Creating a service account with restricted permissions

Best practice for your DATASTOR software installation and configuration is to run tasks with a service account.

In a domain environment, a group policy can be created to configure the service account as a member of the local Administrators group of each computer in the domain without making the account a member of the Domain Admins security group.

1) Create a "DATASTOR Service" user in Active Directory Users and Computers in the Users folder.
 


Use a strong password and check the box 'Password never expires'.


2. Create a "DATASTOR Service Group" security group in Active Directory Users and Computers in the Users folder.
 



3) Add the 'DATASTOR Service' user to the group. Double click the 'DATASTOR Service Group' group, click the Members tab, and Add the 'DATASTOR Service' user account. Then, click OK.
 



4) Create a new group policy to be applied to domain computers. Open 'Group Policy Management' in the 'Administrative tools' on your domain controller. Right click the domain by its name and select 'Create a GPO in this domain, and Link it here...'. Name the GPO 'DATASTOR Service GPO'.
 




5) Click on the 'DATASTOR Service GPO in the left pane, then right click it and select 'Edit'.  In the Group Policy Management Editor, expand "Computer Configuration” > “Policies” > “Windows Settings “ > “Security Settings” > “Restricted Groups”, then right click it and select 'Add Group'.


6) In the “Add Groups” window add the 'DATASTOR Service Group'. Once added, a properties window opens. Next to the bottom white box, click the Add... button. Add the 'Administrators' group and then repeat the process to add the Backup Operators group. Then click OK.
 


Note: To make the DATASTOR Service Group a member of Administrators and Backup Operators groups on client machines, make sure to use the bottom white box labeled "This group is a member of:'. 

Group Policy Management will now show the settings defined above on the Settings tab of the DATASTOR Service GPO.
 


7) Close all windows and wait for group policies to replicate to client machines or open a command prompt as administrator on the client machines and force replication with command gpupdate /force.


The service account can be used to log onto the server hosting the main administrative tool, Archive Manager and communicate with remote computers, create protection plans, modify schedules, view the event logs of the remote computer, or start or end the plan. Further, the 'DATASTOR service' account can be added to the Archive Manager properties > User account tab and stored in an encrypted format so Archive Manager uses these credentials without prompting the user for credentials.