Group Managed Service Accounts (gMSA) for Veeam & vCenter ?

Backup.Operator · Apr 05, 2023 2:06 pm

According to the latest Veeam Backup v12 documentation, Group Managed Service Accounts (gMSA) are supported for Veeam Service Accounts.

How do I accomplish that for my Veeam Backup server?
What privileges should I assign to the VMware vCenter when using this gMSA?

Anything of help would be much appreciated.

Apr 05, 2023 2:33 pm

Hi Backup Operator

Where do you have seen that you can use gMSA for vCenter Connection?
gMSA can be used for guest processing tasks. Such as Application Aware Processing or Guest OS File restore.

Best,
Fabian

Backup.Operator · Apr 05, 2023 2:37 pm

From https://helpcenter.veeam.com/docs/backu ... ml?ver=120
So I wonder is there any procedure I can follow to replace all of my service account with gMSA?

Post by **Mildur** » Apr 05, 2023 2:45 pm this post

I read on top of this page:
- You can use gMSAs to run guest processing tasks.

Nothing about other components or vSphere connection.

Best,
Fabian

albertwt · Post by **albertwt** » Apr 06, 2023 12:30 am this post

@Backup.Operator,

The gMSA is the service account that will be used by Veeam to interact with the Windows Guest OS, this is the way I create the gMSA for my Veeam Service account:

Code: Select all

$paramNewADServiceAccount = @{
   Name                                       = 'gMSA-Veeam'
   DNSHostName                                = 'gMSA-Veeam.domain.com'
   PrincipalsAllowedToRetrieveManagedPassword = 'gMSA-Veeam-grp'
   Description                                = 'Veeam service account can only be used by gMSA-Veeam-grp AD group members'
}

New-ADServiceAccount @paramNewADServiceAccount

Therefore as you can see from the above method, you will need to add the Windows computer to the AD security group that will be using the guest processing methods.

Hope this helps.

Backup.Operator · Jun 30, 2023 5:56 am

Would it be possible to use the Group managed service accounts (gMSAs) for the Veeam Backup service account?

Because I cannot even add the existing and the newly created Group managed service accounts (gMSAs) to the builtin Veeam Credentials manager:

Any clarification would be appreciated.

Jun 30, 2023 10:40 am

Hello,
it looks like you asked the same question above and my colleague quoted the user guide

user guide wrote:You can use gMSAs to run guest processing tasks.

Question: why do you want to run the service with gMSA instead of LOCAL SYSTEM? Which problem do you try to solve?

I cannot follow what the credentials screenshot is showing. It looks different for me https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Best regards,
Hannes

Backup.Operator · Aug 02, 2023 3:05 pm

Hi @

I am trying to secure the Service Account using the gMSA as the best practice where possible since there is no need for remembering and rotating passwords.

Can I add the gMSA to the below vCenter role using this script https://github.com/falkobanaszak/vCente ... _Veeam.ps1

Post by **Mildur** » Aug 03, 2023 7:09 am this post

Hello

You cannot use a gMSA for the authentication between Veeam and vCenter.
Even if you use Falko's script to give gMSA vCenter permissions, Veeam wouldn't be able to use it.

Best,
Fabian

R&D Forums

Group Managed Service Accounts (gMSA) for Veeam & vCenter ?

Re: Group Managed Service Accounts (gMSA) for Veeam & vCenter ?

Re: Group Managed Service Accounts (gMSA) for Veeam & vCenter ?

Re: Group Managed Service Accounts (gMSA) for Veeam & vCenter ?

Re: Group Managed Service Accounts (gMSA) for Veeam & vCenter ?

[MERGED] Using Group managed service accounts (gMSAs) as Veeam backup service account?

Re: Group Managed Service Accounts (gMSA) for Veeam & vCenter ?

Re: Group Managed Service Accounts (gMSA) for Veeam & vCenter ?

Re: Group Managed Service Accounts (gMSA) for Veeam & vCenter ?

Who is online