BackupExec Service Account Security FAIL

Yes. It actually says that if the BackupExec account is a member of Schema Admins, do not remove!
To be fair, it starts off with this Solution which covers the rights required:
From Symantec (

Please note :The backup account used as the default account and the account used to start the Backup Exec Services must be a member on the following Group Policy objects :

  • Act as part of the operating system
  • Create a token object (which can be used to access any local resources)
  • Log on as a service
  • Log on as a batch job (allows a user to be logged on by means of a batch-queue facility)
  • Backup files and directories (provides rights to backup files and directories)
  • Restore files and directories (provides rights to restore files and directories)
  • Manage auditing and security log
  • Take ownership of files and other objects
For more information on any of the above User Rights Assignment, please refer to the link below:
b. If a new account is desired, select New | User, and enter all the appropriate settings such as the account name and password. Click Next twice, and then click Finish. To configure the existing account, locate that account and continue to step c.

c. Open the Users folder, right-click the user, and click Properties
d. Click on the Member Of tab, confirm/add the Administrators

e. If Domain Admins is not the primary group, select Domain Admins and click Set Primary Group
f. Ensure that all other groups besides Administrators, Domain Admins, such as Domain Users are removed. Do not remove Schema Admins or Enterprise Admins (if listed)
g. The account should also have the Log on as a service right. For detailed instructions on granting this user right, see the Related Documents section
2. Go to Control Panel | Administrative Tools | Services
3. Stop all Backup Exec services
4. Enter the correct forest level Backup Exec service account name and password for all Backup Exec services
5. Restart all Backup Exec services
6. After resetting services, open Backup Exec and run a test backup of a remote System State and monitor for success.
Note: If access is not needed at the forest level, the account should be created on the domain controller of the highest level domain requiring backups from the Backup Exec server in question.
Created: 2009-01-29  Updated: 2013-04-24
(Visited 1,264 times, 1 visits today)