Thursday, July 19, 2018

Backup Operators may not be able to create shadow copies

Yesterday I learned that SeBackupPrivilege and SeRestorePrivilege are not sufficient to create a volume shadow copy. I assumed that membership in the official Backup Operators group would do the job, but after doing some testing today, that may not be the case. Historically, I've used the code in this Stack Overflow answer to create shadow copies while running as an elevated administrator. When I tried it as an elevated backup operator, the first line didn't throw an error as it does for normal users, but the response object it returned was blank and indicated an access-denied condition. No shadow copy was created.

Evidently, even though membership in Backup Operators allows connection to the Volume Shadow Copy Service (or so it appears from the ACL in DCOM Configuration), only administrators can create shadow copies. That matches the response to this other Stack Overflow question.
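To reproduce the comparison described above, the following added example (not code from the original post or from the linked Stack Overflow answer) reports which of the two built-in groups is enabled in the current token, attempts a shadow copy, and decodes the return code. It assumes the standard `Win32_ShadowCopy` WMI class and a `C:\` volume; the function name `Test-ShadowCopyCreation` is hypothetical.

```powershell
# Added example: assumes the Win32_ShadowCopy WMI class and a C:\ volume.
# Test-ShadowCopyCreation is a hypothetical name, not part of any module.
function Test-ShadowCopyCreation {
    param([string]$Volume = 'C:\')

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $roles     = [Security.Principal.WindowsBuiltInRole]

    # Return codes documented for Win32_ShadowCopy.Create
    $codes = @{
        0  = 'Success'
        1  = 'Access denied'
        2  = 'Invalid argument'
        3  = 'Specified volume not found'
        4  = 'Specified volume not supported'
        5  = 'Unsupported shadow copy context'
        6  = 'Insufficient storage'
        7  = 'Volume is in use'
        8  = 'Maximum number of shadow copies reached'
        9  = 'Another shadow copy operation is already in progress'
        10 = 'Shadow copy provider vetoed the operation'
        11 = 'Shadow copy provider not registered'
        12 = 'Shadow copy provider failure'
        13 = 'Unknown error'
    }

    # IsInRole is true only when the group is enabled in this token,
    # so a non-elevated (UAC-filtered) session reports False for both.
    $result = [ordered]@{
        User                   = $identity.Name
        AdministratorsEnabled  = $principal.IsInRole($roles::Administrator)
        BackupOperatorsEnabled = $principal.IsInRole($roles::BackupOperator)
        ReturnValue            = $null
        Meaning                = $null
        ShadowID               = $null
    }

    try {
        $r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
            -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' } -ErrorAction Stop
        $result.ReturnValue = [int]$r.ReturnValue   # UInt32 -> Int32 so the table lookup matches
        $result.Meaning     = $codes[[int]$r.ReturnValue]
        $result.ShadowID    = $r.ShadowID
    } catch {
        # Some accounts are rejected before the method returns a code at all.
        $result.Meaning = "WMI call failed: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

Test-ShadowCopyCreation
```

A successful run creates a real shadow copy on the volume; the returned `ShadowID` identifies it for cleanup.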
