
I have a full drive to move to another partition. The problem is that the design was poorly funded and now we have to deal with lots and lots of different users accessing via SMB and applying their own permissions on their folders. In order to back up, I see robocopy has a /b switch, which uses backup mode. AFAIK: backup mode applies to those users who have the setting "Enabled" when they run "whoami /priv" for the SeBackupPrivilege and SeRestorePrivilege settings. I've been trying to modify my user's setting via GPO but it does not seem to have any effect! Can anyone shed some light on this issue? Truth is that ever since I started using the /b switch, the backup seems to run better and does not give me so many access errors (it actually does not output any).

RedNano
    `Backup mode applies to those users who have the setting "enabled" when they run "whoami /priv" on the SeBackupPrivilege and SeRestorePrivilege settings.` No. Those privileges are always disabled by default. They are enabled by the applications that use them when needed (robocopy in this example). – Greg Askew Jun 04 '19 at 15:56

1 Answer


In order to allow robocopy to use backup privilege, you must be an administrator (or see below) and you must run robocopy from an elevated command line window.

To open an elevated command line window, type cmd in the Start Menu and then press SHIFT-CONTROL-ENTER instead of just ENTER, or choose the "Run as administrator" option. Depending on how Windows is configured, you may be prompted to confirm that you want to proceed, or you may need to re-enter your account details.

If you are an administrator, you automatically have backup and restore privileges, unless your system configuration has been changed in an unusual way.


It is possible to explicitly grant a user account just backup and restore privilege rather than full administrator privilege. Traditionally, nobody bothers, because backup and restore privilege is "equivalent" to administrator privilege, in that a malicious user could easily leverage backup and restore privilege to obtain administrator access. (There may be some marginal security benefit in that a virus might not be programmed to take advantage of this situation, but generally speaking it isn't worth it IMO. Just have a separate admin account and use it when you need to perform this sort of operation.)

If you choose to do it this way, however, you must still open an elevated command window in order to take advantage of the privileges. In this scenario, you will always be prompted for a username and password.

You can confirm that this has worked using the whoami /priv command as mentioned in the question, but you should ignore the State column. If SeBackupPrivilege and SeRestorePrivilege appear in the list of privileges, then they are available to the robocopy command even if the State is shown as Disabled. Robocopy will enable the privileges automatically when you use the /b option. If you do not have the privileges, they will not appear on the list at all.

Harry Johnston
  • If it's not clear from the above, one of the things you have to watch out for is user rights vs. whether the privilege is currently enabled within a process. Some privileges can be available but not enabled by default during process creation. Robocopy presumably adjusts the token as needed within the available rights. Other tools may omit this step and rely on something else to pre-enable. This is also a worthwhile security auditing topic: attempting an operation and failing isn't enough to ensure you don't have the underlying right... (See also: impersonation and reverting to self...) – Matthew Wetmore Jun 05 '19 at 04:03
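The check the answer describes (are SeBackupPrivilege and SeRestorePrivilege present in the token at all, ignoring the State column) and the robocopy invocation that follows it, as an added PowerShell example that is not part of the original question, answer or comments. It reads the privilege list with whoami /priv in CSV form, refuses to run if either privilege is absent (which is what you see from a non-elevated window, because UAC strips these privileges from the filtered token), and then runs robocopy with /B. The function name, the source and destination paths and the log location are assumptions for illustration; /COPY:DATSO is used rather than /COPYALL so that the copy does not also depend on SeSecurityPrivilege for the auditing (U) part of the ACL.

```powershell
# Added example, not from the original post. Run from an elevated window
# ("Run as administrator"); otherwise the privilege check below fails on purpose.

function Get-TokenPrivilegeNames {
    # whoami /priv lists every privilege the current token HOLDS, whether its
    # State is Enabled or Disabled. Disabled is normal: robocopy /B enables the
    # privilege itself with AdjustTokenPrivileges. An absent entry is the real
    # problem and is what a UAC-filtered (non-elevated) token looks like.
    $rows = whoami /priv /fo csv | ConvertFrom-Csv
    return @($rows | ForEach-Object { $_.'Privilege Name' })
}

function Test-BackupModeAvailable {
    $held    = Get-TokenPrivilegeNames
    $needed  = @('SeBackupPrivilege', 'SeRestorePrivilege')
    $missing = @($needed | Where-Object { $held -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning ("Token lacks: {0}. Either the account has not been granted " +
                       "'Back up files and directories' / 'Restore files and directories', " +
                       "or this window is not elevated." -f ($missing -join ', '))
        return $false
    }
    return $true
}

function Invoke-BackupModeCopy {
    param(
        [Parameter(Mandatory = $true)][string]$Source,       # e.g. 'D:\Shares'   (assumed path)
        [Parameter(Mandatory = $true)][string]$Destination,  # e.g. 'E:\Shares'   (assumed path)
        [string]$LogPath = (Join-Path $env:TEMP 'robocopy-backup.log'),
        [switch]$ListOnly                                    # /L: report only, copy nothing
    )

    if (-not (Test-BackupModeAvailable)) {
        throw 'Backup mode is not available in this token; not starting the copy.'
    }

    # /E        recurse including empty directories
    # /B        backup mode: bypass file DACLs via SeBackup/SeRestorePrivilege
    # /COPY:DATSO  data, attributes, timestamps, DACL (S) and owner (O); add U for
    #              auditing info, which additionally needs SeSecurityPrivilege
    # /DCOPY:DAT   same for directories
    # /R:2 /W:5    do not hang on a locked file for the default 1,000,000 retries
    $rcArgs = @($Source, $Destination, '/E', '/B', '/COPY:DATSO', '/DCOPY:DAT',
                '/R:2', '/W:5', '/NP', "/LOG+:$LogPath")
    if ($ListOnly) { $rcArgs += '/L' }

    & robocopy.exe @rcArgs | Out-Null
    $code = $LASTEXITCODE

    # robocopy exit code is a bitmask: 1 = files copied, 2 = extra files at the
    # destination, 4 = mismatches, 8 = copy failures, 16 = fatal error.
    # Anything below 8 means every file it tried was copied; check the log for the rest.
    if ($code -ge 8) {
        throw "robocopy reported failures (exit code $code); see $LogPath"
    }
    Write-Host "robocopy finished with exit code $code (no copy failures); log: $LogPath"
    return $code
}

# Dry run first, then the real copy (paths are assumptions):
# Invoke-BackupModeCopy -Source 'D:\Shares' -Destination 'E:\Shares' -ListOnly
# Invoke-BackupModeCopy -Source 'D:\Shares' -Destination 'E:\Shares'
```

If Test-BackupModeAvailable fails from a window you believe is elevated, run `whoami /priv` in that same window: an administrator's elevated token lists both privileges (normally as Disabled), while a standard user will only see them once the rights have been assigned under Local Policies > User Rights Assignment and the user has logged off and on again, since user rights are read into the token at logon, not when the GPO applies.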