Backup of Box running VBR without bypassing UAC?

[SmallBuxiness789]

Case #04391064

Hi Community.

We are having trouble backing up the box running VEEAM Backup & Replication CE software without bypassing UAC.

We have installed VBRCE on a box running Win 10 Workstation. Also we have installed Veeam Agent for Windows (Stand alone) on several Win 10 Pro boxes across the LAN. We are not using a Domain Controller nor Active Directory.

We are able to backup the Win 10 Pro boxes to the B&R Repository on the Win 10 Workstation box.

We are able to backup the Win 10 Workstation box to the B&R Repository on the Win 10 Workstation box (same box) when we disable UAC.(Using local admin account, not the built in one)

We are not able to backup the Win 10 Workstation box to the B&R Repository on the Win 10 Workstation box (same box) when we enable UAC. (Using local admin account, not the built in one)

Is there a way to backup the Win 10 Workstation box to the B&R Repository on the Win 10 Workstation box (same box) without bypassing UAC? (We prefer not to use the administrator account to bypass UAC.)

Thanks

[Dima P.]

Hello Joel,

You need to allow access to the host's administrative shares (Admin$, C$) while UAC is enabled. You need to add the following registry entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
Create a DWORD value called LocalAccountTokenFilterPolicy and assign it a value of 1.

Let me know how it goes!

[SmallBuxiness789]

Hi Dmitry.

Your solution worked!!! Thank you.

I understand that this registry edit permits admin accounts to connect remotely and preserve their elevated status.

"When a user who is a member of the local administrators group on the target remote computer establishes a remote administrative connection by using the net use *\\remotecomputer\Share$ command, for example, they will not connect as a full administrator. The user has no elevation potential on the remote computer, and the user cannot perform administrative tasks."

https://docs.microsoft.com/en-us/troubl ... estriction

We find it strange to see that this limitation also applies to a local admin on the same box, not remote.

Thanks

Joel

[Dima P.]

Thanks for the update Joel, glad to hear that it works! I am with you on that - looks like Microsoft addressed some potential security issues by disabling access to the admin shares for non-domain Windows deployments and for some reason disabled the local admin access as well.