Permissions for SQL Server backup and recovery

Permissions required for a single-pass backup

To successfully perform a single-pass backup of a machine that is running Microsoft SQL Server, the account under which the backup plan runs must be a member of the Backup Operators or Administrators group on the machine.

Also, this account must be granted the sysadmin role on each of the instances installed on the machine.

If you create a backup plan while you are logged on as a regular user, such as a member of the Users group, you need to specify the credentials for the account that has the above privileges. To access this setting, click Plan's credentials on the Create backup plan page.

A backup plan created by a member of the Administrators group runs under the agent service account by default. The same applies to a centralized backup plan deployed from the management server. That's why it is advisable to assign the agent the permissions required for single-pass backup.

Granting the permissions to the agent

During installation, the setup program includes the agent service account in the Backup Operators group. If you choose to create a new account for the agent, this account is also included in the Administrators group. Therefore, the agent always has the required privileges in Windows.

To grant the agent the sysadmin role in SQL Server, you are asked to specify the sysadmin credentials for each Microsoft SQL instance installed on the machine. If you do not specify the credentials during installation, you can grant the agent the sysadmin role later in any of the following ways:

You must also grant explicitly the agent the sysadmin role after a new Microsoft SQL Server instance is installed on the machine.

To grant the agent service account the sysadmin role on an instance by means of a T-SQL script

  1. Create a text file with the following contents:

    Create Login [<machine name>\Acronis Agent User] From Windows
    Exec master..sp_addsrvrolemember @loginame = '<machine name>\Acronis Agent User',@rolename = 'sysadmin'

    Acronis Agent User is the account created for the agent by default. If you specified an existing account during the agent installation, replace Acronis Agent User with the user name of the existing account.

    The file can have any extension.

  2. At the command prompt, run the following command:

    sqlcmd -S <machine name>\<instance name> -i <full path to T-SQL script file>

If you do not want to grant the sysadmin role to the agent, you must specify credentials in every backup plan as described at the beginning of this section.

Permissions required for recovering a Microsoft SQL Server database

When recovering a database to an instance, you need to specify credentials for this instance. The prompt for the credentials appears after you select the destination instance on the Recover data page.