Setting up System Center Data Protection Manager 2010, I feel like a kid on Christmas morning! So many new features and “toys” to play with. I don’t know what to open first. Since it is something that can affect all the users here, I think I will unwrap client protection first. (Don’t you just love the sound of the wrapping paper being ripped off?)
After looking into this, it seems like most of it is pretty clear and easy to set up. When a client is protected, the end user gets a UI and, based on the configuration set by the DPM administrator, the client has some new options for their desktop/laptop protection.
What threw me off was allowing users to restore their own files. It seemed so easy to set up, but I missed something. I had some clients who were not seeing their recovery points in my lab so I had to dig in deeper to find out what I had missed.
I walked through the DPM side setup again and everything looked to be fine. The clients were protected. I decided to just protect the c:\corpfiles folder that all of our clients use for company data. In this case, I didn’t think that they should be able to add anything more to that, so I unchecked the box to allow users to specify protection and finally wanted to be sure that Joanna in accounting didn’t get her mp3 files backed up when she accidentally saved them to the corpfiles directory.
Logging onto the client laptop with my domain administrator account, I found the fancy new icon in the system tray. When I clicked on it, it allowed me to open the client UI tool for DPM. Very cool!
I made sure to force a recovery point in DPM (that was just the same as protecting a server, nothing new to learn there). I now was connected, but it said I didn’t have any recovery points. This confused me as I could see on the DPM server that there was at least one recovery point. Yet the message persisted:
DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.
As I read about this, I thought I would double-check that I was an admin and, of course, using the domain administrator account, I was automatically a member of the local administrators group on all machines. I then thought about it. Since I am in the group which makes me an administrator on every machine, this list would be huge. So I figured I would try to add my specific account to the administrator group on the local clients.
I went back to the DPM server and created a new recovery point. Just to be safe, I gave it some time and then back to the laptop and logged in again with my administrator account (contoso\cbutch). This time, when I opened the recovery tab, I was greeted with the recovery point I had just made. I clicked on Open and it allowed me to see the CorpFiles directory and all my files from the recovery point I chose.
So, as long as the user who needs to recover using this tool is explicitly listed in the local administrators group, then the recovery points made while in that group will be available. What a great new toy! My users are going to love it and I’m going to love taking that workload off my plate.
Chris Butcher | Senior System Center Support Escalation Engineer
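The post's finding turns on whether an account is listed explicitly in the client's local Administrators group or is only covered through a member group such as Domain Admins. One way to check that on a protected client follows. It is an added example, not code from the original post or from DPM, and it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets; the function name is hypothetical.

```powershell
# Added example; not from the original post and not part of DPM.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module)
# and an English-locale system, where ObjectClass is reported as 'User' / 'Group'.
function Get-LocalAdminMembership {
    param(
        # Account to check in DOMAIN\user form; defaults to the logged-on user.
        [string]$Account = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    )

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators. Using the SID
    # avoids depending on a localized or renamed group name.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop

    # Only direct members are returned: nested groups appear as a single entry.
    $users  = @($members | Where-Object ObjectClass -eq 'User')
    $groups = @($members | Where-Object ObjectClass -eq 'Group')

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Account        = $Account
        # True only when the account itself is listed, not when it is reached
        # through one of the member groups.
        ExplicitMember = [bool]($users | Where-Object Name -eq $Account)
        DirectUsers    = $users.Name
        DirectGroups   = $groups.Name
    }
}

$result = Get-LocalAdminMembership
if ($result.ExplicitMember) {
    # Per the post, only recovery points created after the account was added
    # showed up in the client UI, so a new recovery point is still needed.
    "$($result.Account) is listed explicitly in local Administrators on $($result.Computer)."
}
else {
    "$($result.Account) is not listed explicitly on $($result.Computer)."
    "Groups that are direct members: $($result.DirectGroups -join ', ')"
}

# The DirectUsers list doubles as a least-privilege audit: every entry is an
# individual account holding full local administrator rights on this machine.
$result.DirectUsers
```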
Am I misunderstanding something here or does this mean that users now have to have local admin rights to their computers ... something we've been trying to move users away from?
Are they not able to restore their own files without needing admin rights?
Umm... yeah that's what it sounds like. Two big steps backward?!
Can someone please clarify this? Requiring that a user be a local administrator so that his/her files can be backed up or recovered makes no sense at all.
Could someone please clarify on the need to be a local admin? This is out of the question for 99.9% of our end-users.
I am running DPM 2012 and think that, unless there is a more meaningful fix somewhere out there that I am not aware of, requiring a user to be a local administrator is absolutely unnecessary. This problem is further compounded by the fact that a Domain Administrator like myself is still unable to recover files and encounters the data recovery error. Microsoft needs to remove this requirement ASAP lest we abandon this application!