Question
Monday, October 14, 2019 12:17 PM
Hi,
I am on a mission to create a scheduled task to back up a CA. I want the scheduled task to run as a user with minimum permissions on the server. What are the minimum permissions required for this user to be able to execute "Backup-CARoleService -path <some_path> -DatabaseOnly"?
Best regards,
Jim
All replies (9)
Thursday, November 21, 2019 2:46 PM ✅Answered
No, no, no. You are checking whether you are a member of the Backup Operators group in AD/SAM. However, by default this group is stripped by UAC from the client's Kerberos token. To see what is included in the token, run "whoami /all". At the bottom of the output you will see privilege information. Does it include SeBackupPrivilege and SeRestorePrivilege? Example output for my backup operator (non-admin) in a non-elevated shell:
PRIVILEGES INFORMATION
Privilege Name Description State
============================= ============================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
and when I run PowerShell in elevated mode, I get this:
PRIVILEGES INFORMATION
Privilege Name Description State
============================= ================================ ========
SeSecurityPrivilege Manage auditing and security log Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
In this case I can use the Backup-CARoleService cmdlet or the "certutil -backupdb" command. Use Run As to run PS in elevated mode; when prompted, enter the current user's (backup operator) credentials.
Vadims Podāns, aka Crypt32
My weblog: www.sysadmins.lv
PowerShell PKI Module: PSPKI
Check out new: SSL Certificate Verifier
Check out new: ASN.1 Editor tool.
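The following is an added example, not code from the thread or from Vadims: it turns the check he describes (look for SeBackupPrivilege in the "whoami" privilege list rather than at group membership) into a script that a scheduled task can run for the original question, so the task fails with a readable message instead of the bare 0x80070005 when the token has been filtered. The backup directory C:\CABackup, the script path C:\Scripts\Backup-CA.ps1, the account CONTOSO\svc-cabackup and the task name are placeholders. The Register-CABackupTask helper uses -RunLevel Highest to request the full (unfiltered) token; whether that restores Backup Operators for a non-admin account is an assumption to verify with Test-BackupToken, not something the thread confirms.

```powershell
<#
Added example; not from the original post.
Runs "Backup-CARoleService -DatabaseOnly" under a non-admin account and refuses
to start when SeBackupPrivilege is absent from the token (group membership alone
is not enough: UAC strips Backup Operators from the filtered token).
Placeholders (assumptions): C:\CABackup, C:\Scripts\Backup-CA.ps1,
CONTOSO\svc-cabackup, task name 'CA database backup'.
#>
param(
    [string]$BackupPath = 'C:\CABackup'
)

function Get-TokenPrivilege {
    # Same data as the "PRIVILEGES INFORMATION" table of "whoami /all",
    # parsed into objects with 'Privilege Name', 'Description' and 'State'.
    whoami /priv /fo csv | ConvertFrom-Csv
}

function Test-BackupToken {
    # Returns $true when SeBackupPrivilege is present in the current token.
    # State "Disabled" is fine: the privilege only has to exist in the token;
    # the elevated output above shows it Disabled and the cmdlet still works.
    $privs = Get-TokenPrivilege
    $hasBackup = [bool]($privs | Where-Object { $_.'Privilege Name' -eq 'SeBackupPrivilege' })
    if (-not $hasBackup) {
        $who = whoami
        Write-Warning ("Token of $who lacks SeBackupPrivilege. Backup Operators membership " +
                       "is filtered by UAC; run with the full (elevated) token or " +
                       "Backup-CARoleService will fail with 0x80070005.")
    }
    return $hasBackup
}

function Invoke-CADatabaseBackup {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-BackupToken)) { throw 'Refusing to start: SeBackupPrivilege missing from token.' }
    # The account also needs Modify on the target directory (already covered in the thread).
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    Import-Module ADCSAdministration
    # -DatabaseOnly: no private key export, so CA admin rights are not needed.
    # -Force: overwrite a previous backup in the same directory.
    Backup-CARoleService -Path $Path -DatabaseOnly -Force
}

function Register-CABackupTask {
    # Registers the task under the backup account. -RunLevel Highest asks for the
    # full token instead of the UAC-filtered one (assumption: verify with
    # Test-BackupToken that SeBackupPrivilege then shows up for this account).
    # The account must also hold "Log on as a batch job" for a password logon.
    param(
        [Parameter(Mandatory)][pscredential]$Credential,   # e.g. CONTOSO\svc-cabackup (placeholder)
        [string]$ScriptPath = 'C:\Scripts\Backup-CA.ps1',  # placeholder
        [string]$TaskName   = 'CA database backup'         # placeholder
    )
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At 2am
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -User $Credential.UserName `
        -Password $Credential.GetNetworkCredential().Password `
        -RunLevel Highest
}

# Script body: this is what the scheduled task executes.
Invoke-CADatabaseBackup -Path $BackupPath
```

To test the token question interactively before registering the task, log on as the backup account, open an elevated PowerShell with Run As (as Vadims suggests) and call Test-BackupToken: if it returns $true there, the next step is to register the task with Register-CABackupTask and confirm the task's own log shows no warning.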
Monday, October 14, 2019 3:15 PM
Either a member of the Administrators group or of the Backup Operators group. Although Backup Operators aren't granted powerful permissions explicitly, they have huge power implicitly, which allows them to bypass NTFS permissions for backup operations.
Tuesday, October 15, 2019 6:42 AM
Hi,
I agree with Vadims: the minimum privilege for backing up the CA database is that the user be a member of the Backup Operators group.
In addition, the user should be a CA admin if we need to export the CA private key information.
For reference:
/en-us/powershell/module/adcsadministration/Backup-CARoleService?view=win10-ps
Best Regards,
William
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, October 16, 2019 1:49 PM
Thank you for taking the time to reply! :)
Monday, October 21, 2019 10:05 AM
Hi,
I am pleased to know that the information is helpful to you. If there is anything else we can do for you, please feel free to post in the forum.
Best Regards,
William
Friday, November 8, 2019 2:54 PM
I'm sorry, it seems I was a bit fast on the reply button. In my tests, a user that is a member of the local "Backup Operators" group doesn't seem to be able to create a CA backup using "Backup-CARoleService -Path <path> -DatabaseOnly". I'm getting the following error:
Backup-CARoleService : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Backup-CARoleService -Path C:\CABackup\ -DatabaseOnly
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Backup-CARoleService], UnauthorizedAccessException
    + FullyQualifiedErrorId : BackupDatabase,Microsoft.CertificateServices.Administration.Commands.CA.BackupCACommand
The user has modify permissions on the directory <path>. Is there something else I'm missing?
Thanks!
Monday, November 18, 2019 9:21 AM
Did you run it in elevated shell? By default, Backup Operators group is stripped by UAC.
Wednesday, November 20, 2019 4:26 PM
Yes, I think I'm in an elevated shell:
Friday, November 22, 2019 11:56 AM
My goal with that image was to showcase the user was both in an elevated shell and a member of the "Backup Operators" group ("Administrator" in the upper left corner). :)
My efforts include enabling this user to back up the CA database from a scheduled task (without the user needing to be a member of the local Administrators group), but I've not been very successful in that department yet.
However, I logged in as the user on the server and started a cmd with "Run As Administrator".
whoami /all shows "SeBackupPrivilege", and the Backup-CARoleService cmdlet and "certutil -backupdb" work fine.
Thanks!