Setting up Duplicati as a windows service is a little complex and error prone.
This post in google groups:
suggests the following simpler alternative:
I can’t help you with “run as service”. However, I autostart Duplicati 2.0.x in Windows 10 (and previously in Windows 7):
using the Windows Task Scheduler. I created a new task with the following properties:
(1) Run at Logon
(2) Run with the highest privileges checkbox selected
(3) Action: Start a program (and I configured it to the path to Duplicati.GUI.TrayIcon)
At the system boot and when I login to Windows, Duplicati starts and it is minimized in the system tray.
The standard Duplicati windows install sets up Duplicati to automatically start without Admin privilege.
The reason you would want to run Duplicati as described above is to start it with Admin privilege so that you can take advantage of Windows Snapshots. Windows Snapshots give you the ability to backup in-use files. Alternately you can run Duplicati as a windows service to give it Admin privilege, but that requires a lot more configuration changes than this method.
As I know D2 can do it automatically without Task Scheduler.
While you are correct Duplicati 2 doesn’t need the task scheduler to start at logon, I believe what @jht is suggesting allows for it to be “as admin” (so to speak) rather than as the logged on user.
If that’s correct, then the Task Scheduler method would allow for VSS snapshots without needing to be run as a service.
If you use a Windows account that has admin privilege, you don’t even need to use the task scheduler. You can just do this:
- Create a shortcut to Duplicati.GUI.TrayIcon.exe
- Right click the shortcut, and select Properties
- Select the Compatibility tab in the Properties dialog
- Enable the option to “Run this program as an administrator”
- If desired, put this shortcut into your Startup folder to run Duplicati automatically at login
So this means that D2 will not run when user is not logged in?
I will have to always setup the D2 to run via the startup?
Maybe that is why I do not see the backup done until I log in to check?
Correct. A shortcut in the startup folder will not run until login.
If you want Duplicati to run when you are not logged in, then you will probably need to set it up as a Windows service.
Yes, I finally read the manual and found (obscure) places to set it up.
Now it is ok.
I wish there would have been an install option for the windows service.
I think that’s been discussed but hasn’t been implemented yet. Hopefully adding your voice will help it to move up on the task list.
I found this video to be outstanding:
Glad to hear you found the video useful - well done @kees-z!
I was using Windows 7 when I wrote that. I have since switched to Windows 10, and it doesn’t seem to work on Windows 10. The task scheduler method still works nicely.
Just to clarify, you don’t need a service, the task scheduler or admin level access in order to use VSS!
All you need is to be a member of the Backup Operators group.
All these built-in groups that come with Windows - they exist for a reason.
Do you happen to know if that’s the she group in Windows 7 & Windows 10?
Also, what else does that go give access to? For example, does that group membership give read access to the whole system (including other user accounts)? Did it allow WRITE access in such folders?
I think it’s a good idea to share - I just want to make sure people are informed of “side effects”.
One disadvantage of a Startup shortcut with “Run this program as an administrator” is that at login time it will give you a UAC prompt every time (if you have UAC turned on at that level).
The Run as a service, and task manager methods don’t prompt UAC.
Also, note, if you “run as a service” you will hit the problem that after you’ve Installed Windows 10 Fall Creators Update - Now Everything is Missing In Duplicati. You can adapt these instructions to change the location of the duplicati datafolder to avoid that problem.
I have not used Windows 7 for over a year now, but I am pretty sure it has the same built-in group.
Yes and No. That group has a special privilege granted by default that you can grant to any other group or user using either local security policy or group policies from AD. The special privilege does give access to everything on the system and it also does grant you the permission to use VSS, however, that access is through a different API call. In other words, if you are a member of Back-up Operators and log-in and try to access resources that you typically don’t have access to, you will still be unable to access them. If you use a specially written software that calls the correct API and uses the so called “backup semantics” you will be able to bypass NTFS permission and read stuff that you normally can’t. By default, Windows only grants the access to the aforementioned group, the group is empty and use of the privilege is logged in the security log.
In any case the “side effects” are far less significant compared to the Administrators group, so you are better off with that no matter what.
Security Considerations for Requesters confirms that Administrators group and Backup Operators Group can do VSS, and either is safer (i.e. less privileged/dangerous) than SYSTEM, which of course does VSS.
Appendix B: Privileged Accounts and Groups in Active Directory looks like Administrators has more power.
Creating, Modifying, and Deleting a Change Journal is the wrinkle from recent –usn-policy which seems to not only need Administrators group, but actually elevate. For Tray Icon I check “Run as administrator” on a custom Duplicati shortcut for the Standard User account that I run in, and I have to answer a UAC prompt. For a task, OP mentions a highest privileges checkbox, so possibly Service setup has a similar checkbox.
Thanks for all the great info!