Real-time performance monitoring and troubleshooting
reiso22
Influencer
Posts: 18
Liked: never
Joined: Feb 22, 2011 3:54 pm
Contact:

Permission question

Post by reiso22 »

Good day,
We are currently in the process of moving Veeam One to another server. Therefore we are also checking service account permissions. Setup is as follows:

- Veeam One installed on a Hyper-V VM
- Veeam One connecting to a Hyper-V cluster using a domain account which is local administrator on the Hyper-V Hosts

The deployment guide says that the account used to monitor guest VMs must have local administrator permissions on the guest OS. Is that really still required, since it might be a security issue to add a domain account as local administrator on all guest VMs?

If that is still required, is it possible to use a gMSA account for that?

Thanks for any information.

Best regards
Michael
RomanK
Veeam Software
Posts: 785
Liked: 205 times
Joined: Nov 01, 2016 11:26 am
Contact:

Re: Permission question

Post by RomanK »

Hello Michael,

To monitor Hyper-V virtual infrastructure in short:
Standalone Hyper-V hosts:
  • member of the Hyper-V Administrators and Performance Monitor Users groups.
  • remotely access WMI on Microsoft Hyper-V hosts.
Hyper-V clusters:
  • local Administrator permissions on clusters.
SCVMM:
  • user role that is based on the Read-Only Administrator profile.
This is enough to collect all the information from the VI.

The Connection to VM Guest OS section is required only if you would like to get additional data from inside the OS. This data is: In-Guest Processes and In-Guest Services.

Hope this helps.

gMSA support was discussed in this thread. Please take a look.

Thanks
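
Added example (not part of the original posts and not Veeam's own code): a PowerShell audit of the standalone-host requirements listed in the reply above, checking that the monitoring account is in the two named groups, is not a local Administrator, and can read WMI remotely. The host name, account name, DCOM transport and the `root\virtualization\v2` namespace are assumptions.

```powershell
# Added example: audit a monitoring account on a standalone Hyper-V host.
# Host and account names below are placeholders (assumptions), not from the thread.
param(
    [string]$HyperVHost = 'hv01.example.local',
    [string]$Account    = 'EXAMPLE\svc-veeamone'
)

$required  = 'Hyper-V Administrators', 'Performance Monitor Users'
$forbidden = 'Administrators'

# Read direct local group membership on the host (run as an administrator).
# Membership gained through nested domain groups is not resolved here.
$membership = Invoke-Command -ComputerName $HyperVHost -ScriptBlock {
    param($groups)
    foreach ($g in $groups) {
        [pscustomobject]@{
            Group   = $g
            Members = @(Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
                        Select-Object -ExpandProperty Name)
        }
    }
} -ArgumentList (,($required + $forbidden))

foreach ($m in $membership) {
    $isMember = $m.Members -contains $Account
    $expected = $m.Group -ne $forbidden
    $status   = if ($isMember -eq $expected) { 'OK' } else { 'REVIEW' }
    '{0,-6} {1,-28} member={2}' -f $status, $m.Group, $isMember
}

# Test remote WMI as the monitoring account itself. DCOM transport and the
# root\virtualization\v2 namespace are assumptions about what the collector reads.
$cred = Get-Credential -UserName $Account -Message 'Monitoring account password'
$session = $null
try {
    $session = New-CimSession -ComputerName $HyperVHost -Credential $cred `
        -SessionOption (New-CimSessionOption -Protocol Dcom) -ErrorAction Stop
    $vms = Get-CimInstance -CimSession $session -Namespace 'root\virtualization\v2' `
        -ClassName Msvm_ComputerSystem -Filter "Caption='Virtual Machine'" -ErrorAction Stop
    'OK     remote WMI: {0} VMs visible' -f @($vms).Count
} catch {
    'REVIEW remote WMI failed: {0}' -f $_.Exception.Message
} finally {
    if ($session) { Remove-CimSession -CimSession $session }
}
```

A `REVIEW` line on `Administrators` means the account holds more privilege than the standalone-host list in the reply asks for.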

Re: Permission question

Post by reiso22 »

Hi Roman,
Thanks for your quick reply which was very helpful.

We have removed the local administrator permission on the guest OS and everything we require seems to be working fine.

However, if we check the "DataProvider_HyperV.log" in Veeam ONE Monitor Logs, we can see the following errors every hour for each guest VM:

ERROR Failed to create WMI invoker for <GUEST VM\root\cimv2> (user '<Domain Account'>) System.UnauthorizedAccessException: Access is denied.
ERROR Failed to get WMI data provider by DNS name (GUEST VM FQDN) System.UnauthorizedAccessException: Access is denied.

Is that expected and can these errors be ignored?

Best regards
Michael

Re: Permission question

Post by RomanK »

Hello Michael,

In most cases these errors mean that something is wrong with WMI access. Maybe incomplete data is being collected right now, so you see the topology and objects, but some properties could be missing.
I can only guess that something is wrong with remote access. Please open a support case and provide the case ID in this thread so we can collect all the additional details and investigate it accordingly.

Thanks

Re: Permission question

Post by reiso22 »

Hello Roman,

Furthermore, we have noticed that without a local administrator user in VMs it is not possible to get information about guest disk usage. Can you confirm that?

Best regards
Michael

Re: Permission question

Post by RomanK »

Hello Michael,

Generally speaking, everything you could see in the Hyper-V manager should be available through the API, perfmon on the Hyper-V host and WMI for Veeam ONE to read.
As far as I remember there were two sets of counters, like the virtual disk for the VM and the disk from inside the OS. I do not have a working lab at the moment to check, so it would take some time.

Thanks