How to make domain user for backup be part of backup operators group on one client?

active-directory windows-server-2019

Solution 1:

Yes - it is well known and by design that the domain's "Backup Operators" group is not the same as each machine's "Backup Operators" group. Just as the domain's "Administrators" group or "Remote Desktop Users" group does not automatically "sync" with the correlated local groups. They are objects with the same name existing in separate scopes.

"Backup Operators" is a built-in local group on all machines. As Domain Controllers don't really have local groups, the BUILTIN\Backup Operators group that is in the domain is effectively the "local" Backup Operators group for all Domain Controllers. In fact, all groups in the "BuiltIn" container are essentially the original local groups that existed on the first domain controller in the forest when it was first promoted. The Default Value in the linked article is referring to the local groups that have the stated User Right out of the box.

I would reconsider your current approach. What you have effectively achieved with numerous accounts in the domain's backup operators group (because of their backup privileges) is exponentially widen the attack vector against your domain and sensitive data; each of these accounts (whose passwords are now stored all over your network) have the ability to remotely connect to a domain controller, perform a backup (obtain a copy of ntds.dit for offline analysis and cracking) and restore your Active Directory - or possibly a corrupted or compromised copy.

I would recommend removing these accounts from the domain group immediately.

One to achieve something along the lines of what you're looking for is:

  1. Create a new security group "local-backup-operators" or something
  2. Add the backup user to this new domain group
  3. Use a GPO (Restricted Groups) or GP Preference that ensures that "local-backup-operators" is a member of the local "Backup Operators" group on each machine.

How to more easily achieve this with a dedicated user account per-machine (my take on it).

  1. Create a user for each computer you wish to backup - call it what you want but for this example on SERVER01, create a user "DOMAIN\bkp_SERVER01"
  2. Create a "Local Users and Groups" Group Policy Preference Item in a new or existing Group Policy.
  3. Action: Update; Group: Backup Operators; Members: Add - "bkp_%ComputerName% (literally, use the environment variable)
  4. Profit. Group Policy will expand the variable at runtime and search for a user/group matching that name and add the principal to the local backup operators group.

Caveat: You will get warning events generated in the logs on machines if the named account doesn't exist. Either exclude those machines from the GPO, or just deal with the events.

Sample:

enter image description here

Related

Is AWS Lifecycle Manager the recommended way to back up root EBS drives?
How to configure NGINX to route external request to my stage and production docker hosts
Clarification on certificate bundle vs certificate chain
Correct way to show only TCP packets in wireshark
Openvpn: Subnets for different groups - Destination host unreachable
Trouble Configuring Subdomain on Digital Ocean
nsjail process does not have network access
domain CNAME to subdomain [duplicate]
Issue with LSI SAS2116 - no drives being detected on Fedora 32 kernel 5.8.*
Are dot matrix printers still used anywhere?
nfs server on linux with windows 10 client [closed]
Reliable transfer protocol designed for a known static bottleneck size and high packet loss?