IBM Support

Microsoft Windows domain account prerequisites required to use the Data Protection for VMware file restore interface

Question & Answer


Question

What are the Microsoft Windows domain account prerequisites required to use the Data Protection for VMware file restore interface?

Answer

Tip: The product now known as IBM Spectrum Protect™ was named IBM Tivoli® Storage Manager in releases earlier than Version 7.1.3. To learn more about the rebranding transition, see technote 1963634.

Note: This information supersedes the 7.1.6, 8.1.0, and 8.1.2 information documented in the IBM Knowledge Center topic File restore prerequisites.


The prerequisites that are documented here are for the mount proxy. The mount proxy system represents the Linux or Windows proxy system that accesses the mounted virtual machine disks through an iSCSI connection. This system enables the file systems on the mounted virtual machine disks to be accessible as restore points to the IBM Spectrum Protect file restore interface.

A user account that belongs to a Windows domain and is also a local administrator on the mount proxy system is required to perform the necessary tasks to enable file recovery to a virtual machine guest. An administrator with this account enters the account credentials in the Data Protection for VMware vSphere GUI configuration wizard or notebook to enable the environment for file restore operations.

To create a user account with sufficient privileges to use the file restore interface, you can use the Windows Group Policy object to centrally manage a single domain user, allow it to access multiple machines with local administrator credentials, and optionally restrict undesirable actions.

The following steps illustrate how this user account can be created. Complete these steps on a domain controller by using the Active Directory Users and Computers MMC snap-in:
  1. Create a new security group called "FR Admins":
    • Select Action->New->Groups and create a new security group named "FR Admins".
    • The group scope should be set to Global.
  2. Create a new domain user account with the user name "fradmin1" and add it to the "FR Admins" security group. (You can also add other domain user accounts to the group.)
  3. To provide more control over the set of computers that "fradmin1" can access, create a new organizational unit named "FR Computers" and place a few computers in it:
    • From the domain object, select New->Organizational Unit.
Complete the following steps on the domain controller from the Group Policy MMC snap-in:
  1. Create a new Group Policy object named "FR Admin GPO", which will add the administrators in the "FR Admins" group to the local administrator group of the computers associated with the organizational unit that the Group Policy object is applied to:
    • In the Group Policy object, set it to add the account to the local administrator group and, optionally, to remote desktop users.
    • Select the "FR Computers" organizational unit and add the newly created Group Policy object. Note that the Group Policy object could have been associated with the domain itself, but then "fradmin1" would be in the local administrator group of all computers in the domain. Using an explicit organizational unit provides additional control.
  2. Optionally use Group Policy Management to restrict undesirable actions on the local machine, such as "Deny log on locally", "Deny log on through Terminal Services", etc.

On the File Restore page of the Data Protection for VMware vSphere GUI configuration wizard or notebook, update the settings to use the domain\fradmin1 account that was created in the steps above. (You can ignore the fact that the page instructs the user to enter a "Windows Domain Administrator ID".)

Finally, restart the mount proxy client access daemon (CAD) service.
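
A scripted equivalent of the domain controller steps above, as an added example that is not part of the IBM technote or IBM's own code. It assumes the ActiveDirectory and GroupPolicy PowerShell modules are available and uses the placeholder computer name MOUNTPROXY01; the local administrator group setting inside the Group Policy object is still made in the Group Policy editor as described above.

```powershell
# Added example: scripts the Active Directory steps from the technote.
# Run on a domain controller with rights to create AD objects and GPOs.
Import-Module ActiveDirectory, GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName
$groupName = 'FR Admins'
$userName  = 'fradmin1'
$ouName    = 'FR Computers'
$gpoName   = 'FR Admin GPO'
$ouDN      = "OU=$ouName,$domainDN"
$proxies   = @('MOUNTPROXY01')   # assumption: placeholder mount proxy computer name

# Step 1: global security group.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}

# Step 2: domain user (password is prompted for, never stored in the script).
if (-not (Get-ADUser -Filter "SamAccountName -eq '$userName'")) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $userName"
    New-ADUser -Name $userName -SamAccountName $userName -AccountPassword $pw -Enabled $true
}
if ((Get-ADGroupMember -Identity $groupName).SamAccountName -notcontains $userName) {
    Add-ADGroupMember -Identity $groupName -Members $userName
}

# Step 3: organizational unit that holds only the computers the account may administer.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
foreach ($name in $proxies) {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $ouDN
}

# Group Policy object, linked to the OU only and not to the domain root.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
if ((Get-GPInheritance -Target $ouDN).GpoLinks.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $ouDN | Out-Null
}

# Review: groups the account belongs to, and every container the GPO is linked to.
Get-ADPrincipalGroupMembership -Identity $userName | Select-Object -ExpandProperty Name
([xml](Get-GPOReport -Name $gpoName -ReportType Xml)).GPO.LinksTo | Select-Object SOMPath, Enabled
```

Once the local administrator group setting has been added to the Group Policy object and policy has refreshed, `Get-LocalGroupMember -Group Administrators` on the mount proxy should list the "FR Admins" group.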


Document Information

Modified date: 17 June 2018

UID: swg21998066