time-clock-circle multiple-users-1 bin-paper-1 smiley-indifferent view-off alert-diamond envelope-letter rating-star network-browser pencil-write ticket-1 button-record headphones-customer-support close synchronize-arrows-1 common-file-stack close-quote arrow-down-2 multiple-circle attachment-1 folder-file-1 disable smiley-indifferent shield-warning love-it smiley-smile-1_1 check-circle-1 time-clock-midnight floppy-disk view smiley-unhappy book-star lock-unlock-1 arrow-right-1 archive smiley-unhappy send-email-1 hierarchy-9 open-quote add-circle-bold search remove-circle cog-1 filter-1 hyperlink-2 analytics-pie-2 flying-insect-honey navigation-menu-horizontal pencil-1 smiley-thrilled check-1 arrow-up-1 lock-2 navigation-menu add layout-module-1 archive arrow-left-1 wench arrow-down-1 multiple-neutral-1 expand-6 close drawer-send alarm-bell-1 social-media-twitter keyboard-arrow-up ticket-1 copy-paste rating-star download-thick-bottom information-circle smiley-sad-1 single-neutral-actions remove-square-1 file-code pencil-1 keyboard-arrow-down smiley-sad-1 cog single-neutral add-circle move-to-top list-bullets expand-6 undo tags-double smiley-happy view-1 messages-bubble-square print-text add-square smiley-happy credit-card-1 envelope-letter diagram-fall-down

Creating a service account with restricted permissions

Best practice for your DATASTOR software installation and configuration is to run tasks with a service account.

In a domain environment, a group policy can be created to configure the service account as a member of the local Administrators group of each computer in the domain without making the account a member of the Domain Admins security group.

1) Create a "DATASTOR Service" user in Active Directory Users and Computers in the Users folder.

Use a strong password and check the box 'Password never expires'.

2. Create a "DATASTOR Service Group" security group in Active Directory Users and Computers in the Users folder.

3) Add the 'DATASTOR Service' user to the group. Double click the 'DATASTOR Service Group' group, click the Members tab, and Add the 'DATASTOR Service' user account. Then, click OK.

4) Create a new group policy to be applied to domain computers. Open 'Group Policy Management' in the 'Administrative tools' on your domain controller. Right click the domain by its name and select 'Create a GPO in this domain, and Link it here...'. Name the GPO 'DATASTOR Service GPO'.

5) Click on the 'DATASTOR Service GPO in the left pane, then right click it and select 'Edit'.  In the Group Policy Management Editor, expand "Computer Configuration” > “Policies” > “Windows Settings “ > “Security Settings” > “Restricted Groups”, then right click it and select 'Add Group'.

6) In the “Add Groups” window add the 'DATASTOR Service Group'. Once added, a properties window opens. Next to the bottom white box, click the Add... button. Add the 'Administrators' group and then repeat the process to add the Backup Operators group. Then click OK.

Note: To make the DATASTOR Service Group a member of Administrators and Backup Operators groups on client machines, make sure to use the bottom white box labeled "This group is a member of:'. 

Group Policy Management will now show the settings defined above on the Settings tab of the DATASTOR Service GPO.

7) Close all windows and wait for group policies to replicate to client machines or open a command prompt as administrator on the client machines and force replication with command gpupdate /force.

The service account can be used to log onto the server hosting the main administrative tool, Archive Manager and communicate with remote computers, create protection plans, modify schedules, view the event logs of the remote computer, or start or end the plan. Further, the 'DATASTOR service' account can be added to the Archive Manager properties > User account tab and stored in an encrypted format so Archive Manager uses these credentials without prompting the user for credentials.