided.
  7. Click OK.

The user credentials provided at the client computer group level are ignored if the client belongs to more than one group. In this case, provide the user credentials at the instance level.

ContinuousDataReplicator

The ContinuousDataReplicator requires a Windows user account that has sufficient privileges for the software to:

  • Perform backups and restores
  • Access the Windows registry

By default, the local system administrator account is used.

Initially, the user account credentials are provided during the replication set configuration after the installation of the Agent. You can change the user account at the Client Computer Group, Agent, and Replication Set levels. Accounts configured at each level will be used for all entities within that level as described in the following sections.

At the Client Computer Group Level

This user account will be used for all computers within a Client Computer Group. Configure the user account at this level if different users will be conducting backup and restore operations for each Client Computer Group in your organization. This user account will override the user account configured at the CommCell level.

  1. From the CommCell Browser, navigate to the Client Computer Groups node.
  2. Verify that all the Agent clients for which you wish to configure the user account are included in the Client Computer Groups.
  3. Right-click the <Client Group> and click Properties.
  4. Click the Advanced Settings tab.
  5. Click the Override higher levels settings check box.
  6. Select one of the following:
    • Use Local System Account, if the computer's Administrator account contains the required privileges.
    • Impersonate User, if you want to use a different account that contains the required privileges. Type the User Name and Password for this account in the space provided.
  7. Click OK.

The user credentials provided at the client computer group level are ignored if the client belongs to more than one group. In this case, provide the user credentials at the instance level.

At the Agent Level

On a Windows client computer, use the following steps to change the user account for accessing the ContinuousDataReplicator application server:

  1. From the CommCell Browser, navigate to Client Computers | <Client>.
  2. Right-click Continuous Data Replicator and click Properties.
  3. Click Edit.
  4. Enable the Use Username and Password check box.
  5. Type the new user name in the User Name box.
  6. Type the new password in the Password box and re-type it in the Confirm Password box.
  7. Click OK.

At the Replication Set Level

On a Windows client computer, use the following steps to change the user account for a Replication Set:

  1. From the CommCell Browser, navigate to Client Computers | <Client>.
  2. Right-click Replication Set and click Properties.
  3. Click Edit.
  4. Enable the Use Username and Password check box.
  5. Type the new user name in the User Name box.
  6. Type the new password in the Password box and re-type it in the Confirm Password box.
  7. Click OK.

DB2 and DB2 MultiNode iDataAgents

The DB2 iDataAgent requires a user account that has sufficient privileges to perform the following:

  • Perform backup and restore operations
  • Access Windows and Unix registry keys
  • Stop and start DB2 services on Windows and Unix clients

By default, the DB2 user with administrator privileges is used to perform backups and restores. You can change the user to a non-DB2 admin user, provided that the user has the following privileges:

Operating System | The User Account Must
Windows | Be a Local Administrator of the computer on which the DB2 database resides.
UNIX | Be a member of the user group assigned during the iDataAgent install.
All |
  • Be part of the SYSMAINT_GROUP and SYSCTRL_GROUP authorities.

    db2 update dbm cfg using SYSMAINT_GROUP <user_name or user_group>

    db2 update dbm cfg using SYSCTRL_GROUP <user_name or user_group>

  • Have DBADM privileges on the database.

    db2 grant dbadm on database to <new_user>

You provide the user account credentials when you configure an instance. You can change the user account at the Client Computer Group, Instance and Backup Set levels. Accounts configured at each level will be used for all entities within that level.

At the Client Computer Group Level

This user account will be used for all computers within a Client Computer Group. Configure the user account at this level if different users will be conducting backup and restore operations for each Client Computer Group in your organization. This user account will override the user account configured at the CommCell level.

  1. From the CommCell Browser, navigate to the Client Computer Groups node.
  2. Verify that all the Agent clients for which you wish to configure the user account are included in the Client Computer Groups.
  3. Right-click the <Client Group> and click Properties.
  4. Click the Advanced Settings tab.
  5. Click the Override higher levels settings check box.
  6. Select one of the following:
    • Use Local System Account, if the computer's Administrator account contains the required privileges.
    • Impersonate User, if you want to use a different account that contains the required privileges. Type the User Name and Password for this account in the space provided.
  7. Click OK.

The user credentials provided at the client computer group level are ignored if the client belongs to more than one group. In this case, provide the user credentials at the instance level.

At the Instance Level

Configure the account at the instance level when backup and restore operations are performed by a different user for each instance. Any new backup set that you create for this instance will use these credentials.

  1. From the CommCell Browser, expand Client Computers > client > DB2 > instance.
  2. Right-click the instance and click Properties.

    The Instance Properties dialog box is displayed.

  3. On the General tab, click Change.

    The Set DB2 Account dialog box is displayed.

  4. In the DB2 User Account box, type the user account that can access the DB2 application.
  5. In the Password box, type the password for the user account.
  6. In the Confirm Password box, retype the password.
  7. Click OK to close the Set DB2 Account dialog box.
  8. Click OK to close the Instance Properties dialog box.

At the Backup Set Level

This user account will be used for the specified backup set. When you modify the user account for an instance, new backup sets that you create for the instance use the new account, but existing backup sets use the existing instance account or backup set account.

  1. From the CommCell Browser, expand Client Computers > client > DB2 > instance.
  2. Right-click the backup_set and click Properties.

    The Backup Set Properties dialog box is displayed.

  3. On the General tab, click Change.

    The Set DB2 Account dialog box is displayed.

  4. In the DB2 User Account box, type the user account that can access the DB2 application.
  5. In the Password box, type the password for the user account.
  6. In the Confirm Password box, retype the password.
  7. Click OK to close the Set DB2 Account dialog box.
  8. Click OK to close the Backup Set Properties dialog box.

Documentum iDataAgent

The Documentum iDataAgent requires the following application accounts to perform backup and restore operations:
  • A Docbase account to access the Documentum Docbase (or Repository).
  • A database account to access an Oracle, DB2, or SQL database.

The credentials for the Docbase and database accounts are provided during the instance configuration after the installation of the Agent. You can change the user accounts at the instance level for both application accounts.

The following table illustrates the required privileges for these accounts:

Docbase Account:

  • Documentum: The Documentum iDataAgent requires a user account to log on to the related Documentum docbase to access the data. The user account is the Documentum Install owner account that was used to install the Documentum software. The account is already set up on the client after the Documentum software installation.

Database Account:

  • Oracle: The Documentum iDataAgent requires an Oracle user account to access the Oracle application and database. You may have separate user accounts to access these components. Refer to the Oracle iDataAgent section to review the required privileges the database account should have.
  • DB2: The Documentum iDataAgent requires a DB2 account to access the database. Refer to the DB2 iDataAgent section to review the required privileges the database account should have.
  • SQL: The Documentum iDataAgent requires an SQL account to access the database. Refer to the Microsoft SQL Server iDataAgent section to review the required privileges the database account should have.

Change the Docbase Account

Use the following steps to change the Docbase (or Documentum Repository) user account details from the instance level:

  1. Navigate to Client Computers | <Client> | Documentum.
  2. Right-click the <Instance> and then click Properties.
  3. Click Change.
  4. In the User Name box, type the name of the user account.
  5. In the Enter Password box, type the password for the user account.
  6. In the Confirm Password box, retype the password, and then click OK.
  7. Click Discover to validate the Docbase account you provided and to update the Storage Area and Full-text Indexes.

    If the validation is successful, the Docbase Version and Docbase ID of the instance are updated based on the new user account.

  8. Click OK.

Change the Database Account for Oracle

Use the following steps to change the Oracle database/application account credentials from the instance level:

  1. Navigate to Client Computers | <Client> | Documentum.
  2. Right-click the <Instance> and then click Properties.
  3. Click the Database tab.
  4. Click Change.
  5. In the User Name box, type the name of the user account to access the Oracle application, and then click OK.
  6. To change the database access credentials, type the following in the Connect String box to connect to the Oracle database:
    • Type the Database user ID.
    • Click the password box and type the password for the user ID in the Enter Password box.
    • In the Confirm Password box, retype the password, and then click OK.
    • Type the Oracle service name.
  7. Click OK.

Change the Database Account for DB2

Use the following steps to change the DB2 database account credentials from the instance level:

  1. Navigate to Client Computers | <Client> | Documentum.
  2. Right-click the <Instance> and then click Properties.
  3. Click the Database tab.
  4. Click Change.
  5. In the User Account box, type the name of the user account to access the DB2 database.
  6. In the Password box, type the password for the user account.
  7. In the Confirm Password box, retype the password, and then click OK.
  8. Click OK.

Change the Database Account for SQL

Use the following steps to change the SQL database account credentials from the instance level:

  1. Navigate to Client Computers | <Client> | Documentum.
  2. Right-click the <Instance> and then click Properties.
  3. Click the Database tab.
  4. Click Change.
  5. In the User Account box, type the name of the user account to access the SQL database.
  6. In the Password box, type the password for the user account.
  7. In the Confirm Password box, retype the password, and then click OK.
  8. Click OK.

Exchange Server Agents

The Exchange agents require a user account that has Exchange administrator privileges to:

  • Perform backups and restores
  • Log on to the related server to access the data

Additional accounts should be established by the Exchange database administrator.

By default, a user account with Exchange Administrator privileges is provided during the agent installation. You can change the user account at the agent level.

Changing User Accounts for Exchange Agents

This procedure applies to the following Exchange agents:

  • Exchange Database
  • OnePass for Exchange Mailbox
  • Exchange Mailbox
  • Exchange Public Folder
  • Exchange Compliance Archiver
  • Exchange Public Folder Archiver

  1. From the CommCell Browser, expand Client Computers > client.
  2. Right-click Exchange, and then click Properties.

    The Properties dialog box appears.

  3. Click Change Account.
  4. Type the user name in the Exchange Administrator Account box.
  5. Type the password in the Password box and reenter it in the Confirm Password box.
  6. Click OK.

Changing User Accounts for Exchange Database DAG Agents

Applies to: Exchange 2010 and later.

In the case of Exchange Database DAG agents, you can configure the Active Directory user account to discover DAG member servers.

  1. From the CommCell Browser, expand Client Computers.
  2. Right-click the appropriate DAG client, and then click Properties.

    The Client Computers Properties dialog box appears.

  3. Click Advanced.

    The Advanced Client Properties dialog box appears.

  4. Click the Member Servers tab.
  5. Click Change User Account.

    The AD Server Credentials dialog box appears.

  6. Type the Active Directory user account in the User Name box.
  7. Type the password for the AD user account in the Password box, and then reenter it in the Confirm Password box.
  8. Click OK.
  9. Click OK.
  10. Click OK.

Adding Active Directory User Groups for Exchange Mailbox Agents

To configure the mailboxes of the Active Directory user groups for Auto-Discovery operations, you need to specify a user account that can authenticate against the Active Directory domain. Refer to the following procedures for more information:

Message Recovery Operations for the Outlook Add-In

CommCell authentication is required for end-users to perform advanced message recovery operations such as find recoveries and browse recoveries from Outlook using the DataArchiver Outlook Add-In. The Single Sign On (SSO) feature allows Exchange administrators to establish a CommCell User Group for Outlook Add-In end users to perform these functions using their existing Windows user accounts and passwords residing in the Active Directory domain. Refer to Getting Started - Outlook Add-In - Administrator for more information.

OnePass for Hitachi HNAS (BlueArc)

The credentials for the user account are provided during the subclient configuration after the installation of the Agent.

Use the following steps to change the user account to access data residing on the File Server:

  1. Navigate to Client Computers | <Client> | File System | <Backupset>.
  2. Right-click the <Subclient> and then click Properties.
  3. Click the Content tab.
  4. In the Impersonate NT User dialog box, type the user name in the User Account box.
  5. Type the new Password in the Enter Password box and retype it in the Confirm Password box.
  6. Click OK.

OnePass for NetApp (FPolicy)

The credentials for the user account are provided during the subclient configuration after the installation of the Agent.

Use the following steps to change the user account to access data residing on the File Server:

  1. Navigate to Client Computers | <Client> | File System | <Backupset>.
  2. Right-click the <Subclient> and then click Properties.
  3. Click the Content tab.
  4. In the Impersonate NT User dialog box, type the user name in the User Account box.
  5. Type the new Password in the Enter Password box and retype it in the Confirm Password box.
  6. Click OK.

OnePass for Celerra

The credentials for the user account are provided during the subclient configuration after the installation of the Agent.

Use the following steps to change the user account to access data residing on the File Server:

  1. Navigate to Client Computers | <Client> | File System | <Backupset>.
  2. Right-click the <Subclient> and then click Properties.
  3. Click the Content tab.
  4. In the Impersonate NT User dialog box, type the user name in the User Account box.
  5. Type the new Password in the Enter Password box and retype it in the Confirm Password box.
  6. Click OK.

Informix iDataAgent

The Informix iDataAgent requires a user account to access the Informix application and database to perform backup and restore operations.

By default, the following are used:

  • For Windows, the local system administrator.
  • For UNIX and Linux, the Informix database owner.

Initially, the user credentials are provided during the Agent installation. You can subsequently change the user account at the Instance level.

Use the following steps to change the Informix user name:

  1. From the CommCell Browser, navigate to Client Computers | <Client> | Informix.
  2. Right-click the <Instance> and click Properties.
  3. On Windows clients:
    • Click Change.
    • In the User Name box, type the user account name.
    • In the Password box, type the password for the user account.
    • In the Confirm Password box, retype the password, and then click OK.

  4. On Unix clients, in the Informix USER box, type the user account to access the Informix application.

  5. Click OK.

Microsoft SQL Server iDataAgent

The SQL Server iDataAgent requires a Windows user account that has sufficient privileges for the software to:

  • Perform backups and restores
  • Access the Windows registry
  • Stop or start the SQL Server services.

By default, the local system account is used. The following table illustrates the requirements for a user-defined account:

If the SQL Server Is | The User Account Should Be
Member of a WorkGroup |
  • Local Administrator of the computer on which the SQL Server resides.
  • Member of the SQL sysadmin fixed server role.
Member of a Domain | An account other than the Domain Administrator account that has Administrator and SQL sa privileges. The account should have interactive logon rights to the computer where the SQL Server resides.

Initially, the user credentials are not provided during the agent installation and, by default, the local system account is used. You can change the user account at the CommCell, client computer group, agent, and instance levels. Accounts configured at each level will be used for all entities within that level as described in the following sections.

You can use any SQL account that satisfies the account requirement or use a user account from which SQL Server services are running by providing their respective login credentials.

At the CommCell Level

This user account will be used for all SQL Server iDataAgents in your CommCell. Configure the user account at this level if one person will be conducting all backup and restore operations in your organization.

  1. From the CommCell Console ribbon, on the Home tab, click Control Panel.
  2. Under User, click SQL iDataAgent.
  3. In the SQL iDataAgent Configuration dialog box, select one of the following:
    • Use Local System Account if the Administrator account for the computer contains the required privileges.
    • Impersonate User if a different account contains the required privileges. Type the User Name and Password for this account in the space provided.
  4. Click OK.

At the Client Computer Group Level

This user account will be used for all computers within a Client Computer Group. Configure the user account at this level if different users will be conducting backup and restore operations for each Client Computer Group in your organization. This user account will override the user account configured at the CommCell level.

  1. From the CommCell Browser, navigate to the Client Computer Groups node.
  2. Verify that all the Agent clients for which you wish to configure the user account are included in the Client Computer Groups.
  3. Right-click the <Client Group> and click Properties.
  4. Click the Advanced Settings tab.
  5. Click the Override higher levels settings check box.
  6. Select one of the following:
    • Use Local System Account, if the computer's Administrator account contains the required privileges.
    • Impersonate User, if you want to use a different account that contains the required privileges. Type the User Name and Password for this account in the space provided.
  7. Click OK.

We recommend that you associate a SQL client with only one client group that has a user account configured at the client computer group level. Otherwise, you can set the user account at the client level or the instance level.

At the Agent Level

This user account will be used for all instances and associated subclients. Configure the user account at this level if one person will be conducting all backup and restore operations on the client on which the SQL Server iDataAgent is installed. This user account will override the user account configured at the CommCell and Client Computer Group levels.

  1. Navigate to Client Computers | <Client>.
  2. Right-click SQL Server and click Properties.
  3. Click the Authentication tab.
  4. Enable the Override higher levels settings check box.
  5. Select one of the following:
    • Use Local System Account if the computer's Administrator account contains the required privileges.
    • Impersonate User if you want to use a different account that contains the required privileges. Type the User Name and Password for this account in the space provided.

  6. Click OK.

At the Instance Level

This user account will be used for all subclients within the instance. Configure the user account at this level if backup and restore operations will be conducted by a different person for each instance. This user account will override the user account configured at the CommCell, Client Computer Group, and Agent levels.

  1. Navigate to Client Computers | <Client> | SQL Server.
  2. Right-click the <Instance> and click Properties.
  3. Click the Accounts tab.
  4. Enable the Override higher levels settings check box.
  5. Select one of the following:
    • Use Local System Account, if the computer's Administrator account contains the required privileges.
    • Impersonate User, if you want to use a different account that contains the required privileges. Type the User Name and Password for this account in the space provided.

  6. Click OK.

Microsoft Windows File System iDataAgent

Users performing backups must be either an administrator or a backup operator. Backup operators (or Service Users) are designed to have full control of the registry and the installation folder.

Role: An administrator or a backup operator in a local group
Privileges: Able to back up any file and folder on the local computer to which the local group applies.

Role: An administrator or backup operator on a domain controller
Privileges: Able to back up any file and folder on:
  • a computer in the domain
  • a computer in a domain where a two-way trust relationship exists

If you are not an administrator or backup operator, you must be the owner of the files and folders you want to back up or have one or more of the following permissions.

  • Read
  • Read and execute
  • Modify
  • Full Control

The following sections describe the procedures for modifying user permissions and rights.

Configuring Windows Users on an Individual Server

  1. Go to Control Panel > Administrative Tools.
  2. Double-click Computer Management.
  3. On the Computer Management browser, expand Local Users and Groups > Users.
  4. Right-click the user who will perform backups and click Properties.
  5. On the Member Of tab, click Add to add the Backup Operators group to the User.
  6. Click OK.
  7. Log off and log on to the computer as an Administrator for the policies to take effect.

Configuring Windows Users on a Domain Controller

To add a user to the Backup Operators Group, perform the following steps on the domain controller:

  1. Create or prepare to manage a Windows user who will run the services.
  2. Navigate to Active Directory Users | Computers | Users.
  3. Right-click the user who will be performing backups and click Member of.
  4. Add the Backup Operators group to the User.
  5. Click OK.
  6. Log off and log in as the domain controller Administrator for the policies to take effect.

Configuring Windows Users for Specific Folders

  1. Right-click the folder you want to back up and click Properties.
  2. On the Security tab, enable Add Backup Operators with full control rights.

Configuring Credentials for UNC Path Content

The user must have privileges to:

  • Access the share to which the UNC Path is pointing.
  • Log on to the client machine that is running the backup.
  • Access the logs on the client machine.

To perform backup or restore operations using a UNC Path as either the content of the subclient or the destination for a restore, the user account should have Administrative privileges.

Use the following steps to change the User Account for the UNC Path content:

  1. From the CommCell Browser, navigate to Client Computers | <Client> | Agent.
  2. Right-click the <Subclient> and click Properties.
  3. Click the Content tab.
  4. Click Add Paths and type in the UNC path of the share that you want to add.

    Repeat this step if you want to add more files and/or folders to the content.

  5. Click As User.
  6. Type the new user name in the User Name box.
  7. Type the new password in the Password box and retype it in the Confirm Password box.
  8. Click OK.

Configuring Credentials for Restricted Drives or Directories

You can define a user with permissions to restore data to either mapped/shared network drives or directories to which you have no write privileges.

  1. From the CommCell Browser, navigate to Client Computers | <Client> | File System.
  2. Right-click the <BackupSet> and click All Tasks and then click Browse and Restore.
  3. Click View Content.
  4. Select the data that you want to restore and then click Recover All Selected.
  5. From the Restore Options for All Selected Items dialog box, enable the Impersonate User check box.
  6. Type the new user name in the User Name box.
  7. Type the new password in the Password box and retype it in the Confirm Password box.
  8. Click OK.

View or Modify User Rights Assignments on a Workgroup or Member Server

Follow the steps below to view or modify user rights assignments on a Workgroup or Member Server:

  1. Click Start > Settings > Control Panel > Administrative Tools.

  2. From Administrative Tools, select the local security policy and add the Service user to all the required rights (logon as service, backup, restore).

View or Modify User Rights Assignments on a Domain Controller

Follow the steps below to view or modify user rights assignments on a domain controller:

  1. Click Start > Settings > Control Panel > Administrative Tools.

  2. From Administrative Tools\Domain Controller Security Policy, expand the tree to Security Settings, Local Policies, and User Rights Assignment. Add the user to all the required rights (logon as service, backup, restore).

MySQL iDataAgent

The MySQL iDataAgent requires a MySQL Server user account that has sufficient privileges for the software to:

  • Perform backups and restores
  • Access the MySQL Server application
  • Stop or start the MySQL Server services

The following table illustrates the necessary privileges the user account should have to perform backup and restore operations:

Operation: Backup

Privileges MySQL User Should Have:
  • SHOW DATABASES
  • SUPER
  • RELOAD
  • SELECT
  • LOCK TABLES

Example Query to Grant the Permission:
  1. mysql> GRANT SHOW DATABASES, SELECT, LOCK TABLES, RELOAD, SUPER ON *.* to '<backup_agent_user>'@'localhost' IDENTIFIED BY '<backup_agent_password>';
    mysql> GRANT SHOW DATABASES, SELECT, LOCK TABLES, RELOAD, SUPER ON *.* to '<backup_agent_user>'@'127.0.0.1' IDENTIFIED BY '<backup_agent_password>';
    mysql> FLUSH PRIVILEGES;
  2. For some versions, we recommend granting all Database Administrator privileges to perform backup operations.

    Example: For MySQL 5.7 and later, you should grant all Database Administrator privileges to perform backup operations.

    mysql> GRANT ALL PRIVILEGES ON *.* TO '<backup_agent_user>'@'localhost' IDENTIFIED BY '<backup_agent_password>';
    mysql> GRANT ALL PRIVILEGES ON *.* TO '<backup_agent_user>'@'127.0.0.1' IDENTIFIED BY '<backup_agent_password>';
    mysql> FLUSH PRIVILEGES;

Operation: Restore

Privileges MySQL User Should Have: Full Database Administrator privileges

Example Query to Grant the Permission:
    mysql> GRANT ALL PRIVILEGES ON *.* TO '<restore_agent_user>'@'localhost' IDENTIFIED BY '<restore_agent_password>';
    mysql> GRANT ALL PRIVILEGES ON *.* TO '<restore_agent_user>'@'127.0.0.1' IDENTIFIED BY '<restore_agent_password>';
    mysql> FLUSH PRIVILEGES;
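
The following is an added example, not Commvault code: a Python check that compares SHOW GRANTS output for the backup account against the five backup privileges listed above, for both host entries that the example queries create. The account names (cvbackup, cvrestore) and the sample output lines are constructed for illustration.

```python
import re

# Global privileges the table above lists for the backup account.
REQUIRED_BACKUP = {"SHOW DATABASES", "SUPER", "RELOAD", "SELECT", "LOCK TABLES"}
# Host entries created by the example GRANT statements on this page.
EXPECTED_HOSTS = ("localhost", "127.0.0.1")

# One line of SHOW GRANTS output. Accepts 'user'@'host' and `user`@`host` quoting.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"['`](?P<user>[^'`]*)['`]@['`](?P<host>[^'`]*)['`]",
    re.IGNORECASE,
)


def parse_grants(lines):
    """Return {(user, host): set of privileges granted ON *.*}."""
    grants = {}
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue  # database- and table-level grants are out of scope here
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        grants.setdefault((m.group("user"), m.group("host")), set()).update(privs)
    return grants


def audit_backup_account(lines, user):
    """Classify each expected host entry as ok, drift, full-dba or absent."""
    grants = parse_grants(lines)
    report = {}
    for host in EXPECTED_HOSTS:
        privs = grants.get((user, host))
        if privs is None:
            report[host] = {"status": "absent",
                            "missing": sorted(REQUIRED_BACKUP), "extra": []}
        elif privs & {"ALL", "ALL PRIVILEGES"}:
            # Matches the page's GRANT ALL PRIVILEGES variant; the credential is
            # then a full DBA login and should be stored and rotated as one.
            report[host] = {"status": "full-dba", "missing": [], "extra": []}
        else:
            missing = sorted(REQUIRED_BACKUP - privs)
            # USAGE means "no privileges" and is not a finding.
            extra = sorted(privs - REQUIRED_BACKUP - {"USAGE"})
            status = "ok" if not (missing or extra) else "drift"
            report[host] = {"status": status, "missing": missing, "extra": extra}
    return report


# Constructed sample of SHOW GRANTS output (account names are hypothetical).
SAMPLE_GRANTS = [
    "GRANT SELECT, RELOAD, SHOW DATABASES, SUPER, LOCK TABLES ON *.* TO 'cvbackup'@'localhost'",
    "GRANT SELECT, RELOAD, SHOW DATABASES, LOCK TABLES, FILE ON *.* TO 'cvbackup'@'127.0.0.1'",
    "GRANT ALL PRIVILEGES ON *.* TO 'cvrestore'@'localhost' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for account in ("cvbackup", "cvrestore"):
        for host, result in audit_backup_account(SAMPLE_GRANTS, account).items():
            print(account, host, result)
```

Some server versions print ALL PRIVILEGES as an expanded privilege list; such accounts are then reported as drift with the additional privileges listed under extra.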

Initially, the user account credentials are provided during the instance configuration after the installation of the Agent. You can change the user account at the Instance level.

At the Instance Level

Use the following steps to change the user account for an Instance.

  1. From the CommCell Browser, navigate to Client Computers | <Client> | MySQL.
  2. Right-click the <Instance> and click Properties.
  3. Click the Accounts tab.
  4. Type the user name in the User Name box.
  5. Type the SA user name in the SA User Name box.
  6. Type the password in the SA Account Password box and retype it in the SA Confirm Password box.
  7. Click OK.

NAS Agents

The NAS iDataAgent requires a user account to access the file server to perform backup and restore operations. If the file server access information has been modified, follow the steps given below to change the user account settings.

  1. From the CommCell Browser, navigate to Client Computers | <Client>.
  2. Right-click NAS and click Properties.
  3. Click NDMP Properties.

    The NDMP Server Properties dialog box appears.

  4. Select the Change Password check box.
  5. Type the user name in the NDMP Login box.
  6. Type the password in the NDMP Password box.
  7. If your CommServe host is unable to connect to the file server, click the Detect MediaAgent list and select a MediaAgent to use for connecting to the file server. If left blank, the CommServe host will communicate with the file server directly.
  8. Click OK.
  9. Click OK to close the NAS Properties dialog box.

Oracle iDataAgents

The Oracle iDataAgent requires the following two user accounts in order to perform backup and restore operations:

  • An operating system account with administrator privileges for the Oracle application.

    The following table defines the user account requirements for each operating system:

    Operating System: Windows
    User Account:
    • The Local Administrator of the computer on which the Oracle database resides.
    • The user must be part of the ora_dba group with read and write permissions on the Commvault folder.

    Note: When using Oracle 12c, grant full control permission for the Oracle home user for the Commvault folder.

    Operating System: UNIX
    User Account: Member of the user group assigned during the Agent installation. The operating system user account can also be used.
  • An Oracle user account with the SYSDBA or SYSBACKUP (in Oracle version 12 or higher) privilege can access the Oracle target database. Provide the account information as a connect string with the following connection details:
    • The database user ID and password
    • The Oracle Service Name (as defined in the tnsnames.ora file)

    Use separate accounts to access the target database and the recovery catalog database. The recovery catalog database user account must have RECOVERY_CATALOG_OWNER privileges, which are not required for the target database user.

    By default, the user account for the target database has administration privileges and must be established so the Oracle database administrator can configure additional accounts (except Impersonate User).

Initially, the user account credentials are provided during the instance configuration after the installation of the Agent. You can subsequently change the user account information to access the Oracle database and application at the Instance level whenever the credentials are updated.

Configuring User Account to Access the Oracle Application

Use the following steps to configure the user account to access the Oracle application:

  1. From the CommCell Browser, navigate to Client Computers | <Client> | Oracle.
  2. Right-click the <Instance>, and then click Properties.
    • On the Properties dialog, navigate to the General tab.

      For Windows clients:

      • Click Change, which displays the Impersonate NT User dialog.
      • In the User Account box, enter the user account name.
      • In the Enter Password box, enter the password for the user account.
      • In the Confirm Password box, re-enter the password, and then click OK.

      For Unix clients:

      In the User Account box, enter the user account that you use to access the Oracle application.
    • Click OK.

Configuring User Account to Access the Oracle Database

Use the following steps to configure the user account privileges to access the Oracle database:

  1. From the CommCell Browser, navigate to Client Computers | <Client> | Oracle.
  2. Right-click the <Instance>, and then click Properties.
  3. On the Details tab, enter the Oracle connection information:
    • To use the Oracle Wallet feature, select the Oracle Wallet Auto Login check box.
    • To use the Oracle Connect String, select the Use Connect String check box and in the Connect String box enter the Oracle connect string credentials.

      Note: If you want to use an account that is other than 'sys', you must grant the SYSDBA or SYSBACKUP (in Oracle version 12 or higher) privilege to the user account.

      Enter the Connect String to connect to the Oracle database as follows:

      1. In the first box enter the Database user ID.
      2. In the second box enter the Password.
      3. In the Confirm Password dialog box, re-enter the password, and click OK.
      4. In the third box enter the Oracle Service name.

      For example, in the following:

      sysdba/<password>@orcl

      sysdba is the Database User ID

      <password> is the Database User ID password

      orcl is the Oracle service name

  4. Click OK.

Oracle RAC iDataAgents

The Oracle RAC iDataAgent requires the following two user accounts in order to perform backup and restore operations:

  • An operating system account with administrator privileges for the Oracle application.

    The following table defines the user account requirements for each operating system:

    Operating System: Windows
    User Account:
    • The Local Administrator of the computer on which the Oracle database resides.
    • The user must be part of the ora_dba group with read and write permissions on the Commvault folder.

    Note: When using Oracle 12c, grant full control permission for the Oracle home user for the Commvault folder.

    Operating System: UNIX
    User Account: Member of the user group assigned during the Agent installation. The operating system user account can also be used.
  • An Oracle user account with the SYSDBA or SYSBACKUP (in Oracle version 12 or higher) privilege can access the Oracle target database. Provide the account information as a connect string with the following connection details:
    • The database user ID and password
    • The Oracle Service Name (as defined in the tnsnames.ora file)

    Use separate accounts to access the target database and the recovery catalog database. The recovery catalog database user account must have RECOVERY_CATALOG_OWNER privileges, which are not required for the target database user.

    By default, the user account for the target database has administration privileges and must be established so the Oracle database administrator can configure additional accounts (except Impersonate User).

Initially, the user account credentials are provided during the instance configuration after the installation of the Agent. You can subsequently change the user account information to access the Oracle database and application at the Instance level whenever the credentials are updated.

Configuring User Account to Access the Oracle Application

Use the following steps to configure the user account to access the Oracle application:

  1. From the CommCell Browser, navigate to Client Computers | <RAC Client>.
  2. Right-click the <Instance>, and then click Properties.
  3. Click the Details tab.
  4. Select the desired instance, and then click Modify.

    On Windows clients:

    • Click Change User Account.
    • In the User Account box, type the user account name.
    • In the Enter Password box, type the password for the user account.
    • In the Confirm Password box, retype the password, and then click OK.

    On Unix clients:

    • Click Change User Account.
    • In the User Name box, type the user name, and then click OK.
  5. Click OK.

Configuring User Account to Access the Oracle Database

Use the following steps to configure the user account privileges to access the Oracle database:

  1. From the CommCell Browser, navigate to Client Computers | <RAC Client>.
  2. Right-click the <Instance>, and then click Properties.
  3. Click the Details tab.
  4. Select the desired instance, and then click Modify.
  5. In the Connect String box, type the connect string to connect to the Oracle database as follows:
    • Type the Database user ID.
    • Click the password box and type the password for the user ID in the Enter Password box.
    • In the Confirm Password box, retype the password, and then click OK.
    • Type the Oracle service name.

    For example:

    sys/<password>@winrac1

    where sys is the Database User ID, <password> is the password of the Database User ID, and winrac1 is the Oracle service name.

  6. Click OK.

PostgreSQL iDataAgent

The PostgreSQL iDataAgent requires a user account that has sufficient privileges to perform the following:

• Perform backup and restore operations

• Access the PostgreSQL Server application

• Stop or Start PostgreSQL services

The following table illustrates the necessary privileges the user account should have to perform backup and restore operations:

Operation: Backup
Privileges PostgreSQL User Should Have: Full Database Administrator privileges.

Operation: Restore
Privileges PostgreSQL User Should Have: Full Database Administrator privileges.

Initially, the user account credentials are provided during the instance configuration after the installation of the Agent. You can change the user account at the Instance level.

At the Instance Level

This user account will be used for all instances and associated subclients. Use the following steps to change the user account for an Instance:

  1. From the CommCell Browser, navigate to Client Computers | <Client> | PostGreSQL.
  2. Right-click the <Instance> and click Properties.
  3. Click the Accounts tab.
  4. Type the user name in the PostGres User Name box.
  5. Type the password in the PostGres Account Password box.
  6. Retype the password in the PostGres Confirm Password box.
  7. Click OK.

SAP for Oracle iDataAgents

The SAP for Oracle iDataAgent requires the following two user accounts in order to perform backup and restore operations:

  • An operating system account with administrator privileges for the Oracle application.

    The following table defines the user account requirements for each operating system:

    Operating System: Windows
    User Account:
    • The Local Administrator of the computer on which the Oracle database resides.
    • The user must be part of the ora_dba group with read and write permissions on the Commvault folder.

    Note: When using Oracle 12c, grant full control permission for the Oracle home user for the Commvault folder.

    Operating System: UNIX
    User Account: Member of the user group assigned during the Agent installation. The operating system user account can also be used.
  • An Oracle user account with the SYSDBA or SYSBACKUP (in Oracle version 12 or higher) privilege can access the Oracle target database. Provide the account information as a connect string with the following connection details:
    • The database user ID and password
    • The Oracle Service Name (as defined in the tnsnames.ora file)

    Use separate accounts to access the target database and the recovery catalog database. The recovery catalog database user account must have RECOVERY_CATALOG_OWNER privileges, which are not required for the target database user.

    By default, the user account for the target database has administration privileges and must be established so the Oracle database administrator can configure additional accounts (except Impersonate User).

Initially, the user account credentials are provided during the instance configuration after the installation of the Agent. You can subsequently change the user account information to access the Oracle database and application at the Instance level whenever the credentials are updated.

Configuring the User Account to Access the Oracle Application

Use the following steps to configure the user account to access the Oracle application:

  1. From the CommCell Browser, go to Client Computers > client > SAP for ORACLE.
  2. Right-click the instance and click Properties.

    The instance Properties dialog box appears.

  3. Update the user account information on the client:
    • For Windows clients do the following:
      1. On the General tab, click Change.

        The Impersonate User dialog box appears.

      2. In the User Account box, type the user account name using the following format: <client_name>/<SID_name>adm.
      3. In the Enter Password box, type the password for the user account.
      4. In the Confirm Password box, retype the password, and then click OK.
    • For Unix clients, enter the new user name in the ORACLE USER box using the following format: <SID_name>adm.
  4. Click OK.

You can also provide the user account credentials from the command line during backup and restore operations.

Configuring the User Account to Access the Oracle Database

Use the following steps to configure the user account privileges to access the Oracle database:

  1. From the CommCell Browser, go to Client Computers > client > SAP for ORACLE.
  2. Right-click the instance and click Properties.

    The instance Properties dialog box appears.

  3. Click the Details tab.
  4. In the Connect String boxes, type the connect string to connect to the Oracle database as follows:
    • In the first box, type the database user ID.
    • In the second box, type the password for the user ID.
    • In the Confirm Password dialog box, re-enter the password and click OK.
    • In the third box, type the Oracle service name.

    For example:

    sys/password@CER

    where sys is the database user ID, password is the password for the database user ID, and CER is the Oracle service name.

  5. Click OK.
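
The following is an added example, not Commvault or Oracle code: a Python helper for the user/password@service connect string used in the Oracle, Oracle RAC and SAP for Oracle sections above. It splits the string, checks the service name against the aliases in a tnsnames.ora file, flags accounts other than sys (which need SYSDBA or SYSBACKUP), and returns a redacted form that is safe to write to logs or tickets. The tnsnames.ora content and host names are constructed, and the alias parser assumes each alias starts in column 0 with its descriptor indented.

```python
import re

# Assumption: an alias is a name at the start of a line followed by '=';
# descriptor lines are indented or begin with '(' and comments begin with '#'.
ALIAS_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*=", re.MULTILINE)


def tns_aliases(tnsnames_text):
    """Return the set of service aliases defined in tnsnames.ora text (upper-cased)."""
    return {m.group(1).upper() for m in ALIAS_RE.finditer(tnsnames_text)}


def parse_connect_string(connect):
    """Split user/password@service. The password may itself contain '/' or '@'."""
    slash = connect.find("/")    # the user ID ends at the first '/'
    at = connect.rfind("@")      # the service name starts after the last '@'
    if slash <= 0 or at <= slash + 1 or at == len(connect) - 1:
        # The input is deliberately left out of the message: it holds a password.
        raise ValueError("expected user/password@service")
    return connect[:slash], connect[slash + 1:at], connect[at + 1:]


def redact(connect):
    """Return the connect string with the password masked, for logs and tickets."""
    user, _password, service = parse_connect_string(connect)
    return f"{user}/********@{service}"


def check_connect_string(connect, tnsnames_text):
    """Return (redacted string, list of issues) for one connect string."""
    user, _password, service = parse_connect_string(connect)
    issues = []
    if service.upper() not in tns_aliases(tnsnames_text):
        issues.append("service name not defined in tnsnames.ora")
    if user.lower() != "sys":
        issues.append("account other than sys: needs SYSDBA or SYSBACKUP granted")
    return redact(connect), issues


# Constructed tnsnames.ora content; host names are placeholders.
SAMPLE_TNSNAMES = """
# constructed sample
ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = orcl))
  )

CER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = sap01.example.internal)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = CER))
  )
"""

if __name__ == "__main__":
    for sample in ("sys/password@CER", "sysdba/secret@orcl", "sys/p@ss/w0rd@winrac1"):
        print(check_connect_string(sample, SAMPLE_TNSNAMES))
```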

SharePoint Agents

The SharePoint Server iDataAgent requires a user account that has sufficient privileges for the software to:

  • Log on to the file server to access the data.
  • Create and modify the SharePoint database.
  • Perform backup and restore operations.

The SharePoint Agents require a user account with the following privileges:

  • Member of the local Administrator Group.
  • Member of the SharePoint Administrator Group.
  • SharePoint Server Farm Administrator
  • System Administrator role on the SQL Server Instance.
  • SP Shell Administrator permissions.
  • This account must have "Log on as Service" permissions to ensure the Communication (CVD) Services will start.

    Refer to the Knowledge Base article Galaxy Service Account User Information for Windows 2003 and Windows Server 2003 clients available from the Maintenance Advantage web site.

Also, Web Application Pools users must have read access to the following location: [hkey_local_machine]\[software]\[CommVault Systems Registry].

Additional accounts should be established by the SharePoint database administrator.

Initially, the SharePoint Administrator account credentials are provided during the Agent installation. You can subsequently change the user account at the Agent level.

At the Agent Level

You can change the Administrative Account.

  1. From the CommCell Browser, navigate to Client Computers | <Client>.
  2. Right-click SharePoint Server and click Properties.
  3. Click Change Account.
  4. Type the SharePoint Administrator user name in the SharePoint Administrator Account box.
  5. Type the password in the Password box and retype it in the Confirm Password box.
  6. Click OK.

Sybase iDataAgent

The Sybase iDataAgent requires two user accounts to access the Sybase application and database to perform backup and restore operations:

  • Database user account with administrator privileges.

    On Unix computers, the account information for accessing the database is provided during the Sybase iDataAgent installation.

    On Windows computers, the account information is provided during the instance configuration after the installation of the Agent.

  • Operating system account with privileges to access the Sybase application.

The following table illustrates the required user account privileges for backup and restore operations:

Operation: Create Sybase server
User Account Needed: Sybase database administrator account (SA role)

Operation: Backup Sybase database and Restore non-system databases
User Account Needed: Operating system user account (operator role) with access to all the databases in an instance.

Operation: Restore Sybase system databases
User Account Needed: Sybase database administrator account (SA role)

Use the following steps to change the user account for accessing the Sybase instance:

  1. From the CommCell Browser, navigate to Client Computers | <Client> | Sybase.
  2. Right-click the <Instance> and click Properties.
  3. Click the Accounts tab.
  4. Type the user name in the User Name box.
  5. Type the SA user name in the SA User Name box.
  6. Type the password in the SA Account Password box and retype it in the SA Confirm Password box.
  7. Click OK.

At the Client Computer Group Level

This user account will be used for all computers within a Client Computer Group. Configure the user account at this level if different users will be conducting backup and restore operations for each Client Computer Group in your organization. This user account will override the user account configured at the CommCell level.

  1. From the CommCell Browser, navigate to the Client Computer Groups node.
  2. Verify that all the Agent clients for which you wish to configure the user account are included in the Client Computer Groups.
  3. Right-click the <Client Group> and click Properties.
  4. Click the Advanced Settings tab.
  5. Click the Override higher levels settings check box.
  6. Select one of the following:
    • Use Local System Account, if the computer's Administrator account contains the required privileges.
    • Impersonate User, if you want to use a different account that contains the required privileges. Type the User Name and Password for this account in the space provided.
  7. Click OK.

The user credentials provided at the client computer group level are ignored if the client belongs to more than one group. In this case, provide the user credentials at the instance level.

Virtual Server Agent for VMware

The Virtual Server Agent requires user accounts that have sufficient permissions for the software to:

  • Access the vCenter and ESX servers.
  • Access virtual machines.
  • Access volumes, files, and folders within virtual machines.
  • Perform discovery, backup, and restore operations.

When you configure the VMware vCenter client, you must provide the user account credentials for the vCenter. Later, you can change the user account at the instance level.

For more information, see Configuration of User Accounts for VMware. For other hypervisors, follow the user account requirements that are provided when adding a virtualization client.

Changing Credentials for a vCenter Instance

The user account for a VMware instance provides access to the vCenter for the virtualization client.

  1. Navigate to Client Computers > virtualization_client > Virtual Server.
  2. Right-click VMware and select Properties.
  3. In the VMware area, click Change.
  4. Type the username and password.

    Note: Ensure that the password does not have single-quote (') or double-quote (") characters.

  5. Click OK.

Enable Passwords for Media Associated with a Storage Policy

By default, the CommServe Level Media Password is used to access the data residing on media used by the system for a storage policy. You can prevent unauthorized access to this data by enabling a password for the media associated with the storage policy.

If you password protect the media associated with a Disaster Recovery Backup storage policy, it is essential that you record this password. In certain disaster recovery scenarios, it may be necessary to read your backup data directly from the media.

  1. From the CommCell Browser, navigate to Policies | Storage Policies.
  2. Right-click the <Storage Policy> and select Properties.
  3. Click the Advanced tab.
  4. Click the Enable Storage Policy Level Media Password check box and then click the Change Media Password check box.
  5. Type the new media password in the Enter New Media Password box and the Confirm New Media Password box.
  6. Type the CommServe media password in the Enter Old Media Password dialog box.
  7. Click OK.

Change Account for Restoring to Mapped or Shared Network Drives and Restricted Directories

You can define a user with permissions to restore data to either mapped or shared network drives or directories to which you have no write privileges.

  1. From the CommCell Browser, go to Client Computers > client > agent.
  2. Right-click the backup_set and click All Tasks and then click Browse and Restore.

    By default, Latest Backup is selected for browse.

  3. Click View Content.
  4. Select the data that you want to restore and then click Recover All Selected.

    The Restore Options for All Selected Items dialog box appears.

  5. Select the required restore options.
  6. Scroll down, click the Impersonate User check box, and type the following:
    • In the User Name box, type the new user name.
    • In the Password box, type the new password and in the Confirm Password box, re-type the password.
  7. Click OK.

System State Backup Privileges

To back up the System State data, the service user must be either an administrator or a backup operator. Also, system state backups require backup operator group permissions on the HKLM\SYSTEM\SETUP key to enable system-protected file backups.

User Impersonation for Running Pre and Post Commands

You can add, modify or view Pre/Post processes for the subclient. These are batch files or shell scripts that you can run before or after certain job phases.

  1. From the CommCell browser, right-click the subclient.
  2. Click Properties.
  3. Click Pre/Post Process.
  4. Click one of the following phases and type the full path of the process that you want to execute during that phase. Alternatively, click Browse to locate the process (applicable only for paths that do not contain any spaces).
    • PreBackup Process
    • PostBackup Process
    • PreSnap Process
    • PostSnap Process
  5. Click OK.
  6. To run a post backup process for all attempts, select Run Post Backup Process for all attempts.
  7. For subclients on Windows platforms, Run As displays Not Selected.

    If you want to change the account that has permission to run these commands, click Change.

    1. In the User Account dialog box, select Use Local System Account, or select Impersonate User and enter the user name and password. Click OK.
    2. If you selected Local System Account, click OK to the message advising you that commands using this account have rights to access all data on the client computer.

Change User Account to Access Job Results Directory for the Client

On a Windows client computer, use the following steps to change the user account for accessing the job results directory for the client:

  1. From the CommCell Browser, go to Client Computers.
  2. Right-click the client and click Properties.

    The Client Computer Properties dialog box appears.

  3. Click Advanced.

    The Advanced Client Properties dialog box appears.

  4. On the Job Configuration tab, in the Job Results Directory for Windows Clients section, click User Name/Password and type the following:
    1. In the User Name box, type the new user name.
    2. In the Password box, type the new password and in the Confirm Password box, re-type the password.
    3. Click OK.
  5. Click OK twice to close the properties dialog boxes.

Domain Controller

Use the following steps to change the user account for the domain controller:

  1. From the CommCell Browser, go to Security > Domains.
  2. Right-click Domain_Controller and click Properties.

    The Edit Domain Controller Details dialog box appears.

  3. Click Edit next to the User Account box.

    The Enter User Account Information dialog box appears.

  4. Type the following:
    1. In the User Name box, type the new user name.
    2. In the Password box, type the new password and in the Confirm Password box, retype the password.
    3. Click OK.
  5. Click OK to close the domain controller dialog box.