DPM 2012 still requires putting end users into local admin groups for the purpose of end user data recovery?

  • Question

  • On client computers that are protected by DPM 2010 and prior versions, you had to put the end user's account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.”  This is not ideal on many networks because the end users are not allowed to have local administrator access.

    The fix for this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.

    This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.

    One would think this issue should have been resolved in DPM 2012; however, I am encountering the exact same issue and had to include end users in the workstation local admin group before they could search for recovery points on the DPM server. This is not acceptable practice.

    Is there a new hotfix for the same issue on DPM 2012? I am hesitant to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not be applicable to version 2012.

    Please help.

    Thanks,

    Friday, June 22, 2012 8:42 PM

Answers

  • Hi,

    You only need to add the registry entries on the client machines same as on DPM 2010.  The DPM 2012 DPMRA Agent should still honor the keys.  I agree we need to ADD the following to the DPM 2012 technet tree. 

    <snip>
    The administrator of a client computer must set the names of non-admin users who have to have permissions to perform end-user recovery of protected data of a client computer. To do this, the administrator must add the following registry key and value for each of these non-admin users. This is a single key that contains a comma-separated list of client users. You do not have to add this key separately for each non-admin user. 

    Registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection
    REG_SZ: ClientOwners
    Value: Names of non-admin users. This should be a comma-separated list of user names without any leading or trailing spaces, as in the following example: domain1\user1,domain1\user2,domain1\user3 (and so on)
    >snip<

    In the meantime, leverage the following blog:

    http://blogs.technet.com/b/dpm/archive/2011/05/10/how-to-configure-the-dpm-client-to-allow-non-admin-users-to-perform-end-user-recovery-of-dpm-protected-data.aspx


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.


    Sunday, June 24, 2012 6:23 PM
    Moderator

All replies

  • Hi Sam,

    This issue was not resolved in 2012. I agree with you on not applying the hotfix for 2010 on a 2012 server. Can anyone from MS chime in and let us know if there will be a hotfix to correct this in 2012?


    My Blog | www.buchatech.com | www.dpm2010.com

    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!


    Sunday, June 24, 2012 3:14 AM
    Moderator
  • Hi Mike,

    Is there a way to set the "Value: Names of non-admin users." to a domain group vs individual domain users?


    My Blog | www.buchatech.com | www.dpm2010.com



    Sunday, June 24, 2012 6:49 PM
    Moderator
  • Hi,

    To the best of my knowledge, it's user specific.  But you can make an EUR.reg file as follows and add all the users at once.

    Windows Registry Editor Version 5.00

    ; one REG_SZ value under the ClientProtection key; backslashes are doubled in .reg syntax
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]
    "ClientOwners"="Domain\\Username1,Domain\\Username2"


    Regards, Mike J. [MSFT]

    Monday, June 25, 2012 5:39 PM
    Moderator
  • Hi Mike,

    Thanks for the response. This is what I had in mind and the reason behind that question. In an enterprise environment with thousands of users/clients adding all users to the file may not be the best option. It would make more sense to put in a user group such as "domainname\domain users" and push the registry entry out to the client computers globally using SCCM or group policy. If you are rolling out client protection chances are you want to protect all clients on the network. Are there any plans to update this in future updates to DPM?


    My Blog | www.buchatech.com | www.dpm2010.com




    Tuesday, June 26, 2012 3:17 AM
    Moderator
  • Hi,

    I'm not aware of any enhancements in this area.  However, I'm not sure you would want all users to be able to recover data from all workstations in the entire enterprise.  Most users work from a single machine, and thus only a single entry would need to be added.  I can see shift workers sharing a single machine and allowing all users that share the machine to do EUR recoveries, but again, that would still be a small number of users per machine. 


    Regards, Mike J. [MSFT]

    Tuesday, June 26, 2012 3:48 AM
    Moderator
  • We do want all of our users to be able to restore their own files.  Sorry, but our schools have both teachers and students jumping from machine to machine up to 7 times per day as they move from class to class.  Only a few office staff are stable at their machines and, with the exception of a few office staff with old programs that require admin permissions, no one is a local admin.

    This makes EUR entirely unusable if we have to manually maintain either individual registries on each computer or a Group Policy preference registry entry with a list of individual users.  Either way we would be constantly updating something.  This would be more work than just restoring the backup for the user by hand.

    Wednesday, October 24, 2012 7:35 PM
  • Hi,

    OK then make a dedicated user called "recovery" with a strong password that cannot be changed and add that single username to the registry on all student machines.  That way all students can log on as the user "recovery" and perform restores from any machine. 


    Regards, Mike J. [MSFT]

    Wednesday, October 24, 2012 10:29 PM
    Moderator
  • Wouldn't that "recovery" account need blanket read access to the dpm share?
    Thursday, October 25, 2012 3:03 PM
  • Hi,

    Each user account in the registry is given permissions to the recovery point at the time of creation.  So when a user performs an EUR, the list of machines with recovery points he has permissions to is displayed. Once they select the machine, they can double-click on the recovery point time they need to copy files from, and DPM will mount that recovery point on the DPM server, share it out at that time and give that user read permissions.


    Regards, Mike J. [MSFT]

    Thursday, October 25, 2012 3:10 PM
    Moderator
  • I knew that much, but doesn't elevating it with a different account change who is actually trying to access that file?

    When I run GPResult on an elevated command prompt it doesn't return the student's GP but the admin's instead.  Would this not function similarly?

    Thursday, October 25, 2012 3:43 PM
  • Hi,

    Don't know anything about gpresult, so can't comment.


    Regards, Mike J. [MSFT]

    Thursday, October 25, 2012 4:27 PM
    Moderator
  • You could eventually create an "Expandable String Value" key (REG_EXPAND_SZ) and use Environment Variables such as %USERDOMAIN%\%USERNAME% if you are looking for a generic solution to be deployed via GPO.

    Haven't tested on DPM 2010, but seems to work fine on DPM 2012 SP1.

    Thursday, September 5, 2013 3:29 PM
  • This is a hands-off solution to allow all users that use a machine to be able to restore their own files.


    1) Make these two cmd files and save them in c:\temp
    2) Using Windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.

    <addperms.cmd>
    rem /v turns on delayed expansion so !users! can grow inside the FOR loop in addreg.cmd
    Cmd.exe /v /c c:\temp\addreg.cmd


    <addreg.cmd>
    rem must run elevated: REG IMPORT writes under HKEY_LOCAL_MACHINE
    set users=
    echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
    rem one DOMAIN\\user entry per profile folder under c:\users (/ad = directories only; backslash doubled for .reg syntax)
    FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b /ad') do set users=!users!%Userdomain%\\%%n,
    rem bogususer absorbs the trailing comma left by the loop; ^" keeps the quotes literal in the .reg file
    echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
    REG IMPORT c:\temp\perms.reg
    Del c:\temp\perms.reg


    Regards, Mike J. [MSFT]

    Thursday, September 5, 2013 4:18 PM
    Moderator
  • That's a good one! Thanks for that.

    I've been scripting in KiX for some time, so here is mine; hope it helps someone... (it's probably not the best, but it works)

    ========================================================================

    ; 32-bit KiX on 64-bit Windows: write the native (64-bit) registry view the DPM agent reads
    $RC = SetOption("WOW64AlternateRegView", "on")
    $DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"

    $uservariable = "%userdomain%\%username%"

    If KeyExist($DPMkey)
        $Userstring = ReadValue($DPMkey, "ClientOwners")

        If $Userstring == ""
            ; documented type is REG_SZ: one comma-separated string
            WriteValue($DPMkey, "ClientOwners", $uservariable, "REG_SZ")
            ? "Key created"
        Else
            ; append only if this user is not already listed
            If Not InStr($Userstring, $uservariable)
                $Userstring = "$Userstring,$uservariable"
                WriteValue($DPMkey, "ClientOwners", $Userstring, "REG_SZ")
            EndIf
        EndIf
    EndIf

    ==========================================================================

    The problem actually is that you still need to use an admin account to write to the registry, so ensure you configure it properly on the scheduled task.


    In case you use a service account on the scheduled task... the "$uservariable" will get populated with that account. As a workaround to this... I changed it to the following line:

    =========================================================

    $uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")

    =========================================================

    The only problem with that is that the key gets created/updated only if a user logs on physically at that PC, but it will not work for anyone connecting through RDP.

    • Edited by The Cuq Friday, September 6, 2013 4:12 PM Adding a note.
    Friday, September 6, 2013 3:44 PM
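    As an added example that is not part of this thread and not DPM's own code, the following PowerShell does what the addreg.cmd and KiX scripts above do, for use as an elevated daily scheduled task on the client. The ClientProtection key and the ClientOwners REG_SZ value are the ones documented earlier in the thread; the ProfileList key is the standard Windows location that maps profile SIDs to profile folders; the function names are my own. It resolves each profile SID to DOMAIN\user instead of reading %USERNAME% or LastLoggedOnSAMUser, so it does not depend on which account runs the task and it also picks up users who only ever connect through RDP.

```powershell
# Added example, not from the thread or from DPM. Assumes the DPM key/value documented
# above and must run elevated from 64-bit PowerShell (native registry view), e.g. as a
# daily scheduled task under SYSTEM.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection'
$ValueName = 'ClientOwners'

function Get-ClientOwners {
    # Current entries as a trimmed string array; empty if the key or value is absent.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return @() }
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item -or [string]::IsNullOrWhiteSpace($item.$ValueName)) { return @() }
    return @($item.$ValueName -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Get-ProfiledDomainUsers {
    # DOMAIN\user for every account that has a local profile (console and RDP logons alike).
    # Built-in service SIDs are skipped; SIDs that cannot be resolved (deleted account,
    # no domain connectivity) are skipped rather than written as raw SIDs.
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -LiteralPath $profileList |
        ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -like 'S-1-5-21-*' } |
        ForEach-Object {
            try {
                ([System.Security.Principal.SecurityIdentifier]$_).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { }
        }
}

function Set-ClientOwners {
    # Merges $Users into ClientOwners without duplicates (case-insensitive) or stray
    # spaces and writes it back as REG_SZ, creating the key if it does not exist yet.
    param([AllowEmptyCollection()][string[]]$Users = @())
    $merged = [System.Collections.Generic.List[string]]::new()
    foreach ($u in @(Get-ClientOwners) + $Users) {
        $u = $u.Trim()
        if ($u -and -not ($merged -contains $u)) { $merged.Add($u) }
    }
    if (-not (Test-Path -LiteralPath $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType String `
        -Value ($merged -join ',') -Force | Out-Null
    return $merged.ToArray()
}

# Usage: let every account that has logged on to this machine run end-user recovery
# for its own recovery points.
$result = Set-ClientOwners -Users @(Get-ProfiledDomainUsers)
Write-Output "ClientOwners now: $($result -join ',')"
```

    Two things to keep in mind when using this: the value only affects recovery points created after the user was added, since (as Mike notes above) DPM grants the user permission to a recovery point at the time the recovery point is created, and the list is rewritten as a whole on each run, so an account whose SID can no longer be resolved is kept if it was already present but is never added fresh.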
  • Same question but about DPM 2012 R2.

    Why can't a user who selected some folders to back up restore them later? I don't want to give users local admin rights.

    Thursday, February 13, 2014 11:20 AM
  • Hi,

    Same answer, add the user to the registry as described above. That is not the same as making them a local administrator.


    Regards, Mike J. [MSFT]

    Thursday, February 13, 2014 2:06 PM
    Moderator