The administrator of a client computer must set the name of non-admin users who have to have permissions to perform end-user recovery of protected data of a client computer. To do this, the administrator must add the following registry key and value for each of these non-admin users. This is single key that contains a comma-separated list of client users. You do not have to add this key separately for each non-admin user.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtectionREG_SZ: ClientOwners
Value: Names of non-admin users. This should be a comma-separated list of user names without any leading or trailing spaces, as in the following example: domain1\user1,domain1\user2,domain1\user3 (and so on)
Follow the steps below to configure DPM recovery permissions for users that are not members of the local administrators group:
1. Log into the DPM protected client computer with a user account that is a member of the local administrators group
2. Open the registry editor and navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection
3. Right click on the “ClientProtection” key and select New String Value
a. Name the new value “ClientOwners”
b. You can add a single user using the
format or you can add multiple users using a comma separated list (make sure not to use any leading or trailing spaces in the list) as shown below:
c. Click “OK” to save the new ClientOwners value and the registry should now show the new “ClientOwners” value along with the users you have configured:
4. Close Registry Editor and you have completed the configuration. If you need to give more users recovery permissions at later time you can simply add the user account name to the ClientOwners list.
Testing the configuration to make sure users that can recover their protected data:
1. Log on as a user that is not a member of the local administrators group and has been given permissions to recover DPM protected data in the steps above.
2. Open DPM client
3. From the Summary tab, click “Sync now”
4. You can either wait for a scheduled recovery point job to run or, if you are a DPM administrator you can log in to the DPM server and manually trigger a recovery point for the client. As you can see in the screenshot above recovery point jobs for my client will kick off at 8:00a, 12:00p and 6:00p.
5. On client still logged in as non admin user click the Recovery tab and then click the search icon
Note: If no recovery points have been created since the user was configured for client recovery permissions the user will get the error below:
6. Expand the computer by clicking the “+” on the left to see the available recovery points
7. Click “Open” and Explorer will open to the recovery point volume. Double click on the folder containing the files you would like to recover. In this case I select the c-vol folder:
8. Open the users folder:
9. The user can now see a list of user folders available and open their folder.
10. Select the folder belonging to the user attempting to recover DPM protected data:
11. Open the folder containing the file(s) needing to be recovered. In this case the file I want to recover is in the Desktop folder:
12. Now I can recover my file “newfile.txt”. I can chose to copy it to the desktop to replace the current file on the desktop, I can rename it and place it on the desktop or I can copy the file to another location and preserve both the file currently on the desktop and the recovered file.
Note: A user will not be able to recover any files except those in his/her own folder. If they try to open or recover files from another user they will receive an error like this:
Marc Reynolds | Senior Support Escalation Engineer