Remote Launch of Powershell - Cannot open log for source 'Veeam Backup'

[gveat]

When I try to launch a start-vbrjob command from a remote station, using credentials of a normal domain user I get the following message;

Get-VBRJob: Cannot open log for source 'Veeam Backup'. You may not have write access.

What permissions are needed for that account to launch the job?

[jhoughes]

Are you running this from a machine that has the console (and therefore PowerShell snap-in) installed locally, running through a PS session, or importing the snap-in from a PS remoting session back to your "remote station"?

Can you post the entire command that you are trying to run, along with the full error message from PowerShell?

There are a few locations where you could be running into a permissions issue, so the details of the "remote station" environment, along with the full error message would help to clarify.

[gveat]

The full error is posted above. I have a script located on my backup server to start the job;
StartBackup.ps1

Code: Select all

Add-PSSnapin -Name VeeamPSSnapIn -ErrorAction SilentlyContinue
$JobName = "DB Backup"
$JobObject = Get-VBRJob | where {$_.Name -eq $JobName}
Start-VBRJob $JobObject

I am using a remote powershell session launched by a standard user, because I don't want them to have full permissions to the backup server.

Code: Select all

 Enter-PSSession –ComputerName server.domain.com

And the error code returned was in my original post.

[veremin]

Under which account does the script get executed on a target machine? Under a standard user? If so, then, the behaviour is expected, as to run PS commands you need to have an administrator account.

However, have you considered assigning backup operator role the said account, so that, user can connect to a backup server and run backup activity, but nothing else?

Thanks!

[jhoughes]

Thank you, your full explanation of how you were connecting helps to clarify that the issue is with not having the Administrator privileges required on the remote server you are connecting to.

If you install the Veeam console on another server or jump box, where you can grant the user account local administrator privileges, then the account must have the 'Veeam Backup Operator' role assigned with Veeam to start/stop existing jobs.

https://helpcenter.veeam.com/docs/backu ... tml?ver=95

[gveat]

So now if I run it I get the following;

Start-VBRJob : Cannot open log for source 'Veeam Backup'. You may not have write access.

[veremin]

Let me clarify the situation, as I think there must be sort of misunderstanding.

Only administrators can run VB&R-specific PS commands. So, you need to have administrator account to execute backup scripts.

However, if you want to restrict permissions on backup server for specific user, you can assign backup operator role to it and let it connect to backup server normally (via backup console) and execute only list of certain actions, including starting and stopping backup jobs.

Thanks!

[gveat]

Over all...what I am trying to achieve....

I want to have a backup job launch, after the DBA team has finished creating a .bak file.

[veremin]

You can try to write .bat script, using commandline provided at the summary page of given job, execute it remotely under required user and see whether you can bypass the said permission issue. Thanks!

[jhoughes]

Alternatively, you could script a FileSystemWatcher (System.IO.FileSystemWatcher object) to watch the desired path remotely, then start the job once your DBA team has created a new .bak file.

[CKJ]

Hi.

I am trying to execute a PowerShell script on a server in DMZ and I run into some a problem.

I start making a session to the server in DMZ:

Code: Select all

Enter-PSSession -ComputerName "10.xx.xx.xx" -Credential $cred
[10.xx.xx.xx]: PS C:\Users\___\Documents>

Here I execute the Veeam SnapIn

Code: Select all

[10.xx.xx.xx]: PS C:\Users\___\Documents> if ((Get-PSSnapin -Name VeeamPSSnapIn -ErrorAction SilentlyContinue) -eq $null) {
>> Add-PsSnapin -Name VeeamPSSnapIn
>> }

It accepts the command.

When I use the Get-VBRJob I get the following error:

Code: Select all

[10.xx.xx.xx]: PS C:\Users\___\Documents> Get-VBRJob
Cannot open log for source 'Veeam Backup'. You may not have write access.
    + CategoryInfo          : NotSpecified: (:) [], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException

Get-Process is not a problem:

Code: Select all

[10.xx.xx.xx]: PS C:\Users\___\Documents> Get-Process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
...
    293      30    15944      34052              2196   0 Veeam.Backup.Agent.ConfigurationService
    888      80    89188     130144              3644   0 Veeam.Backup.BrokerService
    588      51    31324      59600              4176   0 Veeam.Backup.CatalogDataService

Does anyone know why I see the error using Get-VBRJob ?

Thanks in advance.

[Egor Yakovlev]

Hi Carsten,
check account privileges suggested above.
/Thanks!

[CKJ]

Hi Egor.

The account is local admin on the server and that accout has permissions locally to use Get-VBRJob.

Has it something to do with the server I execute the script from? It is in a Domain.

Thanks in advance.
BR
Carsten

[Egor Yakovlev]

Make sure to use Connect-VBRServer after adding VeeamPSSnapIn(I don't see it listed in your code). I have just tested same scenario in my labs with fresh domain user with no privileges aside local admin on VBR server and it just works.
/Thanks!

[CKJ]

Hi.

Thanks for your answer.

I was wrong earlier. The account I use is not The local administrator, but it is a user account which is a member of the administrators group.

When I use Connect-VBRServer I get the same error:
[10.xx.xx.xx]: PS C:\Users\___\Documents> Connect-VBRServer
Cannot open log for source 'Veeam Backup'. You may not have write access.
+ CategoryInfo : NotSpecified: (:) [], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException

With local administrator it works:
[10.xx.xx.xx]: PS C:\Users\Administrator\Documents> Connect-VBRServer
[10.xx.xx.xx]: PS C:\Users\Administrator\Documents> Get-VBRJob

LogNameMainPart : Critical Production
FreeBackupImpl :
IsFree : False
UserCryptoKey :
...
...

===

I am not interested in using the local administrator, but the created account. Which permissions does it lack?

Thanks in advance.

[Egor Yakovlev]

Should work just fine with domain account listed under Administrators local group on VBR Server.
Check if VBR Server Roles are set for [Administrators]: "Veeam backup Administrator". You can also add your account explicitly there.
/Thanks!

[CKJ]

Hi.

I have been looking further into my problem which is still there.

When I make a PowerShell session to the Veeam Server with an account that is in the administrator group, the session is not Elevated.

Code: Select all

PS > Enter-PSSession -ComputerName "xx.xx.xx.xx" -Credential $cred

[xx.xx.xx.xx]: PS > $Principal = New-Object System.Security.Principal.WindowsPrincipal($WindowsIdentity)
[xx.xx.xx.xx]: PS > $AdminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
[xx.xx.xx.xx]: PS > if (!$Principal.IsInRole($AdminRole))
{
Write-Host -ForegroundColor Red "This application/script must be run in an elevated PowerShell window. Please launchan elevated session and try again."
}
This application/script must be run in an elevated PowerShell window. Please launch an elevated session and try again.
---

Does anyone know how to Elevate the Remote Session?

Note: It works with the Local Administrator.

Thanks in advance.

BR
/CKJ

[oleg.feoktistov]

If a remote account you enter PS session under has local admins group membership on a target machine, it should be automatically obtaining those admin privileges. So, please, check if:
1. The account is local admins group member on the target machine.
2. Proper role is assigned in VBR to BUILTIN\Administrators or the account explicitly.

Thanks!

[stephanebatos]

Hello,

I have the same issue and couldn't read clearly if the user needs to be in the local Administrators group of the Veeam B&R Server or if the user needs the Role Veeam Backup Administrator in the Veeam B&R Application?
I can't manage to make this work if the user is not in the local Administrators group.

In order to have the least privilege, I was hoping to make it work only with Remote Powershell and the Role Veeam Backup Administrator, but this won't work, right?

Thanks for your help.

[oleg.feoktistov]

Hi,

Technically, Powershell module is a part of VBR console, not VBR server. So, both local Administrators group and Veeam Backup Administrator role memberships are needed on the machine, where VBR console of the version prior to v11 is installed. With v11 GA having a user in local Users group along with Veeam Backup Administrator role assigned in VBR console should be enough.

See this thread and this article on required permissions for VBR v11.

Thanks,
Oleg

[rennerstefan]

Hi all,

as I just came out of a troubleshooting sesstion with a partner on that exact issue I wanted to share how it was solved.

A little summary of what we did and what issues usually cause that message:

1) Event Log permissions:
The error is related to a permission issue, the user trying to execute is missing the permission to write into new event Sources.
By default, any authenticated user can write to the application event log. However, only administrators can create new event Sources.
I guess that only AD-authenticated users have permission to fully work with EventLog as it works with the AD account provided.
But as soon as local users execute remotely they are seen as guests in that regard and don't have the required right to work with event logs.
That usually is a sign that there is some kind of group policy in place that prevents the needed execution with local users executing remotely.

2) User Permissions in Registry:
In addition, we found that there are plenty of error messages in the Veeam event log telling that someone who is not authenticated tries to access the Veeam Registry values.
Error: “Access to the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication' is denied.”
What we changed is that all "Authenticated Users" are allowed to access the Registry Path and after the change it worked well.
This solved the issue for the customer.




Hope that helps anyone who may get the same issue.

Thanks