none
Registry "ClientOwners" and AD Groups / EUR disappearance RRS feed

  • Question

  • I'm aware that to enable non-administrators the ability to do a recovery from the server with DPM 2010 you have to add the ClientOwners multi-string value to the registry. In our environment, however, it would be very cumbersome to add each user on every computer we have in the registry.   I haven't seen anything saying that this value could be a group in AD. I didn't seem to have any success when I tried to test this out.

     

    Can anyone confirm/clarify? 

     

    Also, and slightly off topic, at one point without having pushed out the AD schema extension I was able to view previous versions on the "Previous Versions" tab of a file. However, that has since disappeared for no apparent reason to me.  Anyone have any ideas why I could at one point but cannot now?

     

    Thanks


    • Edited by robdtec Monday, October 10, 2011 7:39 PM
    Monday, October 10, 2011 7:21 PM

Answers

  • Hi Robdtec,

    I don't believe using an AD group is going to work.  DPM keeps track of users permissions who are allowed to access recovery points on the DPM server for that specific computer by reading the users in the registry key and adding them to the access control manager database. I don't believe the new DPM code was written to expand out users in an AD group.

    Previous versions tab is populated by "local shadow copies" on the laptop, and is not dependent on extending the schema for End User Recover of file server data.   If you have no previous versions, then check to see how much free space you have on your local drive, if there is not enough free space then local shadow copies cannot be maintained.   You can run "vssadmin list shadows" from administrative command prompt to see if you have any local shadow copies.   Local Shadow Copies should be created using the same scheduled time as recovery points on the DPM server.


    Regards, Mike J. [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, October 10, 2011 10:43 PM
    Moderator

All replies

  • Hi robdtec,

    What I thik you are refering to is EUR or End User Recovery. This is a feature in DPM2010 that allows the end user to preform resotre of files and folders on a file server.

    There are some must know's before you implement this function:

    1. You will alter your Active Directory Schema
    2. Verify that your clients meet the prerequists regarding OS
    3. Have you NTFS rights verified on the share that you would let the end user preform recoery operations

    Have a look at my blogpost regardig more information regarding EUR: http://robertanddpm.blogspot.com/2011/02/eur.html 


    Best Regards

    Robert Hedblom

    MVP DPM

     


    Check out my DPM blog @ http://robertanddpm.blogspot.com


    Monday, October 10, 2011 8:58 PM
    Moderator
  • Sorry, maybe my question was confusing.

    The first part has to do with the section of http://support.microsoft.com/kb/2465832 where it says the QFE fixes: "If you are not the administrator on a client computer, you cannot perform an end-user recovery of protected data on the client computer." (see http://scug.be/blogs/scdpm/archive/2011/03/11/getting-the-non-administrator-client-recovery-working-in-dpm-2010.aspx for more information)

    Essentially the examples show putting in Domain\Username in the field but I was wondering if its supported to use Domain\GroupName and have it still work.

     

    The second question wasn't really asking how to install the schema. At some point during my trial (where I didn't extend AD), I was able to see things listed under the "Previous versions" tab of a file's properties. However, that disappeared when I don't recall having changed anything except bringing my laptop back to my network.  Does anyone know why I could see these things when I hadn't extended the schema and now I cannot?

    Monday, October 10, 2011 9:30 PM
  • Hi Robdtec,

    I don't believe using an AD group is going to work.  DPM keeps track of users permissions who are allowed to access recovery points on the DPM server for that specific computer by reading the users in the registry key and adding them to the access control manager database. I don't believe the new DPM code was written to expand out users in an AD group.

    Previous versions tab is populated by "local shadow copies" on the laptop, and is not dependent on extending the schema for End User Recover of file server data.   If you have no previous versions, then check to see how much free space you have on your local drive, if there is not enough free space then local shadow copies cannot be maintained.   You can run "vssadmin list shadows" from administrative command prompt to see if you have any local shadow copies.   Local Shadow Copies should be created using the same scheduled time as recovery points on the DPM server.


    Regards, Mike J. [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, October 10, 2011 10:43 PM
    Moderator