nitramd
Veteran
Posts: 297
Liked: 85 times
Joined: Feb 16, 2017 8:05 pm

An AD "Veeam" Service Account - What Privilege?

Post by nitramd »

Suppose you create a Veeam service account in Active Directory and give this account sufficient admin credentials for application-aware processing and guest file system indexing.

Would it be better to add this service account to the local Administrators group on all of your servers, or would it be better to add this service account only to the Domain Admins group?

-MD
haslund
VeeaMVP
Posts: 839
Liked: 149 times
Joined: Feb 16, 2012 7:35 am
Full Name: Rasmus Haslund
Location: Denmark

Re: An AD "Veeam" Service Account - What Privilege?

Post by haslund »

I think that comes down to your local policies. Making an account domain admin could cause issues with audits, so setting a GPO to assign local admin rights on VMs only where needed might be better - but that also means much more management overhead.
Rasmus Haslund | Twitter: @haslund | Blog: https://rasmushaslund.com
nitramd
Veteran
Posts: 297
Liked: 85 times
Joined: Feb 16, 2017 8:05 pm

Re: An AD "Veeam" Service Account - What Privilege?

Post by nitramd »

Thank you for the reply.

So let me pose another scenario using the Veeam service account mentioned above.

Suppose that the Veeam service account has been breached.

Which admin group strategy, Local Admin or Domain Admin, would cause the least damage?
coolsport00
Veeam Legend
Posts: 79
Liked: 13 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA

Re: An AD "Veeam" Service Account - What Privilege?

Post by coolsport00 »

Anytime a domain account is breached, that is more critical than local.
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
nitramd
Veteran
Posts: 297
Liked: 85 times
Joined: Feb 16, 2017 8:05 pm

Re: An AD "Veeam" Service Account - What Privilege?

Post by nitramd »

Thanks for the input - great information and a good sanity check.
YoMarK
Enthusiast
Posts: 55
Liked: 8 times
Joined: Jul 13, 2009 12:50 pm
Full Name: Mark
Location: The Netherlands

Re: An AD "Veeam" Service Account - What Privilege?

Post by YoMarK »

Something to keep in mind: a domain admin should never have been called "domain admin". The name *should* have been "domain controller admin".
So best practice is to never use a domain admin account for anything other than logging on to domain controllers.
skrause
Veteran
Posts: 487
Liked: 105 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause

Re: An AD "Veeam" Service Account - What Privilege?

Post by skrause »

One of the security best practices (at least around here where the AD is used by multiple organizations and managed centrally) is to remove the Domain Admins from your server local administrators group and have a different AD group with the accounts you need to have admin access (super-user accounts, service accounts that need admin access, etc.) added to the local administrators group on your servers through a GPO.
Steve Krause
Veeam Certified Architect
iftikarsaeedi
Novice
Posts: 9
Liked: 1 time
Joined: Oct 27, 2015 9:57 am
Full Name: IWS

Re: An AD "Veeam" Service Account - What Privilege?

Post by iftikarsaeedi »

From a security and auditing point of view, the recommendation for the Veeam admin account is to use local admin.
Scenarios for different organization needs:

Small organization: use a single domain user account and add it to local admin on the servers that have to be backed up.

Medium and large organization: in a medium or large organization, where there is more security concern and many more administrators are involved, you should have multiple accounts created and added to local admin depending on the application group, database group, and critical server group. If any one account is compromised, it won't affect all servers.
iftikarsaeedi
Novice
Posts: 9
Liked: 1 time
Joined: Oct 27, 2015 9:57 am
Full Name: IWS

Re: An AD "Veeam" Service Account - What Privilege?

Post by iftikarsaeedi »

Please check this article from Microsoft about "Securing Critical and Service Accounts", which explains the "Service Account Vulnerability Scenarios" in detail:
https://msdn.microsoft.com/en-us/library/cc875826.aspx
Hoegimator
Enthusiast
Posts: 46
Liked: 5 times
Joined: Aug 23, 2013 1:06 pm
Full Name: Joerg Renggli
Location: Switzerland

Re: An AD "Veeam" Service Account - What Privilege?

Post by Hoegimator »

Hi Community

I asked that question about 3 years ago in a support ticket, and the answer I got was this:
Unfortunately it is impossible - we need access to ADMIN$ of the guest VM in order to upload VSS agents, and for a generic VM you can use local admin, but it is disabled on DCs.
Another solution would be to back up this machine without VSS, but you would have to create the DC DB using some other tool, as it will be inconsistent without VSS.
I guess, if you want to have a consistent domain controller backup, you need full administrator rights on it.
Kraken
Influencer
Posts: 19
Liked: 2 times
Joined: Jul 30, 2012 8:23 am
Full Name: Jaroslav Haken

Re: An AD "Veeam" Service Account - What Privilege?

Post by Kraken »

In an AD environment, you can also use the Restricted Groups feature in Group Policy to add/remove the Veeam account to/from the local Administrators group on the machines you want to back up. It makes the whole process much easier, and the "backup admin account" is locked within the specific group of machines.

It's a bit tricky though, because in the case of Restricted Groups you need "Force this group to be part of that group", which means having a security group containing only the "Veeam admin", and the policy enforces membership of this group in local Administrators. I tried other approaches as well, but so far this one proved to be the "not interfering, working and easy-to-maintain" one.
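The posts above (skrause's scoped AD group delivered by GPO, iftikarsaeedi's per-tier accounts, and Kraken's Restricted Groups) all rest on one question: on how many servers can a given account actually be used if it is stolen? The following PowerShell audit, added here as an example and not code from the thread, Veeam or Microsoft, reads the local Administrators group on every server in an OU, expands domain groups to the user accounts they contain, and ranks accounts by the number of servers they can administer. A Domain Admin shows up against every server, a properly scoped Veeam account only against its tier. It also flags servers where Domain Admins is still in local Administrators, which is the state skrause's design removes. The OU path is a placeholder; it assumes WinRM is reachable and the caller may read local groups and AD group membership.

```powershell
#Requires -Modules ActiveDirectory
<#
 Added example (not from the thread): per-account local-admin blast radius.
 Assumptions: WinRM enabled on the servers, the RSAT ActiveDirectory module
 installed, and the OU below adjusted to your environment (placeholder).
#>
param(
    [string]$ServerSearchBase = 'OU=Servers,DC=corp,DC=example'   # placeholder OU
)

$netbios = (Get-ADDomain).NetBIOSName

# Enabled servers in scope for the audit.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' `
                          -SearchBase $ServerSearchBase -Properties OperatingSystem |
           Select-Object -ExpandProperty DNSHostName

# Read local Administrators membership from every server in parallel.
# Get-LocalGroupMember reports domain principals as DOMAIN\Name.
$raw = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Server          = $env:COMPUTERNAME
                Name            = $_.Name            # e.g. CORP\Veeam-Svc, CORP\Domain Admins
                ObjectClass     = $_.ObjectClass     # User or Group
                PrincipalSource = $_.PrincipalSource # ActiveDirectory or Local
            }
        }
}

# Expand a domain group (nested groups included) to its user accounts, cached.
$groupCache = @{}
function Resolve-DomainGroupUsers {
    param([string]$SamAccountName)
    if (-not $groupCache.ContainsKey($SamAccountName)) {
        $groupCache[$SamAccountName] = @(
            Get-ADGroupMember -Identity $SamAccountName -Recursive -ErrorAction SilentlyContinue |
                Where-Object objectClass -eq 'user' |
                Select-Object -ExpandProperty SamAccountName
        )
    }
    return $groupCache[$SamAccountName]
}

# account -> set of servers on which it is effectively a local administrator
$blast = @{}
$domainAdminsPresent = New-Object System.Collections.Generic.List[string]

foreach ($m in ($raw | Where-Object PrincipalSource -eq 'ActiveDirectory')) {
    $sam = ($m.Name -split '\\')[-1]
    if ($m.ObjectClass -eq 'Group') {
        if ($sam -eq 'Domain Admins') { $domainAdminsPresent.Add($m.Server) }
        $users = Resolve-DomainGroupUsers -SamAccountName $sam
    } else {
        $users = @($sam)
    }
    foreach ($u in $users) {
        if (-not $blast.ContainsKey($u)) {
            $blast[$u] = [System.Collections.Generic.HashSet[string]]::new()
        }
        [void]$blast[$u].Add($m.Server)
    }
}

# Accounts with the widest reach first: this is what an attacker inherits.
$blast.GetEnumerator() |
    Sort-Object { $_.Value.Count } -Descending |
    Select-Object @{n='Account'; e={ "$netbios\$($_.Key)" }},
                  @{n='Servers'; e={ $_.Value.Count }},
                  @{n='Sample';  e={ ($_.Value | Select-Object -First 3) -join ', ' }} |
    Format-Table -AutoSize

if ($domainAdminsPresent.Count -gt 0) {
    Write-Warning "Domain Admins is still in local Administrators on: $($domainAdminsPresent -join ', ')"
}
```

Run it before and after moving the Veeam account out of Domain Admins and into a scoped group pushed by Restricted Groups: the account's row should shrink from every server in the OU to only the servers the GPO is linked to, and the warning should disappear once Domain Admins has been removed from the servers' local Administrators groups.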
nmdange
Veteran
Posts: 527
Liked: 142 times
Joined: Aug 20, 2015 9:30 pm

Re: An AD "Veeam" Service Account - What Privilege?

Post by nmdange »

Hoegimator wrote:Hi Community

I asked that question about 3 years ago in a support ticket, and the answer I got was this:

Unfortunately it is impossible - we need access to ADMIN$ of the guest VM in order to upload VSS agents, and for a generic VM you can use local admin, but it is disabled on DCs.
Another solution would be to back up this machine without VSS, but you would have to create the DC DB using some other tool, as it will be inconsistent without VSS.

I guess, if you want to have a consistent domain controller backup, you need full administrator rights on it.
This is incorrect. You can use VMware Tools (for VMware) or Hyper-V native quiescence, which means VMware or Hyper-V will tell the guest to take a VSS snapshot rather than Veeam. This removes the need for Veeam to have admin access to the VM. I use this method for all of my VMs except for SQL Server VMs, where I want Veeam to truncate the SQL transaction logs. I also use an admin account to do guest file system indexing on our file server VMs, but most VMs don't need this. Using native quiescing does not prevent you from doing app-aware restores using the Veeam Explorer tools for AD/Exchange/SQL/Oracle either.