You need to ensure that User1 can use Windows Server Backup to back up Server1

Your network contains an Active Directory domain named contoso.com. The domain
contains a file server named Server1 that runs Windows Server 2012 R2.
You create a user account named User1 in the domain.
You need to ensure that User1 can use Windows Server Backup to back up Server1. The
solution must minimize the number of administrative rights assigned to User1.
What should you do?

Your network contains an Active Directory domain named contoso.com. The domain
contains a file server named Server1 that runs Windows Server 2012 R2.
You create a user account named User1 in the domain.
You need to ensure that User1 can use Windows Server Backup to back up Server1. The
solution must minimize the number of administrative rights assigned to User1.
What should you do?

A.
Add User1 to the Backup Operators group.

B.
Add User1 to the Power Users group.

C.
Assign User1 the Backup files and directories user right and the Restore files and
directories user right.

D.
Assign User1 the Backup files and directories user right.

Explanation:
http://technet.microsoft.com/en-us/library/cc787956(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc771990.aspx
Backup Operators have these permissions by default:

However the question explicitly says we need to minimize administrative rights. Since the
requirement is for backing up the data only–no requirement to restore or shutdown–then
assigning the “Back up files and directories user right” would be the correct answer.

Show Hint

Leave a Reply 26

Your email address will not be published. Required fields are marked *

dbKarlo

dbKarlo

Did you try to backup server with rights assigned in answer D? With this rights, user cannot use Windows Server Backup to backup server. It says that “The Windows Server Backup engine is not accessible… Make sure that you are member of Administrators or Backup Operators group…” When the user is member of Backup Operators group, he can make server backup with Windows Server Backup. So, I think that answer A is correct.

Reply

James L

James L

I gave a user the logon locally rights to a DC and also assigned the rights specified here. I then logged on with the account and tried to run Windows Server Backup but got the message dbKarlo mentions. I left the user with the assigned rights but also added them to Backup Operators Group to see if they were limited by the user rights assignment but I was able to shut down the server. If this is the most restrictive group that allows backup rights for a user then I guess A would be correct

Anyone have any other ideas?

Reply

James L

James L

I also tried on a server that was not a DC just to satisfy my curiosity (As a File Server would be unlikely to have AD DS configured on it) but the same issue.

Reply

Wheeler

Wheeler

Configuring a backup via Windows Backup and running an existing backup previously configured via Windows Backup are two different things; the exam is likely expecting Windows Backup to be set to run as the user.

Reply

Pirulo

Pirulo

I think I read in the exam ref book that you don’t need to be a member of the backup operators group. I will check this….

Reply

Pirulo

Pirulo

Page 160 of Exam Ref by J.C.Mackin and Orin Thomas.
Does not explicitly say that only with the “individual” rights you will be able to use the Windows backup tool, but insinuates that you will be able to backup the files….
I too made the test mentioned by Dbkarlo and James L, with exactly the same results,so I think that answer should be definitely A

Reply

Kass

Kass

Best practices

1. Restrict the Back up files and directories user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. Because there is no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users.

https://technet.microsoft.com/en-us/library/dn221961(v=ws.10).aspx

Answer is C.

Reply

Joe

Joe

I have tried C and D and neither of these allow a user to use windows server backup. It seems that it can only be A

Reply

Joe

Joe

I think the part “The
solution must minimize the number of administrative rights assigned to User1” is to try and trick you into choosing C or D

Reply

Joe

Joe

100% A after testing again…
Assign User1 the Backup files and directories user right – shows as not installed when the user opens windows server backup
Assign User1 the Backup files and directories user right and the Restore files and
directories user right – shows as not installed when the user opens windows server backup
Add the user to the local backup operators group – shows as installed when the user opens windows server backup

Windows server backup says users must be a member of administrators or backup operators or be delegated permissions. So how do we delegate them with the permissions if adding to these groups does not work?

Reply

PK

PK

It’s my understanding that to use windows server backup (2008(R2) and 2012(R2)) you must be an administrator or backup operator.
So A.
Before 2008 you used NTbackup. This tool could be used by a user assigned with the backup files and dirctory right.

Reply

mslover

mslover

Thanks PK, this makes a lot of sense as solutions that would work in previous versions of Windows are often the red-herring.

Reply

Jakx

Jakx

Since 2012 R2 you can choose to delegated the appropriate rights for doing the back up. I saw this in CBT Nuggets and I have red this somewhere… I can’t find the article atm.

Reply

KungFury

KungFury

Absolutely 100% A

Reply

kingces

kingces

Absolutely 100% D:

Only members of the local Administrators group and the local Backup Operators group have
the right to perform backups of files and directories on a given machine. Backup Operators
are also granted the rights to restore files and directories and the right to shut down the
system.
All three of these rights (backing up, restoring, and shutting down the system) are rights
that can be assigned separately through User Rights Assignment in Local Computer Policy
or Group Policy. If, for example, you want to grant a user the right to back up files and
directories but not the right to restore files and directories, you need to assign the user that specific user right through Local Computer Policy or Group Policy. Don’t add the user to the Backup Operators group because you will be granting that user unwanted privileges.

EXAM TIP

For the 70-412 exam, remember that Backup Operators have more rights than just backing
up a system. They can back up, restore, shutdown the system, log on locally, and access the
computer from the network. If you want to assign a user just a few of those privileges, you
should assign that user those rights through Local Computer policy or Group policy instead
of adding her to the Backup Operators group.

Reply

Zakir

Zakir

Correct answer is D. Question explicitly says, “minimize administrative rights to user1”. If we assign “Backup operators group”, user1 can not only do the backup, but also user1 can restore and shutdown the system. Keyword is minimize admin right – therefore, choosing D is the ONLY option and the correct answer.

Reply

sahing

sahing

Agree with people who says trick is “minimize the number of administrative rights”.

But there is truth, event you give user backup file and directories user right, User1 still can’t use “Windows Server Backup”

While question says “You need to ensure that User1 can use Windows Server Backup to back up Server1 answer can only be “A”. There is no way to use Server Backup tool without this permission.

Reply

luciano

luciano

crap… I hate to arrive in the comment section and find out several comments one against the others… these are usually the questions that happen to appear in my exams…

Since there’s no majority this time, I’ll stick with the premium… Letter D. hope to be right.

Reply