Backup to auto-mounted network-drive (domain-accounts) without getting user PW & without Warning-Message for opened files

My Case:
Here in my company everybody has an user-account. This account is used to login on a computer, via a domain. I have as a system-admin on every computer an admin account. If somebody is logging in on a computer, a network drive is automatically mounted.
The computers are on Windows 10.

The Aim:
I want an automatically backup of the user-data on the computer to this private network-drive of the user. This backup should be silent, if no errors are occurring. If a critical error is occurring, I should receive an E-Mail about this, so I can go to this user, and solve this problem. At the moment I am not sure, if I want a popup-error-message at the user or not. Both has pros and cons. But my tendency is that I would like to show the user the warnings and errors.
Additionally it should be possible for me to access the Backup software, to help the user, if problems are occurring.

The Problem:
Depending on the installation type (local or service) I have a problem for my wished approach.

A. Local Installation:

  • Good: The network drive of the user can be chosen directly, without giving duplicati the user’s password.
  • Problem: If a backup is made, and a file is opened (so it is locked), duplicati gives a popup-warning. This would annoy the user.

B. Service-Installation:

  • Good: The warnings for opened files are not there (thanks to snapshot-policy).
  • Problem: I could not write to the network drive, without using the users password in “plain text”*. So I could access the user’s password, which I don’t want (as this is a very important password for other services like E-Mail, …).
    *It is hidden for setting up the backup routine, but I could export the settings as plain text, and this would give me the possibility to access the user’s password in plain text.

The Dilemma:
For me, it does not seem possible to achieve my approach. With both options I always get half of what I want. And both “problems” I mentioned in A and B are crucial. Meaning as they are, they are a no go.

Possible Solutions:

  1. A + having a filter that excludes locked windows-files, to suppress the annoying popup-warnings. Problem: If a file is not closed regularly, there might be the possibility of lost data.
  2. A + supress somehow the warning-popup-messages for the user. Additionally, it is possible, that I get only an Error-Mail on real errors (not on warnings).
  3. A + suppress somehow the popup-messages for the user completely. Additionally, it is possible, that I get only an Error-Mail on real errors (not on warnings).
  4. B + make it somehow impossible to get on the users password in plain text.
  5. B + make it somehow possible to access the local-user-network-drive, without typing in the users password.

For me it was not possible to achieve one of my “solutions”. So I would be very happy, if somebody has an idea and could help me! This problem has been bothering me for weeks, and I have not been able to solve it.
Thank you very much in advance!

Done so far:
Just short. I tried the following installation methods. But without success.

Have you tried tying the Duplicati service to a domain account, one with admin rights to workstations (so you can use VSS) and write access to the backup destination path? Advantage is you could restrict normal users from accessing this destination, helping to protect the backup data from ransomware attack.

Hm. Maybe I don’t understand your idea. The domain accounts have no admin rights. I tried to install Duplicati as a service with the local user of the domain. But then the network-drive was not visible.

I do not have admin rights to make changes to the domain accounts or anything else related to them. This is from another department, and I have to live with what they provide me. The only admin accounts I have are local admins. And the network-drive is automatically on the windows machine, if a user login with his domain credentials.
So this is not working for my purpose.

If you can’t change that, then I suppose it’s a no-go. But it’d be easy for an AD administrator to configure Group Policy to add a specific Domain account as a local admin on workstations. Oh well.

Are the domain users that log in local admins on the workstation?

I can’t change anything about the domain accounts. In a department with around 35.000 users, the “higher levels” make the rules and the decisions, how the domain-accounts are handled.
I as sub-admin for 10 persons can achieve little pressure. For 10 people who want to make their backup with duplicati, no exception is made.
If there is no other possibility, I have to rethink my system…

Are domain users local admins? (The people logging in to these workstations.)

The domain users are no local Admins.
But there is on each PC a local Admin account, to make installing of software possible.

Ok, gotcha.

One option I can think of is to use a different back-end instead of UNC path. If you set up an SFTP or WebDAV server (for instance) you can control authentication with credentials that aren’t tied to the domain. Duplicati could run as a service under LocalSystem and write to such a back-end without exposing a users’ passwords.