Access Denied to the NTDS VSS Writer

Applies to: Windows Server 2003, Windows Server 2008, Windows Server 2012

Symptoms


When the NTDS VSS Writer fails because of insufficient permissions, it logs only a very vague event in the event log:

EventSystem warning 4354 : "The COM+ Event System failed to fire the RequestWriterInfo method on subscription. The subscriber returned HRESULT 80070005"

Cause


This failure occurs because the account used to initiate the backup does not have the appropriate level of permissions. The documentation on MSDN indicates that the user needs to be a member of the Administrators group or the Backup Operators group, or be running as the Local System account. On a Windows Server 2003 domain controller, if you remove the Administrator account from the Domain Administrators group, it is still a member of the BuiltIn\Administrators group. By default, this group does not have the proper privileges to invoke the NTDS VSS Writer.

Resolution


Add the account used to initiate backups to the Backup Operators group.
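The following PowerShell script is an added example, not part of the original article. It looks for the symptom event and checks whether the backup account is in the Backup Operators group. It assumes PowerShell 2.0 or later with the ActiveDirectory module (Windows Server 2008 R2 or later), and `svc-backup` is a placeholder account name.

```powershell
# Added example. Replace the placeholder with the account your backup job runs as.
$BackupAccount = 'svc-backup'            # hypothetical account name (assumption)
$Since         = (Get-Date).AddDays(-7)  # how far back to search the event log

# Symptom: event ID 4354 in the Application log whose message reports that
# RequestWriterInfo failed with HRESULT 80070005 (access denied).
$filter = @{ LogName = 'Application'; Id = 4354; StartTime = $Since }
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'RequestWriterInfo' -and $_.Message -match '80070005' }

if ($hits) {
    Write-Output ("Found {0} matching event(s) since {1}:" -f @($hits).Count, $Since)
    $hits | Select-Object TimeCreated, ProviderName, Id, Message | Format-List
} else {
    Write-Output "No event 4354 with HRESULT 80070005 since $Since."
}

# Resolution check: is the backup account a direct or nested member of
# Backup Operators? A job running as Local System is not listed here and
# does not need to be.
Import-Module ActiveDirectory
$members = Get-ADGroupMember -Identity 'Backup Operators' -Recursive |
    Select-Object -ExpandProperty SamAccountName

if ($members -contains $BackupAccount) {
    Write-Output "$BackupAccount is a member of Backup Operators."
} else {
    Write-Output "$BackupAccount is NOT a member of Backup Operators."
    if ($hits) {
        Write-Output "This matches the access-denied failure described in this article."
    }
}
```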

More Information


See "Security Considerations for Requesters" in the MSDN documentation.

Third-party backup vendors may use the technique of extracting the system files from a volume snapshot. If backup software uses this method, the backup will not include the NTDS.dit file in the system state, even though it was in the original volume snapshot.