Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
jdelahaye
Enthusiast
Posts: 26
Liked: 1 time
Joined: Nov 08, 2016 9:27 am
Full Name: Jacky Delahaye
Contact:

file level restore as user : found ! but is it legal

Post by jdelahaye »

Hi,

We are some people here who want to allow users to restore files on their own.
I tried to change the manifest value in the FLR exe file from requireAdministrator to asInvoker and it was working.

But I have some questions before using that solution.

Is it legal to modify only the manifest file?
If not, can the Veeam developers supply an exe with an asInvoker manifest?

Please note: I did it for test purposes ONLY.

Best regards
Dima P.
Product Manager
Posts: 14726
Liked: 1707 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: file level restore as user : found ! but is it legal

Post by Dima P. »

Hi Jacky,

It's ok - no worries. I'm mostly interested: were you able to restore the file without an admin account? I was told that some operations (like mounting backup) are impossible without an administrative account...
jdelahaye
Enthusiast
Posts: 26
Liked: 1 time
Joined: Nov 08, 2016 9:27 am
Full Name: Jacky Delahaye
Contact:

Re: file level restore as user : found ! but is it legal

Post by jdelahaye »

I have only tested restoring a file with a non-admin account from the control panel.

I have used Resource Tuner to modify the MANIFEST resource inside the FLR exe file.
I have altered the value from requireAdmin to asInvoker.

Problem solved, but I refuse to use that solution before being sure this isn't unlawful.

The doc was restored in D:\ and personal files folders only.



Best regards
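
Added example, not part of any post in this thread and not Veeam code: a read-only check that reports the `requestedExecutionLevel` embedded in an executable and flags a copy whose value differs from the expected one, which is how a manifest edit like the one described above would show up in a file-integrity review. The function names and the sample bytes are constructed for illustration; `asInvoker` only makes Windows start the process with the caller's existing token and grants no extra rights.

```python
import re
import xml.etree.ElementTree as ET

# An embedded application manifest is normally stored as plain XML text in the
# PE resource section, so a byte search finds it without a resource parser.
# Simplification: manifests using a prefixed root (<asmv1:assembly>) are missed.
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)


def requested_execution_levels(image: bytes) -> list:
    """Return every requestedExecutionLevel 'level' value found in the image."""
    levels = []
    for match in MANIFEST_RE.finditer(image):
        try:
            root = ET.fromstring(match.group(0).decode("utf-8", "replace"))
        except ET.ParseError:
            continue  # not well-formed XML, e.g. a stray string in the binary
        for element in root.iter():
            # Compare on the local name; the element lives in the asm.v3 namespace.
            if element.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
                levels.append(element.get("level", ""))
    return levels


def check_manifest(image: bytes, expected: str) -> str:
    """Classify the image against the level the vendor build is known to ship."""
    levels = requested_execution_levels(image)
    if not levels:
        return "no-manifest"
    return "ok" if all(level == expected for level in levels) else "modified"


def constructed_sample(level: str) -> bytes:
    """Constructed stand-in for an executable: padding around a manifest."""
    manifest = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
        '<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
        '<requestedPrivileges>'
        f'<requestedExecutionLevel level="{level}" uiAccess="false"/>'
        '</requestedPrivileges></security></trustInfo></assembly>'
    )
    return b"MZ" + b"\x00" * 64 + manifest.encode("utf-8") + b"\x00" * 16


if __name__ == "__main__":
    for level in ("requireAdministrator", "asInvoker"):
        print(level, "->", check_manifest(constructed_sample(level), "requireAdministrator"))
```

If the vendor binary is Authenticode-signed, editing its resources also invalidates the signature, so a signature check is a second, independent signal for the same change.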
Mike Resseler
Product Manager
Posts: 8191
Liked: 1322 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: file level restore as user : found ! but is it legal

Post by Mike Resseler »

Jacky,

I perfectly understand that you refuse to use it before you are sure you are not doing something illegal. I would be the same :-) That being said, I am intrigued by it (and I am sure Dima is also :-)). I used asInvoker before (other projects) but it didn't always give me the results that I expected. Sometimes I needed asAdministrator in the manifest to get the work done... It actually surprises me (considering what we do in the backend) that this would be enough rights, but here you go :-).

Dima and his team are extremely busy at this moment, but I wonder if you could (PM to Dima or me is fine) give me the exact steps that you did. Maybe our development team can reproduce it and then go through the logs to see what is happening and who knows... It might even get implemented :-) (Although we have to think about other things such as when is it allowed as a user, when not etc... But that is up for discussion among us :-))

Thanks
Mike
jdelahaye
Enthusiast
Posts: 26
Liked: 1 time
Joined: Nov 08, 2016 9:27 am
Full Name: Jacky Delahaye
Contact:

Re: file level restore as user : found ! but is it legal

Post by jdelahaye »

I feel really, really angry.
I can't reproduce what I did; there is no way to connect to a repository if I launch the FLR without admin rights from a local account. Veeam B&R is joined to a domain and I have given everyone permission to write to the repo.

I have made a test with my domain account, which gives me administration rights.
It's a shame that I did those tests with such an account.

Sorry
Dima P.
Product Manager
Posts: 14726
Liked: 1707 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: file level restore as user : found ! but is it legal

Post by Dima P. »

Hi Jacky,

Thank you for being creative and an additional thank you for being honest. As I said before, there is a technical limitation on some Windows operations that could not be performed under a non-admin account. The restore wizard may work, but the actual restore process won't. We are aware of this behavior and are working on a solution.
jdelahaye
Enthusiast
Posts: 26
Liked: 1 time
Joined: Nov 08, 2016 9:27 am
Full Name: Jacky Delahaye
Contact:

Re: file level restore as user : found ! but is it legal

Post by jdelahaye »

Hi,
I make some types of mistakes because I am just starting in an IT job.
I should have thought of that limitation before, and it is quite normal for security reasons.

I have decided to create a new process in which a user who loses data will call our support so that a restore operator retrieves the lost data from the Veeam B&R console and pushes the data to a shared folder on the laptop (D:\RESTORE on all laptops).
NTFS permissions on the folder are modify for the user and write only for the operator.

I have written a procedure for the support team too.



Best regards
Dima P.
Product Manager
Posts: 14726
Liked: 1707 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: file level restore as user : found ! but is it legal

Post by Dima P. »

Jacky,

Sounds like a good plan.
jdelahaye
Enthusiast
Posts: 26
Liked: 1 time
Joined: Nov 08, 2016 9:27 am
Full Name: Jacky Delahaye
Contact:

Re: file level restore as user : found ! but is it legal

Post by jdelahaye »

My boss has accepted my plan and I have submitted an ITIL process to him.
Thanks for your compliment.

My solution is making the computer the owner of the archive and it is perfectly fine for laptops.
Veeam can be deployed via SCCM with an AutoIt script which contains zero ID for auto configuration.
The sole info in the AutoIt script is the repo name.

Best regards
jdelahaye
Enthusiast
Posts: 26
Liked: 1 time
Joined: Nov 08, 2016 9:27 am
Full Name: Jacky Delahaye
Contact:

Re: file level restore as user : found ! but is it legal

Post by jdelahaye »

Sorry for having suggested that you change only the manifest. Given the quality of your software, I should have known you are too experienced to make that sort of mistake.
Mike Resseler
Product Manager
Posts: 8191
Liked: 1322 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: file level restore as user : found ! but is it legal

Post by Mike Resseler »

Jacky,

No apologies needed. We like these types of ideas. We do make mistakes from time to time and these types of messages can help us in making important changes to the solution. This one won't work but hey, another idea might be a good one...
Markus Doll
Novice
Posts: 4
Liked: never
Joined: Jun 30, 2016 8:12 am
Full Name: Markus Doll
Contact:

Re: file level restore as user : found ! but is it legal

Post by Markus Doll »

Dear all,

Has there been any progress with regard to this topic?

We switch all of our clients to Veeam Endpoint Backup and are basically very happy with it.

The only thing that drives us crazy is the file level restore that keeps asking for admin credentials.

Your feedback is much appreciated.

Thanks!

Best,
Markus
Vitaliy S.
VP, Product Management
Posts: 27377
Liked: 2800 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: file level restore as user : found ! but is it legal

Post by Vitaliy S. »

Markus, this will remain the same for v2 release, but this capability is still on our radar.
riley.martin
Lurker
Posts: 2
Liked: never
Joined: Oct 18, 2022 8:14 pm
Full Name: Riley Martin
Contact:

Re: file level restore as user : found ! but is it legal

Post by riley.martin »

Are there any updates on this? We still have users that cannot perform file level restores.
HannesK
Product Manager
Posts: 14844
Liked: 3086 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: file level restore as user : found ! but is it legal

Post by HannesK »

Hello,
and welcome to the forums.

That problem was solved some years ago. Just check the "Allow file level recovery without administrative account" check box (assuming that you manage your agents centrally from Veeam Backup & Replication).

Best regards,
Hannes