Access Denied. No Sufficient Permissions (code 2408)

Situation

A backup plan terminates with the following error: Access Denied. No Sufficient Permissions

The following records are found in the Event log: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = %1. This is often caused by incorrect security settings in either the writer or requestor process. %2

Cause

Error code 8194 is an "Access is Denied" error caused by the inability of one or more VSS system writers to communicate using the "COM" calls exposed in the IVssWriterCallback interface (Microsoft programming interface to the Volume Shadow Service).

Solution

There are two ways to solve the issue:

Note that reboot may be required

  • The first (preferred) way to work around the issue is to adjust the default COM service activation permissions - allowing Network Service (and possibly Local Service) user account(s) to activate the IVssWriter callback interface. This method has the benefit of permanently fixing the issue in one place and allowing the VSS Writer service(s) to run at the privilege level that Microsoft intended. Any COM object accessed (by a process running as Network Service) still can enforce security restrictions.

Make this fix by doing the following:

  1. Click Start, then select Run.
  2. Type dcomcnfg. This command starts the Component Services application.
  3. On the left pane navigate to Component Services->Computer ->MyComputer.
  4. Right-click on MyComputer and select properties.
  5. Switch to the COM Security tab, then select the Edit Default button under Access Permissions.
  6. Click Add... to add the "Network Service" account to the permission list.
  7. Make sure that ONLY the Local Access box is checked, then click OK.
  8. Close Component Services.
  9. Reboot the computer.
  10. Run the backup plan again.
  • The second way is to locate the VSS writers (Start | Run | services.msc) that are erring out and change the account they are running under from Network Service to Local System. Then, restart the service process (or reboot the computer) and the VSS Writer will run with max privileges - thereby eliminating the IVssWriter callback errors.

The possible security issue with this method is that the service will be running with a higher level of access than Microsoft intended. Should the VSS Writer process be "hacked", this could be a security weakness. But, if you're not overly concerned about that, repeat this process for each VSS Writer that generates an 8194 error and you should not experience any more error events in normal operation.

Also, follow these best-practice recommendations from Microsoft

https://git.cloudberrylab.com/egor.m/doc-help-kb.git