Powershell and restricted user role

[MPIDR]

Hi,

We would like to collect VBR backup statistics using Powershell on the VBR server itself and then copy the results file to another machine. The only commands used are Connect-VBRServer, Get-VBRBackup and Get-VBRBackupSession. I thought I could use a Veeam Backup Viewer role service account (non-MFA) for this task. Unfortunately, a Veeam Backup Administrator (!) role service account (non-MFA) is required: "Only users with Veeam Backup Administrator role assigned can use Veeam Backup Powershell Snap-in".

This entirely ruins our security concept (MFA only for all remote sessions) and I was wondering how you are dealing with this challenge.

Best regards,
MPIDR

[david.domask]

Hi @MPIDR,

Regrettably with Powershell that will not be possible at this time. I think our REST API endpoints are what you're hoping for as at least Enterprise Manager has the roles you're needing.

Overview - Veeam Backup REST API Reference
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
Overview - Veeam Backup & Replication REST API Reference
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

[MPIDR]

Hi David,

Thanks for confirming this is currently not working. We will now check the REST API you suggested.

If I may, I'd like to add a feature request which allows Veeam Backup Viewers to use Powershell but with a restricted set of GET and other non-invasive commands.

Best regards,
MPIDR

[david.domask]

Glad I could advise, and sure, consider the request submitted)) There are ways you can do this natively with Powershell but it would be at risk of any "knows enough to be dangerous" power users you have maybe recognizing this and working around it:

post456103.html#p456103

So there are some options via either REST API or you can use native PS profiles like I shared in the above post.

[chsuscale]

There's a super easy way to "come around the MFA":
C:\Admin\SysinternalsSuite\PsExec.exe -s -i powershell.exe -ExecutionPolicy Bypass C:\Admin\scripts\veeam\Get-TapeCount.ps1
(works also for planned jobs in the Task Planner"

[david.domask]

It's a usable solution for sure chsuscale, but for other readers please note that this will start a Powershell session as the SYSTEM user; depending on your script purpose, this might impact the execution of the script in specific situations related to permissions (e.g., consider you have an encrypted file the backup service account is allowed to read to get client secrets to pass to Powershell, you may need to confirm you still have access with this workaround)