Backup Adaxes with Schedule Task

Question

I would like to backup Adaxes on a regular basis with a powershell script. I have a script that works well but I need to run it as a Scheduled Task.

During the backup the Adaxes service is restarted. I don't want to give the Adaxes service account administrator permissions to do this so I created a Group Policy that gave the service account permissions to restart the service.

The backup appears to work most way through but still fails with the following error:

[7/23/2020 5:24:29 PM] Error: Softerra.Adaxes.BackupRestore.BackupRestoreException: Failed to back up the service configuration file due to the following error: Access is denied. ---> Softerra.Adaxes.Adsi.DirectoryComException: Access is denied. 
   at Softerra.Adaxes.Utils.Impersonator.ImpersonationContext..ctor(NetworkCredential credential, LOGON32_LOGON logonType, LOGON32_PROVIDER logonProvider, Boolean loadProfile, Boolean suppressFlowIdentity)
   at Softerra.Adaxes.Utils.Impersonator.DefaultImpersonator.Impersonate(NetworkCredential credential, LOGON32_LOGON logonType, LOGON32_PROVIDER logonProvider, Boolean loadProfile, Boolean suppressFlowIdentity)
   at Softerra.Adaxes.BackupRestore.Processors.ServiceConfigFileProcessor.ReadServiceConfig(BackupRestoreContext context)
   at Softerra.Adaxes.BackupRestore.Processors.ServiceConfigFileProcessor.BackupServiceConfig(String filepath, BackupRestoreContext context)
   at Softerra.Adaxes.BackupRestore.Processors.ServiceConfigFileProcessor.Backup(BackupRestoreContext context)
   --- End of inner exception stack trace ---
   at Softerra.Adaxes.BackupRestore.Processors.ServiceConfigFileProcessor.Backup(BackupRestoreContext context)
   at Softerra.Adaxes.BackupRestore.BackupCommandBase.Backup(BackupRestoreContext context)
[7/23/2020 5:24:29 PM] Info: Starting system service 'Softerra Adaxes Service'.
[7/23/2020 5:24:29 PM] Info: System service 'Softerra Adaxes Service' started.

What additional permissions would I need to give the service account to perform a backup?

Comments

Hello,

Do we understand correctly that the backup script is executed in a Windows Scheduled Task? Could you, please, specify credentials of what account are specified in the security settings of the task? Is it the credentials of the Adaxes service account (specified during Adaxes installation)?

Also, could you, please, post here or send us (support[at]adaxes.com) the script you are using? Does the script use the credentials of the Adaxes service account?

---

Yes. I'm running it from a Windows scheduled task. I figure I can't do a backup routine inside the scripting environment as the service is restarted.

The script is as follows

function Get-MyCredentials{
    param(
        [string]$passwordfile = "$([Environment]::GetFolderPath("MyDocuments"))\samaccountpassword.txt",
        [string]$username = "$($env:USERDOMAIN)\$($env:USERNAME)"
    )
    if(-not $(Test-Path -Path $passwordfile)){(get-credential).password | ConvertFrom-SecureString | set-content $passwordfile}
    $password = Get-Content $passwordfile | ConvertTo-SecureString 
    $credential = New-Object System.Management.Automation.PsCredential("$username",$password)

    Write-Host -ForegroundColor Yellow "Returned credentials"

    return $credential
}


$mycreds = Get-MyCredentials -passwordfile "$([Environment]::GetFolderPath("MyDocuments"))\adaxesaccountpassword.txt"

$date = Get-Date -Format ddMMyy
CD "C:\Program Files\Softerra\Adaxes 3\Service"

.\Softerra.Adaxes.BackupRestore.exe /b "C:\Scripts\adaxesbackup\$($date)Adaxes.bak" -l "C:\Scripts\adaxesbackup\$($date)AdaxesBackup.log" -u $($mycreds.UserName) $($mycreds.GetNetworkCredential().password)

---

The script does work without issue if the service account is an Admin.

I have added the service account to the Backup Operators group. It doesn't seem to have helped.

---

Hello,

What about the account that is specified in the security settings of the Scheduled Task itself? Did you try specifying the credentials of the Adaxes service account in the settings?

Also, please, make sure that the Adaxes service account is granted the Interactive logon permissions on the computer where Adaxes service is installed.

---

Yes. I'm using the service account to run the scheduled task. It seems to have something to do with network creds according to the error.

The account has the run as batch rights. Run as service rights. Member of the backup operators groups so it can traverse files and login interactively. The account has permissions to write to the directory.

I've been messing with the local security policy to see if I can find what its looking for.

Answer 1

I think that the problem is most likely that you need to specify the credentials of the service account itself in the settings and see how it will be in the future.