How to configure the DPM Client to allow non-admin users to perform end-user recovery of DPM protected data - System Center: Data Protection Manager Engineering Team Blog - Site Home - TechNet Blogs


Hi everyone, Marc Reynolds here. I wanted to take a minute and show you how to use a new feature that came with the March DPM hotfix rollup package: it allows users who are not local administrators on a protected client to recover their protected data. Prior to this rollup hotfix, only a user who was explicitly a member of the local Administrators group could recover protected data. This change is documented in Description of the hotfix rollup package for System Center Data Protection Manager 2010: March 2011:

The administrator of a client computer must set the name of non-admin users who have to have permissions to perform end-user recovery of protected data of a client computer. To do this, the administrator must add the following registry key and value for each of these non-admin users. This is a single key that contains a comma-separated list of client users. You do not have to add this key separately for each non-admin user.

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection
REG_SZ: ClientOwners
Value: Names of non-admin users. This should be a comma-separated list of user names without any leading or trailing spaces, as in the following example: domain1\user1,domain1\user2,domain1\user3 (and so on)

Follow the steps below to configure DPM recovery permissions for users who are not members of the local Administrators group:

1. Log on to the DPM protected client computer with a user account that is a member of the local Administrators group.

2. Open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection.

3. Right-click the “ClientProtection” key and select New > String Value.

a. Name the new value “ClientOwners”.

b. You can add a single user in domain\user format, or you can add multiple users as a comma-separated list (make sure not to use any leading or trailing spaces in the list).

c. Click “OK” to save the new ClientOwners value. The registry should now show the new “ClientOwners” value along with the users you have configured.

4. Close Registry Editor; the configuration is complete. If you need to give more users recovery permissions at a later time, simply append the user account name to the ClientOwners list.
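The same configuration done from an elevated PowerShell prompt, as an added example that is not part of the original post: it reads any existing ClientOwners list, appends the accounts without creating duplicates, writes the value back in the no-spaces comma-separated format described above, and verifies the result. The account names are placeholders, and the SID-resolution check is an extra sanity step I assume you want, not something the hotfix requires.

```powershell
# Added example, not from the original post. Run elevated on the DPM protected client.
# Key path and value name are the ones documented for the March 2011 rollup.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection'
$ValueName = 'ClientOwners'
$NewOwners = @('domain1\user1', 'domain1\user2')   # placeholder accounts, replace with yours

if (-not (Test-Path $KeyPath)) {
    throw "DPM ClientProtection key not found. Is the DPM agent (with the March 2011 rollup) installed?"
}

# Read the existing list (if any) and normalize it: split on commas, trim, drop empty entries.
$existing = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
$owners = @()
if ($existing) {
    $owners = @($existing -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

foreach ($u in $NewOwners) {
    $u = $u.Trim()
    if (-not $u) { continue }

    # Sanity check (assumed, not required by DPM): a name that does not resolve to a SID
    # is usually a typo, and a typo here silently grants nobody the permission.
    try {
        $null = (New-Object System.Security.Principal.NTAccount($u)).Translate(
                    [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Could not resolve '$u' to a SID (typo, or domain unreachable?): $_"
    }

    # -contains is case-insensitive, so re-running the script never duplicates an entry.
    if (-not ($owners -contains $u)) { $owners += $u }
}

# Write back a single REG_SZ, comma-separated with no spaces, exactly as DPM expects.
$value = ($owners -join ',')
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String -Value $value -Force | Out-Null

# Read it back and confirm what was written.
$check = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($check -ne $value) { throw "Verification failed: ClientOwners is '$check'" }
Write-Host "ClientOwners is now: $check"
```

Because the value lives under HKEY_LOCAL_MACHINE, only an administrator on the client can change who appears in the list; the users named in it still only see their own folder in the recovery point, as the note at the end of this post shows.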

Testing the configuration to make sure the users can recover their protected data:

1. Log on as a user who is not a member of the local Administrators group and who has been given permission to recover DPM protected data in the steps above.

2. Open the DPM client.

3. From the Summary tab, click “Sync now”.

4. You can either wait for a scheduled recovery point job to run or, if you are a DPM administrator, log on to the DPM server and manually trigger a recovery point for the client. In my setup, recovery point jobs for my client kick off at 8:00a, 12:00p and 6:00p.

5. On the client, still logged on as the non-admin user, click the Recovery tab and then click the search icon.

Note: If no recovery points have been created since the user was configured for client recovery permissions, the user will get an error at this point.

6. Expand the computer by clicking the “+” on the left to see the available recovery points.

7. Click “Open” and Explorer will open to the recovery point volume. Double-click the folder containing the files you would like to recover. In this case I select the c-vol folder.

8. Open the Users folder.

9. The user can now see the list of available user folders and open their own folder.

10. Select the folder belonging to the user attempting to recover DPM protected data.

11. Open the folder containing the file(s) that need to be recovered. In this case the file I want to recover is in the Desktop folder.

12. Now I can recover my file “newfile.txt”. I can choose to copy it to the desktop to replace the current file, rename it and place it on the desktop, or copy the file to another location and preserve both the file currently on the desktop and the recovered file.

Note: A user will not be able to recover any files except those in his/her own folder. If they try to open or recover files from another user's folder, they will receive an access error.

Enjoy!

Marc Reynolds | Senior Support Escalation Engineer

  • Is there any way to automate this task, e.g. using a variable like %username% to pick up on the credentials of the currently logged-in user? Rather than having to add the specific credentials to lots of specific machines. Thanks.