Currently we use a domain admin account for the backup job. I know that is bad, so I need your help to find a better (safer) solution.
I'm not skilled enough to manage this by myself.
Our organization is large, but I manage only a local section with 50 users and some physical and virtual domain member servers (no local domain controller).
All VMs are servers.
I must be able to back up physical servers' OSs, entire guest VMs and also specific folders on some VMs.
I read some other posts here, and I think one solution could be to create a domain service account and add it to the local admins group on all the VMs. But if this account is compromised it would affect all VMs, right?
Should I create multiple local admin accounts? One for each VM?
Are there other strategies?
Thanks
- Product Manager
- Full Name: Fabian K.
- Location: Switzerland
Re: Backup account : local admin?
Hi Liuc
If an attacker has access to the Veeam Server, every account will be compromised. Doesn't matter if you use local accounts per server or a single domain admin account for the entire job. The important thing is to protect your Veeam server from unauthorized access.
But both options will work as long as you follow the permission requirements for guest processing in our user guide:
https://helpcenter.veeam.com/docs/backu ... processing
For physical machines, you can use the Veeam Agent without using any credentials. Please use the protection group type "Computers with pre-installed agents" for that scenario:
https://helpcenter.veeam.com/docs/backu ... ml?ver=110
In Veeam Backup & Replication V12, you will be able to use gMSA for guest application aware processing. With gMSA, you don't have to store credentials on the backup server. But for gMSA, you need to have access to a domain controller to configure it.
Thanks
Fabian
Product Management Analyst @ Veeam Software
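An added example, not from the thread or from Veeam: a PowerShell audit for the dedicated service account option discussed above. It checks that the account is outside Domain Admins and reports local Administrators membership on each in-scope server. The account name and server list are hypothetical, and it assumes PowerShell remoting is enabled and the RSAT ActiveDirectory module is installed.

```powershell
# Constructed sample values, not from the thread: replace with your own.
$BackupAccount = 'CORP\svc-backup-guest'        # hypothetical dedicated service account
$InScope       = @('APP01', 'SQL01', 'FILE01')  # hypothetical VMs that need guest processing

# 1. The backup account should not be a (nested) member of Domain Admins.
Import-Module ActiveDirectory
$sam = $BackupAccount.Split('\')[1]
$isDomainAdmin = [bool](Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.SamAccountName -eq $sam })

# 2. Read local Administrators on every in-scope server.
#    The group is addressed by its well-known SID, so localized group names do not matter.
$report = foreach ($server in $InScope) {
    try {
        $members = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            # Cast the enum to a string so it survives remoting serialization.
            Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
                Select-Object Name, @{ Name = 'Source'; Expression = { [string]$_.PrincipalSource } }
        }
        $others = $members |
            Where-Object { $_.Source -eq 'ActiveDirectory' -and $_.Name -ne $BackupAccount }
        [pscustomobject]@{
            Server                = $server
            BackupIsLocalAdmin    = @($members.Name) -contains $BackupAccount
            OtherDomainPrincipals = @($others.Name) -join ', '
            Error                 = $null
        }
    }
    catch {
        # Unreachable host, remoting disabled, or an orphaned SID in the group:
        # record the failure instead of silently reporting "not a member".
        [pscustomobject]@{
            Server                = $server
            BackupIsLocalAdmin    = $null
            OtherDomainPrincipals = $null
            Error                 = $_.Exception.Message
        }
    }
}

"Backup account in Domain Admins: $isDomainAdmin"
$report | Format-Table -AutoSize -Wrap
```

Run it again against servers outside `$InScope` to confirm the account is not a local administrator where no guest processing is needed.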