How to make domain user for backup be part of backup operators group on one client?

Solution 1:

Yes - it is well known and by design that the domain's "Backup Operators" group is not the same as each machine's "Backup Operators" group. Just as the domain's "Administrators" group or "Remote Desktop Users" group does not automatically "sync" with the correlated local groups. They are objects with the same name existing in separate scopes.

"Backup Operators" is a built-in local group on all machines. As Domain Controllers don't really have local groups, the BUILTIN\Backup Operators group that is in the domain is effectively the "local" Backup Operators group for all Domain Controllers. In fact, all groups in the "BuiltIn" container are essentially the original local groups that existed on the first domain controller in the forest when it was first promoted. The Default Value in the linked article is referring to the local groups that have the stated User Right out of the box.

I would reconsider your current approach. What you have effectively achieved with numerous accounts in the domain's backup operators group (because of their backup privileges) is to exponentially widen the attack vector against your domain and sensitive data; each of these accounts (whose passwords are now stored all over your network) has the ability to remotely connect to a domain controller, perform a backup (obtain a copy of ntds.dit for offline analysis and cracking) and restore your Active Directory - or possibly a corrupted or compromised copy.

I would recommend removing these accounts from the domain group immediately.

One way to achieve something along the lines of what you're looking for is:

  1. Create a new security group "local-backup-operators" or something
  2. Add the backup user to this new domain group
  3. Use a GPO (Restricted Groups) or GP Preference that ensures that "local-backup-operators" is a member of the local "Backup Operators" group on each machine.

How to more easily achieve this with a dedicated user account per machine (my take on it):

  1. Create a user for each computer you wish to backup - call it what you want but for this example on SERVER01, create a user "DOMAIN\bkp_SERVER01"
  2. Create a "Local Users and Groups" Group Policy Preference Item in a new or existing Group Policy.
  3. Action: Update; Group: Backup Operators; Members: Add - "bkp_%ComputerName%" (literally, use the environment variable)
  4. Profit. Group Policy will expand the variable at runtime and search for a user/group matching that name and add the principal to the local backup operators group.

Caveat: You will get warning events generated in the logs on machines if the named account doesn't exist. Either exclude those machines from the GPO, or just deal with the events.

Sample: [screenshot of the Group Policy Preference item, not reproduced here]
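As an added example (not part of the answer above), the following PowerShell script does the checks that go with this approach: it audits who is in the domain's Backup Operators group, finds computers that lack a matching per-machine account (which would produce the warning events mentioned in the caveat), and verifies the resulting local group membership on one server. It assumes the RSAT ActiveDirectory module, PowerShell 5.1 or later, and the naming convention from the answer (bkp_<ComputerName>, server name SERVER01); the server filter is an assumption you should adapt.

```powershell
# Added example, not code from the original answer.
# Assumes: ActiveDirectory module installed, rights to read AD and to run
# remote commands, and per-machine accounts named bkp_<ComputerName>.
Import-Module ActiveDirectory

# 1. Audit the domain's BUILTIN\Backup Operators group. Any member here can
#    back up a domain controller, so it should contain only what you intend.
function Get-DomainBackupOperators {
    Get-ADGroupMember -Identity 'Backup Operators' -Recursive |
        Select-Object objectClass, SamAccountName, distinguishedName
}
$domainBackupOps = Get-DomainBackupOperators
if ($domainBackupOps) {
    Write-Warning 'The domain Backup Operators group is not empty:'
    $domainBackupOps | Format-Table -AutoSize
}

# 2. Pre-check for the GPP item: which computers have no bkp_<ComputerName>
#    user? On those, the preference cannot resolve the principal and will log
#    the warning events the answer describes. The OS filter is an assumption.
function Get-ComputersMissingBackupAccount {
    $computers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' `
        -Properties OperatingSystem
    foreach ($c in $computers) {
        $expected = "bkp_$($c.Name)"
        if (-not (Get-ADUser -Filter "SamAccountName -eq '$expected'")) {
            [pscustomobject]@{ Computer = $c.Name; MissingAccount = $expected }
        }
    }
}
Get-ComputersMissingBackupAccount | Format-Table -AutoSize

# 3. After gpupdate on the target, confirm the local group holds only the
#    expected principal (PrincipalSource tells you local vs. ActiveDirectory).
function Get-LocalBackupOperators {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Backup Operators' |
            Select-Object Name, PrincipalSource, ObjectClass
    }
}
Get-LocalBackupOperators -ComputerName 'SERVER01' | Format-Table -AutoSize
```

Run step 2 before linking the GPO so you can either create the missing accounts or exclude those machines, rather than discovering the gaps from event logs afterwards.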