Setting up Duplicati as a windows service is a little complex and error prone.
This post in google groups: Google Groups
suggests the following simpler alternative:
I can’t help you with “run as service”. However, I autostart Duplicati 2.0.x in Windows 10 (and previously in Windows 7):
using the Windows Task Scheduler. I created a new task with the following properties:
(1) Run at Logon
(2) Run with the highest privileges checkbox selected
(3) Action: Start a program (and I configured it to the path to Duplicati.GUI.TrayIcon)
At the system boot and when I login to Windows, Duplicati starts and it is minimized in the system tray.
Update 2018-02-22:
The standard Duplicati windows install sets up Duplicati to automatically start without Admin privilege.
The reason you would want to run Duplicati as described above is to start it with Admin privilege so that you can take advantage of Windows Snapshots. Windows Snapshots give you the ability to backup in-use files. Alternately you can run Duplicati as a windows service to give it Admin privilege, but that requires a lot more configuration changes than this method.
While you are correct Duplicati 2 doesn’t need the task scheduler to start at logon, I believe what @jht is suggesting allows for it to be “as admin” (so to speak) rather than as the logged on user.
If that’s correct, then the Task Scheduler method would allow for VSS snapshots without needing to be run as a service.
So this means that D2 will not run when user is not logged in?
I will have to always setup the D2 to run via the startup?
Maybe that is why I do not see the backup done until I log in to check?
Yes, I finally read the manual and found (obscure) places to set it up.
Now it is ok.
I wish there would have been an install option for the windows service.
Cheers.
I was using Windows 7 when I wrote that. I have since switched to Windows 10, and it doesn’t seem to work on Windows 10. The task scheduler method still works nicely.
Just to clarify, you don’t need a service, the task scheduler or admin level access in order to use VSS!
All you need is to be a member of the Backup Operators group.
All these built-in groups that come with Windows - they exist for a reason.
Do you happen to know if that’s the she group in Windows 7 & Windows 10?
Also, what else does that go give access to? For example, does that group membership give read access to the whole system (including other user accounts)? Did it allow WRITE access in such folders?
I think it’s a good idea to share - I just want to make sure people are informed of “side effects”.
One disadvantage of a Startup shortcut with “Run this program as an administrator” is that at login time it will give you a UAC prompt every time (if you have UAC turned on at that level).
The Run as a service, and task manager methods don’t prompt UAC.
I have not used Windows 7 for over a year now, but I am pretty sure it has the same built-in group.
Yes and No. That group has a special privilege granted by default that you can grant to any other group or user using either local security policy or group policies from AD. The special privilege does give access to everything on the system and it also does grant you the permission to use VSS, however, that access is through a different API call. In other words, if you are a member of Back-up Operators and log-in and try to access resources that you typically don’t have access to, you will still be unable to access them. If you use a specially written software that calls the correct API and uses the so called “backup semantics” you will be able to bypass NTFS permission and read stuff that you normally can’t. By default, Windows only grants the access to the aforementioned group, the group is empty and use of the privilege is logged in the security log.
In any case the “side effects” are far less significant compared to the Administrators group, so you are better off with that no matter what.
Security Considerations for Requesters confirms that Administrators group and Backup Operators Group can do VSS, and either is safer (i.e. less privileged/dangerous) than SYSTEM, which of course does VSS.
Creating, Modifying, and Deleting a Change Journal is the wrinkle from recent –usn-policy which seems to not only need Administrators group, but actually elevate. For Tray Icon I check “Run as administrator” on a custom Duplicati shortcut for the Standard User account that I run in, and I have to answer a UAC prompt. For a task, OP mentions a highest privileges checkbox, so possibly Service setup has a similar checkbox.
