Recipe for Duplicati installation on Windows 10 20H2 multi-user workstation with VSS support?

Hi there,

The situation is:
Windows 10 20H2 multi-user workstation with one administrator account and two standard user accounts. All three accounts need to have an individual account in Duplicati and need to use VSS to backup files in use and files and directories like Firefox and Thunderbird profile directories etc.

What I already tried:
(A) install Duplicati as a Windows service:
Works but offers only one Duplicati account for all three Windows users

(B) install Duplicati on a per user base (classical tray icon installation) with “Run as administrator” elevation of the Duplicati shortcut in the Startup Applications folder:
Works, but offers not enough elevation to use VSS which results in permission denied errors etc.

So I ran out of ideas to make this work. Perhaps someone has a proven recipe to get this done? If not, am I touching the “system borders” of Duplicati?

Thanks in advance!

This won’t work if your users are “standard user accounts” as mentioned in the first sentence. They have to be a member of the Administrators group in order for Duplicati to run elevated so it can utilize VSS snapshots.

Thanks for clarification.
So you think that there is no chance for the intended setup (multi-user, with standard users and VSS support)?

No, I can’t think of a way you can do it. I think a compromise will have to be made: if VSS is more important, run a single instance of Duplicati as a service and don’t allow the users to manage its configuration. If user management is more important, then they won’t get VSS.

tl;dr Basically what @drwtsn32 said. Additional details:

is a Windows system border. To use VSS, you need to be in an elevated Administrator type account.
Unfortunately once you’re in the Administrators group this way, you also get very wide access to the
user files because of how the ACLs are set up. Right click on something and look at its Security tab.

I suppose a fancy system might run as a powerful user but try to limit backups and restores per-user.
There would likely be holes to watch for, and Duplicati doesn’t do this. It uses Windows permissions.

Duplicati doesn’t really have accounts. It has a lock screen. You could, of course, run many Duplicati; however, as soon as you need VSS you need Administrators group, and really getting it requires UAC.

I’m not sure it really works. Last time I tried it didn’t give me a UAC prompt so wasn’t actually elevated.
You can turn on the Task Manager Details page Elevated column. Also look at process User name.
Permission denied sounds more like permissions than a locked file problem, which is what VSS fixes.
Although I don’t think it shows elevation, Duplicati About → System info shows UserName. Check that?

I use the shortcut change on a Desktop icon, and have to manually accept UAC on Duplicati’s startup.
This is a one-person computer, so I don’t have to worry about keeping files away from the other users.

EDIT:

I suppose a fancy multi-process backup might be able to use Administrators group account to do VSS snapshot creation, then use a different user account-of-your-choice for backing up from shadow copy,
or maybe there’s a way to do same idea by changing user on-the-fly. I don’t know if Windows can do it.

Nothing proven, just some awkward options to consider…

Does backup have to be user-configurable, or is user involvement primarily to restore their files?
I’m wondering if administrator account can make two backups, but limit users to their own files?

This would work best if backups happened at off-hours (overnight?) to avoid simultaneous uses.
Task Scheduler or a service might be needed unless this workstation does simultaneous logins.

The reason this might work is because a restore basically uses the destination files and job DB.
There’s not (I think) a need for much of a backup configuration if the only need is to do restores.

There’s an even uglier concept if you trust the users somewhat, and can edit folder permissions.
Instead of giving Administrators group broad access, e.g. to user profiles, use separate users…
Create a backup administrator account per user account that can only get into that user’s profile.

How to set the order in which administrative accounts are offered in UAC prompts?
suggests that UAC elevation UX might be rough, but the idea is each user uses their admin user,
which is in Administrators group, but you limited the folder access that Administrators group has.

tl;dr
There is a workaround to use VSS for restricted users in Duplicati. It works like a charm in my test environment. You have to run a separate Duplicati instance for each user, listening on a unique TCP port number.

Using an administrative account, do this for each restricted user:

  • Disable all current autostart options of Duplicati (uninstall Duplicati service, disable Tray icon autostart).
  • Create an empty folder in the user’s root profile folder (for example C:\Users\User1\Duplicati) to store the local Duplicati data for that user. Or use another location, like C:\ProgramData\DuplicatiData\User1.
  • Add all restricted Duplicati users to the local group “Backup Operators” using compmgmt.msc.
  • In Task Scheduler, add a new task for every restricted user that starts a Duplicati instance. Use the following settings:
  • Tab General:
    • User account: Account name of the restricted user
    • “Run whether user is logged on or not”: Selected
    • “Run with highest privileges”: Enabled
  • Tab Triggers:
    • Run at system startup
  • Tab Actions:
    • Program Script: C:\Program Files\Duplicati 2\Duplicati.Server.exe (change path if Duplicati is installed in another location).
    • Add Arguments: --webservice-port=8201 --server-datafolder=C:\Users\User1\Duplicati (use a unique port number for every user and change the path to the folder created for that user).
  • Log on to every Duplicati instance (http://localhost:8201 and all other port numbers). Set a unique password for every user and set advanced option --snapshot-policy to On or Required.
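
The Task Scheduler recipe above, scripted in PowerShell as an added example (not part of the original post and not Duplicati's own tooling). The user names, port numbers and task names are constructed sample values; it assumes the script runs elevated and that each user's profile folder already exists.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the per-user recipe. User names, ports and
# task names are constructed sample values; adjust them to the workstation.
$DuplicatiExe = 'C:\Program Files\Duplicati 2\Duplicati.Server.exe'
$Users = @(
    @{ Name = 'User1'; Port = 8201 },
    @{ Name = 'User2'; Port = 8202 }
)

# Each instance needs its own port, otherwise the second one cannot bind.
$dupes = $Users | Group-Object { $_.Port } | Where-Object Count -gt 1
if ($dupes) { throw "Duplicate web service port: $($dupes.Name -join ', ')" }
if (-not (Test-Path $DuplicatiExe)) { throw "Not found: $DuplicatiExe" }

foreach ($u in $Users) {
    $account    = "$env:COMPUTERNAME\$($u.Name)"
    # Assumption: the user has logged on once, so C:\Users\<name> exists.
    $dataFolder = "C:\Users\$($u.Name)\Duplicati"

    # Per-user folder for that instance's local Duplicati data.
    New-Item -ItemType Directory -Path $dataFolder -Force | Out-Null

    # Membership in "Backup Operators"; skip if already a member.
    $members = Get-LocalGroupMember -Group 'Backup Operators'
    if ($members.Name -notcontains $account) {
        Add-LocalGroupMember -Group 'Backup Operators' -Member $u.Name
    }

    $action  = New-ScheduledTaskAction -Execute $DuplicatiExe `
        -Argument "--webservice-port=$($u.Port) --server-datafolder=$dataFolder"
    $trigger = New-ScheduledTaskTrigger -AtStartup

    # "Run whether user is logged on or not" stores the account password,
    # so prompt for it instead of writing it into the script.
    $cred = Get-Credential -UserName $account -Message "Password for $account"
    Register-ScheduledTask -TaskName "Duplicati ($($u.Name))" `
        -Action $action -Trigger $trigger `
        -User $account -Password $cred.GetNetworkCredential().Password `
        -RunLevel Highest | Out-Null
}

# Confirm each task runs as the intended account with highest privileges.
Get-ScheduledTask -TaskName 'Duplicati (*' |
    Select-Object TaskName, @{ n = 'User'; e = { $_.Principal.UserId } },
                  @{ n = 'RunLevel'; e = { $_.Principal.RunLevel } }
```

The final listing is the quick audit: every row should show the restricted user's own account and `Highest`, not an administrator account.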

That sounds like a great way to avoid the excess of Administrators group. Thanks for the tested recipe!

Security Considerations for Requesters even documents that one, though this older post concerns me.
Use SeBackupPrivilege on Windows #4471 is starting to poke into the area, although at a different level.

Hi kees-z,
thanks a lot for that recipe!
I cooked it following your recipe and it worked regarding Duplicati :)
However, I observed at least two side effects in the standard user accounts:

  • Opening the Task Manager requires now elevation, a UAC prompt asks for the password of the standard user account
  • Software which works as a service under “Local System Account” requires now elevation, a UAC prompt asks for the password of the administrator account

Removing standard user accounts from the “Backup Operators” group eliminates these unwanted side effects immediately.
Do you have an idea how to mitigate these unwanted side effects of standard users belonging to the “Backup Operators” group?

Yes, I can reproduce this. These are annoying side effects. I can’t think of a simple solution. The only possible workaround that comes to mind is to create an extra account for each restricted user, add these extra accounts to the Backup Operators group, give NTFS permissions for the restricted user’s document libraries to the linked extra account and relocate the location of the document libraries to the location of the restricted user’s libraries.
This way you can use the extra account in the task scheduler to backup the restricted user’s document libraries. It’s cumbersome, I haven’t tested it, but it should work.

Can someone clarify when this occurs? Most services use “Local System”. Most come with Windows.

In my Task Manager Elevated column (that I enable), all but one of my SYSTEM services are elevated which suggests that elevation is normal, however I’m not getting UAC prompt on my simple installation.

Can anybody find logic behind why Windows does these two things? That might lead to an avoidance…