Comprehensive data protection for all workloads
Post Reply
Hammy
Influencer
Posts: 19
Liked: never
Joined: Jan 01, 2006 1:01 am
Contact:

account requires local admin rights

Post by Hammy »

Hello all, I am having some difficulties with a customer trying to get them to understand that the account running the backup jobs requires local administrator rights on the VM guest to allow VEEAM VSS to work. The permission requirements in the user guide doesn't exactly state this requirement clearly.

I am using VEEAM ver 5.0 for 8 separate sites and I am having to run the actual jobs with my own account for them to complete successfully. The service account provided has been given the rights to install to the backup server and SQL server but the jobs themselves fail as they don't have local admin rights on the individual VM guests at each site. So I am in essence running a workaround to get by. I can't even get the Virtual Centre server added due to perm issues. All backups currently running to local ESXi hosts using root login in the GUI and jobs themselves with my account.

Can anyone point me to an official VEEAM statement or line in the user guide that states it in case its just me not reading it correctly or understanding it.

Cheers

H
:(
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: account requires local admin rights

Post by Vitaliy S. »

If you want to use "application-aware image processing" option you need to specify an account with local admin privileges on the VMs being processed. This is stated directly in the UI, and in the User Guide (page 24).
Hammy
Influencer
Posts: 19
Liked: never
Joined: Jan 01, 2006 1:01 am
Contact:

Re: account requires local admin rights

Post by Hammy »

Thank you, here is hoping this info will be acceptable to our customer.

H
mmartin
Novice
Posts: 8
Liked: never
Joined: Jun 11, 2011 11:39 am
Full Name: Michael Martin
Contact:

Veeam Permissions for VSS

Post by mmartin »

[merged]

Hi folks,

I am trying to document our setup for Veeam on our customers - when I asked our engineers what permissions they give the account that Veeam uses for VSS access to windows boxes they all said Domain Admins.

I am wondering if there is a more restrictive account you can use for accessing VSS so as not to have to give the veeam account domain admin rights which is a very high level permission.

Or can you create an account and then assign VSS permissions to it.

Just an FYI we are running Veeam 6

Thanks

Michael
Maieu_san
Service Provider
Posts: 19
Liked: 2 times
Joined: Oct 05, 2011 6:28 am
Full Name: Steven Maieu
Contact:

Application-aware image Processing Admin Rights.

Post by Maieu_san »

[merged]

Hi,

I have a question in regards of the rights the local administrator needs to be able to do application-aware image processing.
I was planning on creating a new admin user, with limited rights so it can only be used to take those backups.
But I'm not able to find anywhere what rights are needed, only that it needs to be a local administrator account.
Does this account need the full admin rights?

thanks in advance for the responses!

best regards,
Steven
claudiofolu
Enthusiast
Posts: 78
Liked: 4 times
Joined: Jan 12, 2012 3:45 am
Full Name: claudiofolu
Contact:

VSS Windows User privileges

Post by claudiofolu »

[merged]

Hello
When we are defining a new Job, and Enable VSS integration option selected,, anyone knows what kind of privileges must the user have?, in order the Veeam VSS agent work properly?
I mean I know the documentation says that administrator credentials are required to access the guest OS, but we can´t do that for security reasons. A Windows Copy Operator profile sould work?

Thanks
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: account requires local admin rights

Post by Vitaliy S. »

No, Windows Copy Operator profile wouldn't be enough, local admin privileges are still required.
ortoscale
Service Provider
Posts: 246
Liked: 20 times
Joined: Aug 02, 2011 9:30 pm
Full Name: Matjaž Antloga
Location: Celje, Slovenia
Contact:

Re: account requires local admin rights

Post by ortoscale »

Customer can create special veeam user in AD and add it as a local admin on all VMs that needs to be backed up. With secure password to be undestand. And then enter it once while editing job sitting behind your keyboard. :idea:
ceez
Enthusiast
Posts: 59
Liked: 3 times
Joined: Feb 18, 2014 2:10 pm
Full Name: Cesar
Contact:

[MERGED] What membership to select for AD account used for V

Post by ceez »

Hello everyone,

As per the article below for I need for VSS an account with administrative privileges, what account membership can I use that is not domain administrator?

http://helpcenter.veeam.com/backup/70/v ... y_vss.html

I need to create an account in AD but do not want to give it domain admin memberships.

Thanks,
Ceez
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: account requires local admin rights

Post by Vitaliy S. »

You can specify any account that has local admin privileges on the processed VM. Thanks!
jalean
Novice
Posts: 6
Liked: never
Joined: Jan 21, 2015 2:34 pm
Full Name: James Lean
Contact:

[MERGED] Permissions required for Sharepoint application bac

Post by jalean »

We have just set up a new Sharepoint installation, with two front-end app servers and a separate back-end SQL server. We have created a backup job in Veeam 7.0 to take daily backups of the two app servers (the SQL server is backed up using native SQL jobs currently). In the job properties we have ticked the option to "Enable application-aware image processing", and enabled our usual Guest credentials.

Every day when the backup job runs, our SQL monitoring fires alerts showing login failures from the Guest account, trying to connect to the SQL server from each of the app servers (the account currently doesn't have access to SQL).

I assume the application-aware backup process is trying to query Sharepoint in some way, and as a result, trying to query SQL. My question is, what permissions do I need to grant, either within Sharepoint or directly in to SQL Server, in order for this process to work correctly? Also, if this does work, will the backup job attempt to take any kind of backup of the SQL databases? If so, this may interfere with the native backup jobs that are already configured.

FYI, the backup jobs of the two app servers appear to complete successfully, although they both contain this log message:

20/01/2015 18:02:13 :: Failed to inventory guest system: Cannot get host information.
Cannot collect host info.
Microsoft SharePoint farm topology collector process is failed with exit code -1
Win32 error:The operation completed successfully.
Code: 0
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: account requires local admin rights

Post by Vitaliy S. »

What account do you use currently in the backup job? Does is have local admin privileges?
jalean
Novice
Posts: 6
Liked: never
Joined: Jan 21, 2015 2:34 pm
Full Name: James Lean
Contact:

Re: account requires local admin rights

Post by jalean »

Yes, the account in the backup job has local admin rights (it is actually in the domain admins group). However by default in SQL 2012, local admins do not have any permissions to connect to SQL.
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: account requires local admin rights

Post by Vitaliy S. »

jalean wrote:FYI, the backup jobs of the two app servers appear to complete successfully, although they both contain this log message:
Is this displayed in the job summary or you have spotted it in the debug log?

Domain admins is not the same as local admins on the machine, so there could be difference as well. Can you try a local admin account and run the job?
jalean wrote:Also, if this does work, will the backup job attempt to take any kind of backup of the SQL databases? If so, this may interfere with the native backup jobs that are already configured.
Sorry missed this question for some reason. Yes, since you've enabled application-aware image processing then VSS writers will be triggered for SQL Server.

Please take a look at these topic for more info > Veeam Backup for SQL Servers and SQL: Do not truncate logs ignored

If you're planning to upgrade to v8, then new job type (SQL backup job) might replace your native tool backups > Best Practice to Backup Replicated Virtual Machine

Thanks!
jalean
Novice
Posts: 6
Liked: never
Joined: Jan 21, 2015 2:34 pm
Full Name: James Lean
Contact:

Re: account requires local admin rights

Post by jalean »

The message appears in the job summary.

The account does have local admin permissions on the server - Domain Admins by default is a member of the local Admins group. It just doesn't have any permissions to connect to SQL.

As an experiment I granted the user sysadmin privileges into SQL last night, and we didn't get the login failure alerts, or the message in the Veeam backup job. However, there was no evidence of it having taken any kind of SQL backup, which is what I would expect - remember the SQL databases are on a separate server, which isn't part of any job in Veeam - only the two app servers are being backed up.

It still appears that the only reason it's connecting to SQL is to try and inventory the Sharepoint system as part of the Application-Aware processing on the app servers - it's not actually trying to backup the SQL databases.

We are currently trialling the improved SQL backups in Veeam 8.0 (point-in-time restores etc.) so hopefully we will start using that for the SQL server too soon anyway, at which point I guess we will still need to provide sysadmin access to the user account.
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: account requires local admin rights

Post by Vitaliy S. » 1 person likes this post

Hi James,

Yes, you were right. When SharePoint VM is backed up, Veeam backup server also establishes connection to the SQL Server hosting SharePoint data, this is required for a proper application-aware backup.

I have just talked to our dev team, and they said that these permissions should be enough:

Code: Select all

On the SQL Server instance level:
-Dbcreator
-public

On the database level:
-db_backupoperator
-db_denydatareader 
-public

Securables:
-view any definition 
-view server state
Let me know if that helps!
jalean
Novice
Posts: 6
Liked: never
Joined: Jan 21, 2015 2:34 pm
Full Name: James Lean
Contact:

Re: account requires local admin rights

Post by jalean »

Thanks for the info. It may be a while before we get the SQL server into Veeam 8.0, but I'll let you know if we get any further issues.
leeg123
Enthusiast
Posts: 40
Liked: 2 times
Joined: Dec 13, 2010 12:50 am
Full Name: lee garet
Contact:

Re: account requires local admin rights

Post by leeg123 »

Just completed upgrade to Patch 2 for several clients. Getting these truncate errors in many places. Is there a walkthrough on setting these SQL permissions? Some of these servers are SharePoint, and some are just SQL 2008
I went thought SQL management studio but not exactly clear what I should do

Thanks

lee
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: account requires local admin rights

Post by Vitaliy S. »

You either need to go to security properties (via SQL Management Studio) of the databases and select the granular permissions above or assign administrative permissions to the entire SQL Server instance for the account specified in the application-aware image processing option.

Let me know if that helps.
leeg123
Enthusiast
Posts: 40
Liked: 2 times
Joined: Dec 13, 2010 12:50 am
Full Name: lee garet
Contact:

Re: account requires local admin rights

Post by leeg123 »

Thanks


We happen to be using domain\administrator
We added sysadmin privileges, but that didn’t seem to do anything different
Because this is a SharePoint SQL database, I was hoping that maybe we missed something else


-lee
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: account requires local admin rights

Post by foggy »

Are you positive logs have been actually truncated on the affected instances previously?
Post Reply

Who is online

Users browsing this forum: ante_704, Bing [Bot], chad.aiken and 296 guests