Proper minimum permissions for the service account running the RMAD Portal Service
Permissions for "accessing the computer using" (Recovery Manager Portal, Configuration tab, Recovery Manager for Active Directory Instances section) when adding an RMAD instance
Permissions for "accessing domain using" (Recovery Manager Portal, Configuration tab, Active Directory Domains section) when adding a new AD domain. Pros/cons of using the default permissions versus alternate credentials
Purpose for "Grant restore rights to all domain admins" checkbox (Recovery Manager Portal, Configuration tab, Active Directory Domains section - when adding a new Active Directory domain) when using explicit delegation
Where are the settings saved?
When using the RMAD Portal groups created on the local RMAD server during RMAD Portal installation, how does the delegation hyperlink complement the group membership, specifically when the target user is a member of both "Recovery Manager Portal - Configuration Admins" and "Recovery Manager Portal - Recovery Operators"?
Resolution
This account should be a member of the "Domain Users" group and of the local "Administrators" group. If this account is used to access the SQL Server database, run the installer under this account. Also refer to KB article 128726 (https://support.quest.com/recovery-manager-for-ad/kb/128726). This account runs the "RecoveryManagerPortal" IIS application pool and the "RecoveryMgrPortal" service; it must be the same account in both cases. Under this account the RecoveryMgrPortal service reads the AD schema and configuration.
This account should be a member of the local "Administrators" group. It is used to authorize communication between the RecoveryMgrPortal and RecoveryMgrPortalAccess services.
This account is used to access the Default Naming Context of the particular domain and to perform search and restore operations, so the required permissions are identical to those listed in the "Perform a selective online restore of Active Directory objects" section of the documentation. If the Portal uses the default setting of agent-based restores (that is, "Use agentless" is not selected), the account needs Administrator rights on the DCs (either a member of Domain Admins or of the built-in Administrators group). The option "Recovery Manager for Active Directory instance's credentials" can be configured with a local administrator account, which therefore has no access to the domain.
This checkbox makes it unnecessary to configure delegation for members of the "Domain Admins" group. In other words, a member of "Domain Admins" can restore any object in the entire domain. For other users, delegation must be configured where needed.
The delegation configuration is stored in the SQL database named DelegationStore.
All four local security groups control the availability of the corresponding UI element of the Portal, so when a user logs in to the Portal they see only the allowed UI elements: the Configuration tab, the Monitoring tab, the Undelete object button or the Recovery object button. When the user selects objects and starts a Restore or Undelete operation, every selected object is examined to verify that the current user has been delegated the right to restore/undelete objects in that object's container.
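The two-stage check described in the last two answers (local Portal group decides which UI element is shown; the delegation store and the "Grant restore rights to all domain admins" checkbox decide, per selected object, whether the restore may proceed) can be modelled as below. This is an added illustration, not Quest's code: only the Configuration Admins and Recovery Operators group names come from the text above, the other two group names are assumed, and the DNs, principals and delegation entries are constructed sample data.

```python
# Model of the Portal's authorization flow (illustration only, not Quest's implementation).
import re
from typing import Dict, Iterable, List, Set

# Local Portal group -> UI element it unlocks. The first two names appear in the KB text;
# the last two are ASSUMED names standing in for the remaining two groups.
UI_BY_GROUP: Dict[str, str] = {
    "Recovery Manager Portal - Configuration Admins": "Configuration tab",
    "Recovery Manager Portal - Recovery Operators": "Recovery object button",
    "Recovery Manager Portal - Monitoring Users": "Monitoring tab",            # assumed
    "Recovery Manager Portal - Undelete Operators": "Undelete object button",  # assumed
}

# Constructed stand-in for the DelegationStore database:
# container DN -> principals delegated the right to restore objects in that container.
DELEGATION: Dict[str, Set[str]] = {
    "OU=Sales,DC=corp,DC=example": {"CORP\\helpdesk"},
    "OU=IT,DC=corp,DC=example": {"CORP\\alice"},
}

def parent_container(dn: str) -> str:
    """Return the DN of the container holding `dn` (everything after the first unescaped comma)."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1].strip() if len(parts) == 2 else ""

def visible_ui(local_groups: Iterable[str]) -> Set[str]:
    """Stage 1: UI elements shown after login, one per Portal group the user belongs to."""
    return {UI_BY_GROUP[g] for g in local_groups if g in UI_BY_GROUP}

def can_restore(user: str, principals: Set[str], object_dn: str,
                domain_admin: bool, all_domain_admins: bool) -> bool:
    """Stage 2, per object: `principals` are the user's group identities and
    `all_domain_admins` models the "Grant restore rights to all domain admins" checkbox."""
    if domain_admin and all_domain_admins:
        return True  # Domain Admins bypass explicit delegation when the checkbox is set
    allowed = DELEGATION.get(parent_container(object_dn), set())
    return bool(allowed & (principals | {user}))

def authorize_restore(user: str, principals: Set[str], object_dns: List[str],
                      domain_admin: bool, all_domain_admins: bool) -> Dict[str, bool]:
    """Examine every selected object before the Restore/Undelete batch is allowed to run."""
    return {dn: can_restore(user, principals, dn, domain_admin, all_domain_admins)
            for dn in object_dns}
```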