
domain Backup Operators group question

Posted by djc on April 20, 2006, 8:53 am
I have looked into this before due to seeing conflicting information from
different sources. I had also posted the question to one of the MS
newsgroups here (can't find it right now though) and got a great answer. Now
I have come across what I think is an incorrect statement and would like to
verify this here.

The bottom line from the great reply I had gotten previously on this issue
is that the 'domain' Backup Operators group is NOT really a 'domain local'
group. It is a 'built in' group which means it does NOT have domain
affinity. This means the SID of the group does not contain the portion that
relates it to a domain. Therefore it can only be used on the 'local'
machine. In the case of a domain controller, each one shares the same
account database (active directory) and so the Backup Operators group from
active directory only has backup/restore rights on *domain controllers*, not
all member servers (which is what I see stated some places as I will show
below).

so when you see 'domain Backup Operators' this is not a group with privilege
over the whole domain. A better name would be 'DC Backup Operators'.

the following statement is from a Measure Up practice exam explanation:
"The Backup Operators group in Active Directory is a domain local group. If
you add Joanne as a member of the domain Backup Operators group, she will
have backup and restore rights on all member servers in the domain."

this statement IS incorrect right?



Posted by Roger Abell [MVP] on April 20, 2006, 10:25 am

>I have looked into this before due to seeing conflicting information from
>different sources. I had also posted the question to one of the MS
>newsgroups here (can't find it right now though) and got a great answer.
>Now I have come across what I think is an incorrect statement and would
>like to verify this here.
>
> The bottom line from the great reply I had gotten previously on this issue
> is that the 'domain' Backup Operators group is NOT really a 'domain
> local' group. It is a 'built in' group which means it does NOT have domain
> affinity. This means the SID of the group does not contain the portion
> that relates it to a domain. Therefore it can only be used on the 'local'
> machine. In the case of a domain controller, each one shares the same
> account database (active directory) and so the Backup Operators group from
> active directory only has backup/restore rights on *domain controllers*,
> not all member servers (which is what I see stated some places as I will
> show below).
>
> so when you see 'domain Backup Operators' this is not a group with
> privilege over the whole domain. A better name would be 'DC Backup
> Operators'.
>
> the following statement is from a Measure Up practice exam explanation:
> "The Backup Operators group in Active Directory is a domain local group.
> If you add Joanne as a member of the domain Backup Operators group, she
> will have backup and restore rights on all member servers in the domain."
>
> this statement IS incorrect right?
>

not in the default condition of a newly added member server



Posted by Roger Abell [MVP] on April 20, 2006, 11:55 am
>> "The Backup Operators group in Active Directory is a domain local group.
>> If you add Joanne as a member of the domain Backup Operators group, she
>> will have backup and restore rights on all member servers in the domain."
>>
>> this statement IS incorrect right?
>>
>
> not in the default condition of a newly added member server
>
I guess that was less than clear. Response was assessment of quoted
statement, not answer to posed question.



Posted by djc on April 20, 2006, 2:19 pm
Hi Roger,
I appreciate the reply but I have no idea what you are saying. I think the
answer is a yes/no type. Or, if it's a 'depends on the situation' type of
answer then an explanation usually follows. ;)

any further clarification?

>>> "The Backup Operators group in Active Directory is a domain local group.
>>> If you add Joanne as a member of the domain Backup Operators group, she
>>> will have backup and restore rights on all member servers in the
>>> domain."
>>>
>>> this statement IS incorrect right?
>>>
>>
>> not in the default condition of a newly added member server
>>
> I guess that was less than clear. Response was assessment of quoted
> statement, not answer to posed question.
>
>



Posted by Roger Abell [MVP] on April 20, 2006, 3:45 pm
> Hi Roger,
> I appreciate the reply but I have no idea what you are saying. I think the
> answer is a yes/no type. Or, if it's a 'depends on the situation' type of
> answer then an explanation usually follows. ;)
>
> any further clarification?
>

. . . only that the statement is incorrect if the members are in the
configuration they are left in by default. That Backup Operators is a
built-in domain local group with a well-known SID is just detractor
information - not really relevant.
There are only two groups from a domain that get added to a member's
groups or other rights/privileges when the member joins: Domain Admins
gets added to the member's Administrators and Domain Users to its Users.
Neither of these have bearing on backup rights. Hence, if the members of
Backup Operators have any permission to back up a member it must be due
to a custom configuration made after the join.

You see, the problem I have with questions like the one you presented is
that they (almost) never say "if things are as configured by install" or
"... as left by the domain joining". So, as stated, it may or may not work
as they say, it all depends on how the machines have or have not been
configured.

All I was saying is, if it is as the join leaves things, then no, the
statement is bogus.


>>>> "The Backup Operators group in Active Directory is a domain local
>>>> group. If you add Joanne as a member of the domain Backup Operators
>>>> group, she will have backup and restore rights on all member servers in
>>>> the domain."
>>>>
>>>> this statement IS incorrect right?
>>>>
>>>
>>> not in the default condition of a newly added member server
>>>
>> I guess that was less than clear. Response was assessment of quoted
>> statement, not answer to posed question.
>>
>>
>
>
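
A check for the point discussed in this thread, added here as an example and not posted by any participant: on a member server it lists who is in the machine's own Backup Operators group and who holds the backup and restore user rights, and shows whether each SID carries a domain portion. It assumes Windows PowerShell 5.1 or later, an elevated prompt, and a member server rather than a domain controller; `Get-SidScope` and the temp file name are made up for this example.

```powershell
# Added example: run elevated on a member server (not a domain controller).
# S-1-5-32-551 is the well-known SID of the built-in Backup Operators group.
$backupOps = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-551'

function Get-SidScope {
    # Hypothetical helper: reports whether a SID has an issuing domain/machine part.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # AccountDomainSid is $null for BUILTIN (S-1-5-32-*) and other non-account SIDs.
    if ($null -eq $Sid.AccountDomainSid) { 'builtin/well-known (no domain portion)' }
    else { "account SID issued by $($Sid.AccountDomainSid)" }
}

"Backup Operators {0}: {1}" -f $backupOps.Value, (Get-SidScope $backupOps)

# 1. Members of THIS machine's Backup Operators group. A PrincipalSource of
#    ActiveDirectory means someone added a domain principal after the join.
Get-LocalGroupMember -SID $backupOps |
    Select-Object Name, PrincipalSource, ObjectClass,
        @{ Name = 'Scope'; Expression = { Get-SidScope $_.SID } }

# 2. Principals holding the backup/restore user rights on this machine,
#    read from an export of the effective local security policy.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

foreach ($line in Get-Content $cfg) {
    if ($line -notmatch '^(SeBackupPrivilege|SeRestorePrivilege)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]
    foreach ($entry in ($Matches[2] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Entries written as *S-1-... are SIDs; resolve the name if possible.
            $sid  = [System.Security.Principal.SecurityIdentifier]$entry.Substring(1)
            $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { '<unresolved>' }
            [pscustomobject]@{ Right = $right; Principal = $name
                               Sid = $sid.Value; Scope = Get-SidScope $sid }
        } elseif ($entry) {
            # Some entries are exported as plain account names.
            [pscustomobject]@{ Right = $right; Principal = $entry
                               Sid = $null; Scope = 'name only in export' }
        }
    }
}
Remove-Item $cfg
```

Any domain account or domain group that shows up in either listing is a configuration made on that server or pushed to it after the join, which is the case the last reply distinguishes from the default.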


