Veeam Validator: How to use with limited user?

[Camillerron]

I have been trying to use the validator for some time. With my own account (full access to Veeam and to the database) there' s is no problem. The validator runs without any problems.

Example:

Code: Select all

User: domain\username
Permissions: Veeam (full), local administrator, DB (full)

Microsoft Windows [Version 10.0.17763.2928]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd C:\Program Files\Veeam\Backup and Replication\Backup

C:\Program Files\Veeam\Backup and Replication\Backup>Veeam.Backup.Validator.exe /backup:"JOBNAME" /report:"C:\test.html" /format:html /vmname:"VMNAME"
Veeam Backup Validator Version 11.0.0.0
Copyright (C) 2021 Veeam Software Group GmbH. All rights reserved.

Found the last restore point in backup, Id: {AAAAAAA-AAAAAAA-AA19-AAAAAAAAAA}.
Parameters:
    Backup ID:         {AAAAAAA-AAAAAAA-AA19-AAAAAAAAAA}
    Backup name:   Jobname
    Format:             Html
    Restore point date: Mittwoch, 26. Oktober 2022
    Restore point ID:   {BBBBBBBBBB-6666-AAAAAA-11111-AAAAAAAA}
    Restore point time: 13:00:58
    Report:             C:\test.html
    Silence:           no
    Skip:               no
    VM name:       VMNAME

Validating...

Validating VM...
    VM name:        VMNAME
    Creation time: 26.10.2022 13:01:41
    Backup type:   increment
    Platform:      VMware
    OS name:       Microsoft Windows Server 2016 or later (64-bit)
    
    [...]
    
    Statistic:
    VM count:            1
    Incomplete VM count: 0
    Failed VM count:     0
    Files count:         8
    Total size:          100,0 GB

Validation completed successfully.

So the validator works without any problems, as already mentioned above.

I want to have multiple backups checked and have written a script for this.
So that the script does not have to run with my user, I have created a new domain account.

The newly created user:

• is local administrator
• Veeam Backup Viewer (Veeam console) - changing to veeam backup administrator doesn't change anything
• DB permissions:
• __membership: db_datareader
• __Securables: Backup.Model.GetBackupsAll (stored procedure) - Grant: Execute

If I start the validator with the user I get the error message:

Code: Select all

Microsoft Windows [Version 10.0.17763.2928]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\Veeam\Backup and Replication\Backup>Veeam.Backup.Validator.exe /backup:"JOBNAME" /report:"C:\test.html" /format:html /vmname:"VMNAME"
Veeam Backup Validator Version 11.0.0.0
Copyright (C) 2021 Veeam Software Group GmbH. All rights reserved.

Unable to get path commander.

I have already read through all the guides I can find.
Can someone tell me what permissions a user needs for Veeam Validator (Veeam, server and database)?
Any help is much appreciated

Greetings from germany.


Veeam: Veeam Backup & Replication 11.0.1.1261 P202220302
Veeam Backup Validator Version 11.0.0.0
MS-SQL: 15.0.4236.7

[Mildur]

Hi Camillerron

Does the command work if you run it manually outside of the script?
I created a new local admin account on my machine and run the Veeam.Backup.Validator.exe command. It worked without any issue.

Thanks
Fabian

[Camillerron]

Hi Fabian,

unfortunately, the result is the same.

Code: Select all

Microsoft Windows [Version 10.0.17763.2928]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd "C:\Program Files\Veeam\Backup and Replication\Backup"

C:\Program Files\Veeam\Backup and Replication\Backup>Veeam.Backup.Validator.exe
Veeam Backup Validator Version 11.0.0.0
Copyright (C) 2021 Veeam Software Group GmbH. All rights reserved.

Either backup or file parameter must be specified

Starting with parameters

Code: Select all

C:\Program Files\Veeam\Backup and Replication\Backup>Veeam.Backup.Validator.exe /backup:"JOBNAME" /report:"C:\tmp\report_test.html" /format:html /vmname:"VMNAME"
Veeam Backup Validator Version 11.0.0.0
Copyright (C) 2021 Veeam Software Group GmbH. All rights reserved.

Unable to get path commander.

C:\Program Files\Veeam\Backup and Replication\Backup>

[Mildur]

Can you please try:

Code: Select all

.\Veeam.Backup.Validator.exe /backup:"JOBNAME" /report:"C:\tmp\report_test.html" /format:html /vmname:"VMNAME"

[Camillerron]

exact same result

Code: Select all

Microsoft Windows [Version 10.0.17763.2928]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd C:\Program Files\Veeam\Backup and Replication\Backup

C:\Program Files\Veeam\Backup and Replication\Backup>.\Veeam.Backup.Validator.exe /backup:"jobname" /report:"C:\temp\test.html" /format:html /vmname:"vmname"
Veeam Backup Validator Version 11.0.0.0
Copyright (C) 2021 Veeam Software Group GmbH. All rights reserved.

Unable to get path commander.

C:\Program Files\Veeam\Backup and Replication\Backup>

[Mildur]

Thanks for testing. I tried again and it still works. There is not much left I can do over the forum.
I suggest opening a case with our support team and please share the case number with me.

Thanks
Fabian

[david.domask]

"__Securables: Backup.Model.GetBackupsAll (stored procedure) - Grant: Execute"

I can almost guarantee this is likely the issue. The path commander error is likely just that there is a call to other tables/procedures used to build the full path for various points.

Validator isn't really "standalone", it's using and tied to Veeam pretty intricately and it uses the database just like other operations (hence why you can feed it a backupID and it'll parse it)

I'm almost positive there's not an exact list for each StoredProcedure it'll need frankly speaking; can you try giving the account at least the same permissions listed for the Operating part here: https://helpcenter.veeam.com/docs/backu ... eplication And remove the restriction on StoredProcedures altogether.

See if it goes.

If you truly need to restrict access on this user or worry about the execution of some of the more potent stored procedures, you can probably set up a block for all that contain "Delete" or "Remove" and I'd suppose it will work, but again there's not an explicit list I'm aware of for the needed procedures.

[Camillerron]

I just tried with different permissions on the database.

Result:

• db_datareader + db_datawriter = The EXECUTE permission was denied on the object 'Backup.Model.GetBackupsAll', database '##Veeam__DB##', schema 'dbo'.
• db_datareader + db_datawriter + db_accessadmin = The EXECUTE permission was denied on the object 'Backup.Model.GetBackupsAll', database '##Veeam__DB##', schema 'dbo'.
• db_datareader + db_datawriter + db_accessadmin + db_backupoperator = The EXECUTE permission was denied on the object 'Backup.Model.GetBackupsAll', database '##Veeam__DB##', schema 'dbo'.
• db_owner = works

We actually want to restrict the user so that he doesn't have full access to the DB unless it is absolutely necessary.
But if it does not work otherwise, we will leave the permissions as they are (db_owner).

Thanks a lot for the help.

[david.domask]

Hi @Camillerron,

I'm afraid that if it's not working with the others, then db_owner should be used, and you can just add logging to your script to show when Validator runs, and monitor logins for this account and find any outside of the start/end time.

I'm afraid I'm not so familiar with how you're locking down the account and why with datareader/writer it's throwing errors on the StoredProcedures, but if there's a way to just give it full access to the SP's, I assume it "should just work", but this is just a guess.