add-circle-bold add-circle add-square add alarm-bell-1 alert-diamond analytics-pie-2 archive archive arrow-down-1 arrow-down-2 arrow-left-1 arrow-right-1 arrow-up-1 attachment-1 bin-paper-1 book-star button-record check-1 check-circle-1 close close-quote close cog-1 cog common-file-stack copy-paste credit-card-1 diagram-fall-down disable time-clock-midnight download-thick-bottom drawer-send envelope-letter envelope-letter expand-6 expand-6 file-code filter-1 floppy-disk flying-insect-honey folder-file-1 headphones-customer-support hierarchy-9 hyperlink-2 information-circle keyboard-arrow-down keyboard-arrow-up layout-module-1 list-bullets lock-2 lock-unlock-1 love-it messages-bubble-square move-to-top multiple-circle multiple-neutral-1 multiple-users-1 navigation-menu-horizontal navigation-menu network-browser open-quote pencil-1 pencil-write pencil-1 print-text rating-star rating-star remove-circle remove-square-1 search send-email-1 shield-warning single-neutral-actions single-neutral smiley-sad-1 smiley-unhappy smiley-indifferent smiley-smile-1_1 smiley-happy smiley-sad-1 smiley-unhappy smiley-indifferent smiley-happy smiley-thrilled social-media-twitter synchronize-arrows-1 tags-double ticket-1 ticket-1 time-clock-circle undo view-1 view-off view wench

Creating a service account with restricted permissions

Best practice for your DATASTOR software installation and configuration is to run tasks with a service account.

In a domain environment, a group policy can be created to configure the service account as a member of the local Administrators group of each computer in the domain without making the account a member of the Domain Admins security group.

1) Create a "DATASTOR Service" user in Active Directory Users and Computers in the Users folder.

Use a strong password and check the box 'Password never expires'.

2. Create a "DATASTOR Service Group" security group in Active Directory Users and Computers in the Users folder.

3) Add the 'DATASTOR Service' user to the group. Double click the 'DATASTOR Service Group' group, click the Members tab, and Add the 'DATASTOR Service' user account. Then, click OK.

4) Create a new group policy to be applied to domain computers. Open 'Group Policy Management' in the 'Administrative tools' on your domain controller. Right click the domain by its name and select 'Create a GPO in this domain, and Link it here...'. Name the GPO 'DATASTOR Service GPO'.

5) Click on the 'DATASTOR Service GPO in the left pane, then right click it and select 'Edit'.  In the Group Policy Management Editor, expand "Computer Configuration” > “Policies” > “Windows Settings “ > “Security Settings” > “Restricted Groups”, then right click it and select 'Add Group'.

6) In the “Add Groups” window add the 'DATASTOR Service Group'. Once added, a properties window opens. Next to the bottom white box, click the Add... button. Add the 'Administrators' group and then repeat the process to add the Backup Operators group. Then click OK.

Note: To make the DATASTOR Service Group a member of Administrators and Backup Operators groups on client machines, make sure to use the bottom white box labeled "This group is a member of:'. 

Group Policy Management will now show the settings defined above on the Settings tab of the DATASTOR Service GPO.

7) Close all windows and wait for group policies to replicate to client machines or open a command prompt as administrator on the client machines and force replication with command gpupdate /force.

The service account can be used to log onto the server hosting the main administrative tool, Archive Manager and communicate with remote computers, create protection plans, modify schedules, view the event logs of the remote computer, or start or end the plan. Further, the 'DATASTOR service' account can be added to the Archive Manager properties > User account tab and stored in an encrypted format so Archive Manager uses these credentials without prompting the user for credentials.