Grant user permissions


Updated: February 9, 2017

Applies To: System Center 2012 SP1 - Data Protection Manager, System Center 2012 - Data Protection Manager, System Center 2012 R2 Data Protection Manager

Before you begin a DPM deployment, verify that appropriate users have been granted required privileges for performing the various tasks. The following table shows the user privileges that are required to perform the major tasks associated with DPM.

User Privileges Required to Perform DPM Tasks

TaskRequired Privileges
Adding a DPM server to an Active Directory domainDomain administrator account, or user right to add a workstation to a domain
Installing DPMAdministrator account on the DPM server
Installing the DPM protection agent on a computerDomain account that is a member of the local administrators group on the computer
Opening DPM Administrator ConsoleDomain account that has administrator privileges on the DPM server
Extending the Active Directory Domain Services schema to enable end-user recoverySchema administrator privileges in the domain
Creating an Active Directory Domain Services container to enable end-user recoveryDomain administrator privileges in the domain
Granting a DPM server permissions to change the contents of the containerDomain administrator privileges in the domain
Enabling end-user recovery feature on a DPM serverAdministrator account on the DPM server
Installing recovery point client software on a client computerAdministrator account on the client computer
Accessing previous versions of protected data from a client computerUser account with access to the protected share
Recovering Windows SharePoint Services dataWindows SharePoint Services farm administrator account that is also an administrator account on the front-end Web server that the protection agent is installed on
Protect SQL ServerAdd the system account NT Authority\SYSTEM to the sysadmin group on the SQL Server you want to protect. In SQL Server Management Studio > Security > Logins.Double-click NT AUTHORITY\SYSTEM > Server Roles, check the sysadmin role > OK.
System_CAPS_ICON_caution.jpg Caution

If you are using one SQL Server to host multiple DPM databases, the administrators of each of the DPM servers has access to the databases of the other DPM servers.

Plan for DPM security