Allow access to VEB for only specific user?!

Backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)

Allow access to VEB for only specific user?!

Veeam Logoby folerx » Sat Oct 08, 2016 7:56 am

Is it possible to allow access to VEB to only specific user account? Want deny access to other users accounts even if is user is in admin group.
Or is it possible to make this via application control in some antivirus solutions?
folerx
Expert
 
Posts: 105
Liked: 8 times
Joined: Wed Jun 22, 2016 9:47 pm
Full Name: Daniel Kaiser

Re: Allow access to VEB for only specific user?!

Veeam Logoby Vitaliy S. » Sun Oct 09, 2016 7:26 pm

Hi Daniel,

No, that's not possible. All local administrator accounts can access VEB UI, however in LabTech integration we have a way to provide read-only access to all users using VEB. Can you please elaborate on your use case a bit more? Maybe we will be able to find a workaround for you.

Thanks!
Vitaliy S.
Veeam Software
 
Posts: 19570
Liked: 1104 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Allow access to VEB for only specific user?!

Veeam Logoby folerx » Sun Oct 09, 2016 7:31 pm

Want to prevent user to change or stop backup. I try to play with ntfs acl and seems that this work. Also i can hide tray icon and folder.
folerx
Expert
 
Posts: 105
Liked: 8 times
Joined: Wed Jun 22, 2016 9:47 pm
Full Name: Daniel Kaiser

Re: Allow access to VEB for only specific user?!

Veeam Logoby Vitaliy S. » Mon Oct 10, 2016 10:00 am

Got it, yes, ACLs could be a possible solution. Alternatively, there should be a way to hide any icon via GPOs too.
Vitaliy S.
Veeam Software
 
Posts: 19570
Liked: 1104 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Allow access to VEB for only specific user?!

Veeam Logoby folerx » Mon Oct 10, 2016 10:02 am

Yes, gpo can delete icon and can hide folder and set acl to folder. Can make script for this and run it after install
folerx
Expert
 
Posts: 105
Liked: 8 times
Joined: Wed Jun 22, 2016 9:47 pm
Full Name: Daniel Kaiser

Re: Allow access to VEB for only specific user?!

Veeam Logoby Mike Resseler » Mon Oct 10, 2016 11:05 am

Daniel,

I'm pretty sure that many people are interested in your script so feel free to share it with the community afterwards ;-)

Mike
Mike Resseler
Veeam Software
 
Posts: 3171
Liked: 362 times
Joined: Fri Feb 08, 2013 3:08 pm
Location: Belgium, the land of the fries, the beer, the chocolate and the diamonds...
Full Name: Mike Resseler

Re: Allow access to VEB for only specific user?!

Veeam Logoby folerx » Mon Oct 10, 2016 2:41 pm 1 person likes this post

Process is something like this:
1. Install veb
2. Configure veb
3.Create new backup user which will have access to VEB, (local or domain user), (example, name it "endpoint"), and put it in local computer admin group. You can do this via gpo or on local machine.
Other steps is explained in script...

Many task you can automate via gpo. Like hiding folder, set acl, create scheduled task, remove tray icon etc...To configure veb use mouserobot or similar macro recorder. Nice to see how mouse and keybord jump on screen without user interaction :mrgreen: :mrgreen: :mrgreen:

Script is very primitive but do job. You need to customize user names, domain bla bla...Maybe experts from Veeam can assist. I set acl only to "C:\Program Files\Veeam\Endpoint Backup" folder. Maybe is needed also for C:\ProgramData\Veeam? :?: Copy/paste in notepad++, save as name.cmd, run as administrator.

Code: Select all
rem This line add new local user. Remove rem at beginning if you need this line.
rem net user /add [username] [password]
rem Lines 4 and 5 will add user to local administrators group. Use your own domain name and user name. domain user line 4, local user line 5. Remove rem at beginning your line.
rem net localgroup administrators domain\user /add
rem new localgroup administrators [username] /add
rem This command will grant ownership of the Veeam Endpoint Backup folder, and all files and subfolders in the folder, to local administrator group.
takeown /F "C:\Program Files\Veeam\Endpoint Backup" /A /R /D Y
rem This command will reset ntfs acl to default
icacls "C:\Program Files\Veeam\Endpoint Backup\*" /t /reset
rem This two commands command will set ntfs ACL. All files and subfolders in specified path will be processed. Inheritance is removed and full rights is set to administrator group and local system account. Specify your own domain name and/or user name.
Icacls "C:\Program Files\Veeam\Endpoint Backup" /inheritance:r
Icacls "C:\Program Files\Veeam\Endpoint Backup" /grant:r "domain\endpoint":(OI)(CI)F /T /grant:r "SYSTEM":(OI)(CI)F /T
rem This command hide C:\Program Files\Veeam folder and make it fake "system" folder. If user try to delete it windows will open warning window which can scare some "naughty" users.
attrib +h -r +s "C:\Program Files\Veeam\Endpoint Backup" /S /D
rem This line will create new scheduled task if you need to run VEB more than once per day. You can create almost continuous data protection. Run as system account.
schtasks.exe /create /ru SYSTEM /sc DAILY /tn Veeam_Endpoint_Backup /tr "\"C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Manager.exe\" /backup" /ST 12:00:00 /SD 10/10/2016
rem This line will open Scheduled Task window for tweaking above task. Folder "Task Scheduler Library".
Taskschd.msc
folerx
Expert
 
Posts: 105
Liked: 8 times
Joined: Wed Jun 22, 2016 9:47 pm
Full Name: Daniel Kaiser


Return to Veeam Agent for Windows



Who is online

Users browsing this forum: vitaliy.shende and 18 guests