There are two parts to the backup solution.  The first only requires
backup operator rights and does normal system level backups/restores
and non AD level file recovery.  No issues there.

The additional rights come from their method of dealing with AD and
restoring individual objects in AD.  Basically, as I understand it
(and has been discussed on this great list before), when an object is
deleted it is stripped of most of its attributes and placed in a
hidden deleted items folder.  The application in order to restore an
object keeps a database of the attributes and when restoring takes the
items out of that area and puts back on the stripped out information. 
At least that's how I understand it.  Could be wrong as am still
looking at it.

So.  In order to do the second part, it needs lots of rights which is
a question which should have been asked beforehand.

Right now we're trying to get them to tell us exactly what has to have
permissions and the answer remains "domain admins" or something real
close to it which they have not been able to define very well.

I'm not even real sure if these permissions they are saying are enough.
I really think the only way they've tested it is under domain admin
rights and there may be reasons in AD that require that....

Steve

On Wed, 4 Aug 2004 15:06:48 -0400 , Mulnick, Al <[EMAIL PROTECTED]> wrote:
> Seems that's not so easy as to find an easy vbscript for it.  Found some c++
> for it but that doesn't sound like what you want :)  How many OU's do you
> have?
> 
> Also, what POS backup system are you deploying? I'd like to stay as far away
> from that company as I possibly can.  And since you have the rights to
> remove these settings, you probably also know the reason they were set in
> the first place.  Seems strange that you can so easily remove those rights
> though.
> 
> Al
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve
> Sent: Tuesday, August 03, 2004 6:07 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Changing permissions in AD
> 
> Question:  A particular backup solution requires one of the following
> rights:  Either grant it full domain admin rights over the entire domain, or
> grant it read, write, and create objects in the entire domain. (which is
> pretty close to domain admin)
> 
> If I use Delegation or manually add the rights at the domain level
> everything works as expected.  All objects receive the rights except those
> OU's/Objects which explicitly have inherit permissions denied.
> 
> Is there an easy way to overwrite the deny inheritance setting?  Or is there a
> utility that I could use to do this with?
> 
> I can go through ADUC and grant the rights manually, but I would rather have
> an automated solution for this problem.
> 
> I would expect that this is a common request rather than just giving up full
> domain admin rights and I'm looking for a better, smarter way of dealing
> with it.
> 
> Thanks
> 
> Steve
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
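
The thread asks how to find the OUs that block permission inheritance before deciding what to grant a backup account. One read-only way to list them, as an added example that is not part of the original messages: it assumes the ActiveDirectory PowerShell module (RSAT) is installed, covers OUs only (not other object types), and the account name `CONTOSO\svc-backup` is hypothetical.

```powershell
# Added example, not from the thread. Read-only: it changes no ACLs.
# Assumes the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

function Get-BlockedInheritanceOU {
    param(
        # Account whose explicit rights should be reported (hypothetical name
        # in the call below; substitute the real backup service account).
        [Parameter(Mandatory)] [string] $Principal
    )

    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $ou  = $_
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"

        # AreAccessRulesProtected is $true when the OU does not accept
        # inheritable ACEs from its parent ("inheritance blocked").
        if ($acl.AreAccessRulesProtected) {
            # ACEs set directly on this OU for the account in question.
            $explicit = @($acl.Access | Where-Object {
                -not $_.IsInherited -and
                $_.IdentityReference.Value -eq $Principal
            })

            [pscustomobject]@{
                OU               = $ou.DistinguishedName
                ExplicitAceCount = $explicit.Count
                AllowOrDeny      = ($explicit.AccessControlType |
                                    Sort-Object -Unique) -join ', '
                Rights           = ($explicit.ActiveDirectoryRights |
                                    Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Report every OU that a domain-level delegation will not reach, and what
# the account already holds there.
Get-BlockedInheritanceOU -Principal 'CONTOSO\svc-backup' |
    Sort-Object OU |
    Format-Table -AutoSize
```

An `ExplicitAceCount` of 0 marks an OU where rights delegated at the domain level never arrive, which is the list Steve would otherwise have to walk by hand in ADUC.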
