How to make domain user for backup be part of backup operators group on one client?

Thorsten Schöning 81 Reputation points
2021-04-28T08:12:34.647+00:00

I'm using WBADMIN to back up multiple clients to a share published by a Synology NAS using SMB. That NAS is integrated into my Server 2019 AD, and the backed-up Windows clients are part of that same domain. My approach is to create one special backup user per client in the AD and configure access to the share for that user only. Afterwards I create a custom task in the Task Scheduler of the Windows client to execute a PowerShell script wrapping the execution of WBADMIN with a bit of log management, sending mails and minor stuff like that.

The important part is that the created task gets executed with the credentials of the specially created domain user for backing up this one client only. So in the end I have the users backup_host1_wib, backup_host2_wib etc. in the AD. All of those users are already part of the group Backup Operators on the domain controller, because they need special permissions to be executed by the Task Scheduler, access to the files to back up at all, etc. The problem is that even though those users are contained in that group on the domain controller, the Task Scheduler on the clients refuses to execute the task because of a lack of permissions to run the task.

What I need to do instead is make each backup user per host additionally a member of the client-local group Backup Operators as well. Afterwards the task is successfully executed, WBADMIN creates the image and everything works as expected. Though, because I already added those users to Backup Operators on the domain controller, I had expected that this group membership would be communicated to the individual clients as well and that I wouldn't need to assign the group membership on each client manually.

So, is it by design that this special group membership doesn't publish to individual clients, or am I doing something wrong? Might the group membership in the AD simply not YET have been published to my test client when I tested? Though I think I even restarted it, and that didn't change anything.

[image: 92062-clipboard06.jpg]

Do I really need to create a GPO instead to make each special backup user get its expected permissions on the corresponding client, as described in the following article? That doesn't make too much sense to me, because the mentioned GPOs already contain the group Backup Operators, and adding to that group only seems easier to me.

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories

Thanks!


Accepted answer
  1. Fan Fan 15,291 Reputation points Microsoft Vendor
    2021-04-29T02:46:07.593+00:00

    Hi,
    Based on my understanding, if users need to perform a backup task, they need the backup permission (add them to the Backup Operators group).
    The group Backup Operators on the DCs is not related to the clients.
    If you want the users to perform the backup task, we may need to use Group Policy to add the users to Backup Operators on the clients.
    You can find the policy under:
    [image: 92472-4292.jpg]
    [image: 92396-4291.jpg]

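To illustrate the point of the answer on a single client, here is an added example (not code from the question or the answer) that checks whether the per-host domain account is a member of the client-local Backup Operators group and adds it if it is not. It assumes the domain's NetBIOS name is passed in as $DomainNetbios and that the account name follows the backup_<hostname>_wib pattern from the question; it must run elevated on the client.

```powershell
# Added example: ensure the per-host backup account is in the LOCAL Backup Operators
# group on this client. Membership of the domain's Backup Operators group (a built-in
# group that only applies on the domain controllers) does not flow to the client-local
# group of the same name, which is why the scheduled task lacked permissions.
param(
    # Assumption: NetBIOS name of the domain, e.g. CORP (not the DNS name).
    [Parameter(Mandatory = $true)]
    [string]$DomainNetbios,

    # Assumption: account naming follows the question's pattern backup_<host>_wib.
    [string]$AccountName = "backup_$($env:COMPUTERNAME.ToLower())_wib"
)

$group  = 'Backup Operators'
$member = "$DomainNetbios\$AccountName"

# Get-LocalGroupMember reports domain principals as DOMAIN\name.
$current = Get-LocalGroupMember -Group $group -ErrorAction Stop

if ($current.Name -contains $member) {
    Write-Output "$member is already a member of the local '$group' group on $env:COMPUTERNAME."
} else {
    # Add the domain account to the client-local group; this is what a Restricted Groups /
    # Group Policy Preferences setting would do centrally across all clients.
    Add-LocalGroupMember -Group $group -Member $member -ErrorAction Stop
    Write-Output "Added $member to the local '$group' group on $env:COMPUTERNAME."
}

# Verification: the account should now be listed; the scheduled task running as this
# account will receive SeBackupPrivilege at logon through this membership.
Get-LocalGroupMember -Group $group | Where-Object { $_.Name -eq $member }
```

Note that membership in the domain's Backup Operators group grants those accounts backup and restore rights on the domain controllers themselves, which a per-host backup account does not need; keeping each account only in the local group of its own client confines the privilege to where it is actually used.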
