|T O P I C R E V I E W
||Posted - 04/20/2012 : 11:23:16 AM
I posted this question in the DPM forum. But I thought I would post it here as well, since it's really an AD question.
I've been working for several days to find a solution to a problem with DPM. I finally stumbled across something at social.technet.microsoft.com that has fixed the problem. I put the computer account of our DPM server into the Domain Admins group. (Our AD is 2008 R2, raised to the highest functional level.)
It's not clear to me why this fixed the problem. More important, are there bad things that could happen as a result of putting a server's computer account into the Domain Admins group?
|5 L A T E S T R E P L I E S (Newest First)
||Posted - 04/26/2012 : 10:29:25 AM
I finally got a chance to test out putting the DPM server computer account into the local admin group on the problematic XP workstation. It worked! Good idea you had. I should have thought of that myself. Thanks.
||Posted - 04/21/2012 : 07:39:30 AM
See if adding the computer account to the XP's local admins group helps in stead. Am curious.
||Posted - 04/20/2012 : 2:11:16 PM
Here's the link: http://social.technet.microsoft.com/Forums/en-US/dataprotectionmanager/thread/132dff35-1471-453c-bf4f-904d297d43aa/
Oddly, I've installed the DPM client on a number of computers--both Windows 7 and XP--without any trouble. Just this one has given me problems.
||Posted - 04/20/2012 : 2:01:12 PM
> It's not clear to me why this fixed the problem.
Looks like the DPM computer account needs local admin permissions on XP. Putting the account in D.A. is one way of accomplishing this.
> More important, are there bad things that could happen as a result of putting a server's computer account into the Domain Admins group
It means that anyone controlling DPM and/or the server has Domain Admins permissions, or can get them when he/she wants. Doesn't sound good to me...
||Posted - 04/20/2012 : 1:56:15 PM
I suppose that if someone clever could manage to run a script using the credentials of that computer, they would have a lot of power (same rights as a domain admin). I'm not sure how or if that could be practically exploited.
Could youprovide the technet link?