Hi,

We have the following scenario. We use group policy preferences to lock down operator workstations. As part of this lockdown only the operator domain user accounts are members of the local users group. Authenticated Users, Domain Users and Interactive Users are not members of this group as we do not allow any other accounts to log onto these particular systems (they control some heavy duty utilities).

We want to backup the workstations using DPM 2010 but this fails unless authenticted users are a member of the local users group. However, if we add authenticated users then other accounts from the domain (and other trusted domains) can also logon to these systems (not allowed).

The error without authenticated users in the local users group is as follows:

ErrData Protection Manager Error ID: 270

The agent operation failed on oper1.domain.local because DPM could not communicate with the DPM protection agent. The computer may be protected by another DPM server, or the protection agent may have been uninstalled on the protected computer.

If oper1.domain.local is a workgroup server, the password for the DPM user account could have been changed or may have expired.

So my question is therefore is it possible to run the DPM client service with a domain user service account and provide this service account with the equivilent permissions that the LOCAL SYSTEM account has?

Or is it possible to configure permissions specifically on the DPM client filesystem folders, registry entries and dcom config?
These aren't run of the mill office PCS.

Essentially I do not want to add authenticated users or domain users into the local users

Ok so I eventually worked this one out myself... If I added the computer account of the DPM server to the OPERATOR_%Computername% AD security group then DPM backup server is a member of the local users group and has enough permissions to carry out the backups without any errors :)