cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
How to configure the DPM Client to allow non-admin users to perform end-user recovery of DPM protected data
By
System-Center-Team
Published Feb 15 2019 06:24 AM 2,503 Views
System-Center-Team
Microsoft
‎Feb 15 2019 06:24 AM

How to configure the DPM Client to allow non-admin users to perform end-user recovery of DPM protected data

‎Feb 15 2019 06:24 AM
First published on TECHNET on May 10, 2011

Hi everyone, Marc Reynolds here and I wanted to take a minute and show you how to use a new feature that came with the March DPM hotfix rollup package that allows users that are not local administrators on a protected client to recover their protected data. Prior to this rollup hotfix, only a user that was explicitly a member of the local administrators group could recover protected data. This change is documented in Description of the hotfix rollup package for System Center Data Protection Manager 2010: March ... :

The administrator of a client computer must set the name of non-admin users who have to have permissions to perform end-user recovery of protected data of a client computer. To do this, the administrator must add the following registry key and value for each of these non-admin users. This is single key that contains a comma-separated list of client users. You do not have to add this key separately for each non-admin user.

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtectionREG_SZ: ClientOwners
Value: Names of non-admin users. This should be a comma-separated list of user names without any leading or trailing spaces, as in the following example: domain1\user1,domain1\user2,domain1\user3 (and so on)

Follow the steps below to configure DPM recovery permissions for users that are not members of the local administrators group:

1. Log into the DPM protected client computer with a user account that is a member of the local administrators group

2. Open the registry editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection

3. Right click on the “ClientProtection” key and select New String Value

a. Name the new value “ClientOwners”

b. You can add a single user using the domain\user format or you can add multiple users using a comma separated list (make sure not to use any leading or trailing spaces in the list) as shown below:

c. Click “OK” to save the new ClientOwners value and the registry should now show the new “ClientOwners” value along with the users you have configured:

4. Close Registry Editor and you have completed the configuration. If you need to give more users recovery permissions at later time you can simply add the user account name to the ClientOwners list.

Testing the configuration to make sure users that can recover their protected data:

1. Log on as a user that is not a member of the local administrators group and has been given permissions to recover DPM protected data in the steps above.

2. Open DPM client

3. From the Summary tab, click “Sync now”

4. You can either wait for a scheduled recovery point job to run or, if you are a DPM administrator you can log in to the DPM server and manually trigger a recovery point for the client. As you can see in the screenshot above recovery point jobs for my client will kick off at 8:00a, 12:00p and 6:00p.

5. On client still logged in as non admin user click the Recovery tab and then click the search icon

Note: If no recovery points have been created since the user was configured for client recovery permissions the user will get the error below:

6. Expand the computer by clicking the “+” on the left to see the available recovery points

7. Click “Open” and Explorer will open to the recovery point volume. Double click on the folder containing the files you would like to recover. In this case I select the c-vol folder:

8. Open the users folder:

9. The user can now see a list of user folders available and open their folder.

10. Select the folder belonging to the user attempting to recover DPM protected data:

11. Open the folder containing the file(s) needing to be recovered. In this case the file I want to recover is in the Desktop folder:

12. Now I can recover my file “newfile.txt”. I can chose to copy it to the desktop to replace the current file on the desktop, I can rename it and place it on the desktop or I can copy the file to another location and preserve both the file currently on the desktop and the recovered file.

Note: A user will not be able to recover any files except those in his/her own folder. If they try to open or recover files from another user they will receive an error like this:

Enjoy!

Marc Reynolds | Senior Support Escalation Engineer

The App-V Team blog: http://blogs.technet.com/appv/
The WSUS Support Team blog: http://blogs.technet.com/sus/
The SCMDM Support Team blog: http://blogs.technet.com/mdm/
The ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
The SCOM 2007 Support Team blog: http://blogs.technet.com/operationsmgr/
The SCVMM Team blog: http://blogs.technet.com/scvmm/
The MED-V Team blog: http://blogs.technet.com/medv/
The DPM Team blog: http://blogs.technet.com/dpm/
The OOB Support Team blog: http://blogs.technet.com/oob/
The Opalis Team blog: http://blogs.technet.com/opalis
The Service Manager Team blog: http: http://blogs.technet.com/b/servicemanager
The AVIcode Team blog: http: http://blogs.technet.com/b/avicode
The System Center Essentials Team blog: http: http://blogs.technet.com/b/systemcenteressentials
The Server App-V Team blog: http: http://blogs.technet.com/b/serverappv

0 Likes
Like
Version history
Last update:
‎Mar 11 2019 08:45 AM
Updated by:
Labels