SharePoint protection failed

DPM can be used to protected Microsoft Office SharePoint 2007 or Windows SharePoint Services 3.0. DPM used the SharePoint VSS writer for this Protection. More details in the post SharePoint Protection with DPM

To provide the DPMRA agent with the necessary permissions to protect SharePoint, you need to run the ConfigureSharepoint.exe tool. This utility configures the WSS Writer service and any associated services with the correct credentials required to access the farm for backup and recovery purposes.

This works like a charm in most environments. However in some highly secured domains you can run in to issues. When a Group Policy overwrites the required permissions, the protection will fail.

In this case you will see errors like below.

Error on the DPM Server:
------------------------------------------------------------------------------------
Recovery point creation jobs for Shared Services Provider SSP_Database_server_name\Instance\database_name on SharePoint front-end_server_name  have been failing. The number of failed recovery point creation jobs = 4.
If the datasource protected is SharePoint, then click on the Error Details to view the list of databases for which recovery point creation failed.  (ID 3114)

An unexpected error occurred during job execution. (ID 104 Details: The server process could not be started because the configured identity is incorrect. Check the username and password (0x8000401A))
------------------------------------------------------------------------------------

Error in the application log of the WFE (SharePoint Front-end):

Event Type:    Error
Event Source:    DCOM
Event Category:    None
Event ID:    10004
Date:        29-10-2009
Time:        10:05:04
User:        N/A
Computer:    <WFE server>
Description: DCOM got error "Logon failure: the user has not been granted the requested logon type at this computer. " and was unable to logon <domain>\<configuration account> in order to run the server:
{E95EF0B1-D0E3-45D9-B699-8B37F068CF25}
------------------------------------------------------------------------------------

This can be related to Log on as a batch job permission that should be assigned to the account you specified when running the ConfigureSharePoint.exe command.

This right is set by the ConfigureSharepoint.exe –EnableSharePointProtection command. Make sure this right is not overwiten by your security (Group) policies.