Protecting Network Shares and Mapped Drives with Onguard Backup

Posted on

Both Onguard Remote Backup clients and servers use a Microsoft Windows “service” to do the actual work.  The Microsoft Windows user the service “runs as” must not only have read/write permissions (privileges) to all files/folders the executable will be accessing but it must be actually able to access them.

In general this sounds obvious but the majority of our technical support calls are related to misunderstandings about Microsoft “services”.  The purpose of this technical note is to summarize typical problems and give you solutions.  In addition, at the end of this note are screen captures indicating how to change the user the Onguard Remote Backup service runs as in all our Windows’ products.

Note: specific information on Microsoft Windows Error Codes can be found here.

When to use Local System for service and when to use an account

In many cases, running services as the Local System account, aka SYSTEM, is the way to go as no one can login to this account, by default this account has read/write permissions to everything on the local computer (unless one manually removes those permissions from files/folders), and this account does not have a password that expires so your services won’t require maintenance due to changing passwords.  HOWEVER, Microsoft has placed a significant security restriction on the Local System account, namely it can NOT access network shares and it can NOT access mapped drives.

Permissions and password expiration


a) someone has changed permissions on files or folders to limit access to certain computer accounts (perhaps even excluding the Local System account – which usually isn’t necessary since no one can login as this account) or

b) the service needs to access mapped drives or network shares

then one needs to have the Onguard Remote Backup service run as a user (where Microsoft requires that that service user also have a password – preferably one that doesn’t expire so the service does not stop running when the password expires or is changed).

If the service is running as the user you desire, and you are stilll getting permission denied errors, then first make sure the files/folders the service is trying to access have granted the appropriate read/write permissions to the user the service is running as.

This is straightforward to diagnose and most every Windows user should be able to do it (please see this article for more information).  If you have verified this is not the issue, then please read on…

Mapped drives not connected as service user

To avoid confusion, we suggest using actual path’s rather then mapped or network mapped drives, because if you change the user the service runs as, you might not have setup the same map for the drive or you may not have selected the option to “Reconnect at login”.  If you do use mapped drives then be sure they are mapped for the user the service runs as and that they are configured to “Reconnect at login”.  If the underlying network paths are password protected, then please read on…

Password protected network shares

One last point is important to keep in mind if the Onguard Remote Backup service needs to access password protected shares or mapped drives, and that is that the user the service runs as must have permanently cached the password for the path in Windows so that the service can access the password protected resource.  When a service runs, it is not logged in, so it can’t prompt you for the password for network resources!

All you need to do is login as the user the service runs as, and access the network resource, and when prompted for the password, enter it AND be sure to check the appropriate box to remember the password.  If the password for the share has changed, then you will need to re-login as the user the service runs as and repeat this step (or consult Google or Bing as there are other ways within Windows to change this).  Below is a screen capture showing how to save a network share password in Windows when you make the connection:

mapped _drive_password

Changing the user the Onguard Remote Backup service runs as

On the Onguard Remote Backup Server, the service is called “Onguard Remote BackupServer.EXE” and you can change the user this service runs as either in the Microsoft Windows Services Control Panel (Services.msc) or in the Onguard Remote Backup Server GUI as follows:


In our new Onguard Remote Backup backup client the service will be called “Onguard_scheduler.exe” and you can see and change the user this service runs as via the Microsoft Windows Services Control Panel (Services.msc) or on the Backup->Schedule tab in the client GUI:


In our original Onguard Remote Backup backup client you can see the user the service runs as on the Monitor tab:


and change it on the Local Settings tab (please note: do not user the Microsoft Windows Services Control Panel, Services.msc, to change the user the service runs as):


Previous Article

Next Article: Back Up Outlook