Allow access to VEB for only specific user?!

[folerx]

Is it possible to allow access to VEB to only specific user account? Want deny access to other users accounts even if is user is in admin group.
Or is it possible to make this via application control in some antivirus solutions?

[Vitaliy S.]

Hi Daniel,

No, that's not possible. All local administrator accounts can access VEB UI, however in LabTech integration we have a way to provide read-only access to all users using VEB. Can you please elaborate on your use case a bit more? Maybe we will be able to find a workaround for you.

Thanks!

[folerx]

Want to prevent user to change or stop backup. I try to play with ntfs acl and seems that this work. Also i can hide tray icon and folder.

[Vitaliy S.]

Got it, yes, ACLs could be a possible solution. Alternatively, there should be a way to hide any icon via GPOs too.

[folerx]

Yes, gpo can delete icon and can hide folder and set acl to folder. Can make script for this and run it after install

[Mike Resseler]

Daniel,

I'm pretty sure that many people are interested in your script so feel free to share it with the community afterwards

Mike

[folerx]

Process is something like this:
1. Install veb
2. Configure veb
3.Create new backup user which will have access to VEB, (local or domain user), (example, name it "endpoint"), and put it in local computer admin group. You can do this via gpo or on local machine.
Other steps is explained in script...

Many task you can automate via gpo. Like hiding folder, set acl, create scheduled task, remove tray icon etc...To configure veb use mouserobot or similar macro recorder. Nice to see how mouse and keybord jump on screen without user interaction

Script is very primitive but do job. You need to customize user names, domain bla bla...Maybe experts from Veeam can assist. I set acl only to "C:\Program Files\Veeam\Endpoint Backup" folder. Maybe is needed also for C:\ProgramData\Veeam? Copy/paste in notepad++, save as name.cmd, run as administrator.

Code: Select all

rem This line add new local user. Remove rem at beginning if you need this line. 
rem net user /add [username] [password]
rem Lines 4 and 5 will add user to local administrators group. Use your own domain name and user name. domain user line 4, local user line 5. Remove rem at beginning your line.
rem net localgroup administrators domain\user /add
rem new localgroup administrators [username] /add
rem This command will grant ownership of the Veeam Endpoint Backup folder, and all files and subfolders in the folder, to local administrator group.
takeown /F "C:\Program Files\Veeam\Endpoint Backup" /A /R /D Y
rem This command will reset ntfs acl to default
icacls "C:\Program Files\Veeam\Endpoint Backup\*" /t /reset
rem This two commands command will set ntfs ACL. All files and subfolders in specified path will be processed. Inheritance is removed and full rights is set to administrator group and local system account. Specify your own domain name and/or user name.
Icacls "C:\Program Files\Veeam\Endpoint Backup" /inheritance:r
Icacls "C:\Program Files\Veeam\Endpoint Backup" /grant:r "domain\endpoint":(OI)(CI)F /T /grant:r "SYSTEM":(OI)(CI)F /T
rem This command hide C:\Program Files\Veeam folder and make it fake "system" folder. If user try to delete it windows will open warning window which can scare some "naughty" users.
attrib +h -r +s "C:\Program Files\Veeam\Endpoint Backup" /S /D
rem This line will create new scheduled task if you need to run VEB more than once per day. You can create almost continuous data protection. Run as system account.
schtasks.exe /create /ru SYSTEM /sc DAILY /tn Veeam_Endpoint_Backup /tr "\"C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Manager.exe\" /backup" /ST 12:00:00 /SD 10/10/2016
rem This line will open Scheduled Task window for tweaking above task. Folder "Task Scheduler Library". 
Taskschd.msc