File Restore or Lack of

[kratos31]

I have been having an issue with File Level Restores, after raising a support ticket I thought I would post my results

Windows File Level Restore cannot restore files unless the account Veeam is running as has NTFS rights over the file
Linux File Level Restore can restore files without NTFS rights, but does not maintain NTFS rights on the file when it is restored.

Being told to restore the whole VMDK and mount it to another machine is not much of a solution - coupled with the fact it probably wouldnt work.

This is quite a sour note as so far I had been impressed with Veeam in terms of its Backup, the restores at this point are the exact opposite.

[Gostev]

I would suggest keep working with support on this to investigate further, because one of the new v5 features is local privilege elevation for Windows FLR process (this is even documented in the What's New). This functionality allows to restore files Veeam account does not have access to.

As for Linux FLR, this is expected. Multi-OS FLR was never designed to provide complete Windows FLR capabilities (since we have a dedicated wizard for this). It is rather focused on other OSes (for example, it does preserve Linux file permissions).

Please continue working with support to troubleshoot why privilege elevation does not work with Windows FLR.

Thanks.

[tsightler]

The most likely reason being that the account being used for the restore operation is not a local admin on the machine.

[kratos31]

I will mention the privelage escalation to the support tech as this has not been mentioned yet.
The account is a domain admin and as admin rights on all servers.

[kratos31]

Well Support have been hacking round with this problem for around a month and dont seem to be getting very far.

Has no one else run into the problem of restoring a file they dont have NTFS permissions over?

At the moment robocopy is doing a better job than Veeam

[ShadFX]

Have you tried taking ownership of the folder and then restoring it? I think I had a similar issue once and solved it by taking ownership of the folder then changing the security permissions - all within the FLR

[Gostev]

And no, these changes will not be applied into backup, backup remains read-only no matter what you do. I guessed this is going to be the next question

[kratos31]

if i take ownership and add in NTFS rights for the user it works, but not really in the spirit of things is it????
Particularly if you have a large restore to do, and then you have to undo all the changes on the restored files. Restoring files is 50% of what a Backup product has to do, and I am amazed that Veeam is so clunky when it comes to this.

[Gostev]

Well, I hope our support can figure out why it is so clunky for you, because as I've said, with privilege elevation feature added in v5 it should work out of the box in any scenario. Of course, there is always a chance of bug or environment-specific issue that affects the designed behavior.

[kratos31]

Can someone else try this and let me know the results - it would be interesting to see if others are affected.
Create a file that the Veeam Backup account does not have NTFS permissions over. Run a backup then try and do a windows file level restore on that file.

I get access denied messages.

Currently working with support, although they have been unable to recreate the issue...

Thanks

[tsightler]

Well, it works fine for me, but you didn't provide much detail on exactly how you are attempting to make this work. Specifically, is the Veeam account a local administrator on the machine? What about the account you are logging in as to preform the restore? Are you attempting to restore the file directly to the backed up VM, or only to the local Veeam server? If you provide the exact information I'll try to reproduce the exact scenario.

[kratos31]

The Veeam account used for the restore is a local admin (also a domain admin) - this is the same account Veeam uses to backup the VM's
The account does not have NTFS permissions over the file that I am trying to restore.
I am trying to restore to the local Veeam server.
Looking at process explorer the Veeam Shell does not get SeRestorePrivelage which i think it should have - it does get SeBackup

[Gostev]

SeRestorePrivelage

No such thing. SeBackupPrivelege is the privilege that should get added. This is Backup Operator's privilege which allows the account to read files it does not have NTFS access permissions to. Designed specifically to be used by backup applications.

[kratos31]

SeBackupPrivilage does get enabled.

SeRestorePrivilage is visible in Process Explorer,

[Gostev]

SeRestorePrivilege is required to conduct actual restore (write a file to a location which the account does not have access to). But you said you are restoring to local Veeam server, so this privilege is irrelevant, because your account has full right there.

In your case what fails is reading the file that the account does not have access to (and this is exactly what SeBackupPrivelege covers).