Question : Can I use a universal account with Acronis TrueImage Echo Workstation/Server?

I have a small network in a branch office that I have set up Acronis TrueImage Workstation on each system to back up on a regular basis to a 2TB NAS.  I am getting stuck setting up the task when it asks for the user account in which the service will run.

The ideal situation would be for the user to enter their Active Directory username and password and the backup will be started under their username.  The problem with this is that we require each user to change their password every 90 days, and I would rather not depend on each user to open Acronis on their workstations and update their password.

The only solution that I could think of is create an AD Administrator account and set the service to run under that user, but this is a huge security risk.  How else can I have the service reliably run?

Answer : Can I use a universal account with Acronis TrueImage Echo Workstation/Server?

The best method with ANY Windows Service is to run it with Domain Administrator credentials, since this grants the service the appropriate permissions to access all data on the system and run the back up job with out any errors or unaccessible files (due to permissions). This also ensures the integrity of your backup.

Ideally you would create a completely separate account in Active Directory specifically for the purposes of this service. Give it a random password - keep a note of it in a secure password storage tool, but it doesn't matter that it's random characters since once everything is set you won't need to log in as this account. Grant the account Domain Admin privileges. You now have an account you can use to run your backups without them being halted by incorrect user credentials, permissions errors or whatever else might spring up.

The use of a Domain Admin account for this purpose won't be a major security risk provided you give it a random password which is complex enough to secure the account efficiently. In fact, for backup purposes, the only accounts you can use in almost all cases are Domain Admin (or at least Administrator) accounts for permissions purposes.