Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Post Reply
cffit
Veteran
Posts: 338
Liked: 35 times
Joined: Jan 20, 2012 2:36 pm
Full Name: Christensen Farms
Contact:

Saving to Windows Share with currently logged in credentials

Post by cffit »

When saving the backup to a windows share that the laptop user's logged in account has permissions to, do I still have to enter the user's credentials in the backup configuration? I can't seem to get it to work unless I specify credentials. If this is the case, then a feature request I would have is for the backup to use the currently logged in user's credentials. What will happen is I will get this setup for someone, and then a month from now their password will need to be changed and they will change it, but they won't remember to change it in the backup configuration and then their backups will not work from there on.

Other than that, looks great so far! Thanks for the free and useful software :)
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Saving to Windows Share with currently logged in credent

Post by Vitaliy S. »

Hi Christensen,

Yes, you need to do this, as I believe that backup should not depend on the user that is currently logged in. I might be off base, but this feature request assumes that user HAS to be online/logged in every time he needs to do a backup? I prefer to sleep at nights and do not wait till backups are complete ;)

P.S. thank you for your kind words on the Endpoint backup!

Thanks!
cffit
Veteran
Posts: 338
Liked: 35 times
Joined: Jan 20, 2012 2:36 pm
Full Name: Christensen Farms
Contact:

Re: Saving to Windows Share with currently logged in credent

Post by cffit »

I can kind of see this, but from my view as a customer, I'd rather have backups set to run during the work day for end users and use currently logged in credentials and then not have to worry about whether the end user remembers to change the backup credentials when they change their password every 30 or 60 days. If some days the user's computer is not logged in or powered off, that's fine, we can miss a day or two of backup.

I gave some thought around using one universal account that has very high permissions for everyone, like a service account, but I don't like that either. I have a file share open with subfolders for each user and then I limit each user's folder so that only their user account can access it.

I will be curious to see if others would prefer having the currently logged in user's credentials used instead of statically assigning them.

Thanks!
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Saving to Windows Share with currently logged in credent

Post by Dima P. »

Christensen,
I believe one service account might do the trick – you set up Endpoint under the service account and just forget about it. End-user will be able to see the Endpoint is running, but if it is not the administrative account then restore is forbidden. Therefore, the backup is running user see the stats in the CP and can even initiate the nonscheduled backup.
cffit
Veteran
Posts: 338
Liked: 35 times
Joined: Jan 20, 2012 2:36 pm
Full Name: Christensen Farms
Contact:

Re: Saving to Windows Share with currently logged in credent

Post by cffit »

So this service account would need to be a domain account since it will be accessing a remote share to save to. If I created one domain backup account and added that account to each user's Local Admin groups on their PC, then gave that account permissions to the different backup locations for each user, would there be any security issue with that? Technically that service account could see everyone's backup folder on the network, but since this account password won't be known by the end user, is there any danger to setting that up initially to be what EndPoint Backup uses?
cffit
Veteran
Posts: 338
Liked: 35 times
Joined: Jan 20, 2012 2:36 pm
Full Name: Christensen Farms
Contact:

Re: Saving to Windows Share with currently logged in credent

Post by cffit »

I guess I should just ask how most places are doing this in a corporate environment. If you have:

User1
User2
User3
User4
User5

And you have a file share on the network with subfolders for each user:

\\backupserver\laptopbackups\User1
\\backupserver\laptopbackups\User2
\\backupserver\laptopbackups\User3
\\backupserver\laptopbackups\User4
\\backupserver\laptopbackups\User5

Then do you use one service account or do you use 5 different service accounts here for restricting access? If I use one service account, say "UserLaptopBackup" and give that service account local admin rights on each computer and also grand that account access to all user backup folders on the network, is that considered safe and best practice?
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Saving to Windows Share with currently logged in credent

Post by Dima P. »

is that considered safe and best practice?
Honestly, it’s up to you. I’d rather create 5 different account for each laptop to ensure end users won’t have access to every backup file. Even if they don’t know the creds and exact location they still can run FLR under this service account...

By the way, you should be able to use local computer account for each laptops backup location.
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Saving to Windows Share with currently logged in credent

Post by Vitaliy S. »

If I were you I would configure user permissions to the share (backup server), so that each user has its own backups/folder and could run FLR operations if needed.
cffit
Veteran
Posts: 338
Liked: 35 times
Joined: Jan 20, 2012 2:36 pm
Full Name: Christensen Farms
Contact:

Re: Saving to Windows Share with currently logged in credent

Post by cffit »

So in the end, I need to create additional user accounts for each user that uses this and set that account to never expire. Setting it to never expire kind of defeats the purpose of having our normal account passwords expire at that point doesn't it?

How do I add local machine user accounts for access to a remote share on the network where backups would go?

I like this product, but I think it's kind of difficult to manage having a service account for the end user. If you do create second accounts for each user that don't expire, are they expected to remember that password I assume so they can do restores?
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Saving to Windows Share with currently logged in credent

Post by Dima P. »

Christensen,
Assuming this file share is in the domain you could add computer account for machines where Endpoint Backup resides. For granular permissions, just add computer account to permisson list on the fileshare subfolder.

Globally you can do it this way: create AD group for computers, let’s call it Endpoint Backups, with all the laptops added and set the group access file share as admin.
bdoe
Enthusiast
Posts: 85
Liked: 14 times
Joined: Oct 09, 2014 7:48 pm
Full Name: Bryan
Contact:

[MERGED] Managing users and multiple workstations

Post by bdoe »

I'm curious what everyone is doing to manage Endpoint on several workstations? We've been using BackupPC for around 35 workstations for some time, but I'd prefer to roll everything into Veeam. I've already created a new repository on my B&R server and would like endpoints to use that, which I've done with my workstation. However, how do you manage access to the repository? I would prefer to be the one that sets up the software on their machine; if I leave it to them, we all know it won't get done. However, I also don't want users to be able to open the software and restore anything from any other machines. It's not a huge deal if they can't restore their own files from the repository, though it'd be nice. What's the best approach?
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Saving to Windows Share with currently logged in credent

Post by Dima P. »

Hello Bryan,
We have an outgoing discussion regarding the user permissions, so I’ve merged your post to the existing thread.
bdoe
Enthusiast
Posts: 85
Liked: 14 times
Joined: Oct 09, 2014 7:48 pm
Full Name: Bryan
Contact:

Re: Saving to Windows Share with currently logged in credent

Post by bdoe »

Thanks.

I installed the agent on another machine today; on mine and that one I connected to the repository using my IT admin credentials. From my machine, under a separate account, I was able to bring up FLR for either machine. So it sounds like whether I'm using a B&R repository or a Windows share, I'd want to create a separate account for each machine. Our users have local admin, so they would be able to open the recovery tools.
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Saving to Windows Share with currently logged in credent

Post by Dima P. »

Our users have local admin, so they would be able to open the recovery tools
In such case, specific service account sounds like a good solution. In addition, try to use computer account for each user’s machine like described above.
bdoe
Enthusiast
Posts: 85
Liked: 14 times
Joined: Oct 09, 2014 7:48 pm
Full Name: Bryan
Contact:

Re: Saving to Windows Share with currently logged in credent

Post by bdoe » 1 person likes this post

I suppose an alternative would be to block users from performing restores and leaving that to IT. While users do have separate admin accounts, we also use software restriction policies, so I could put together a new SRP to block the local admins from opening Veeam executables. Then I would just need one service account for all machines with access to the Veeam repository (I'd prefer everything linked into B&R instead of using Windows shares). That seems a bit more manageable.
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Saving to Windows Share with currently logged in credent

Post by Dima P. »

Bryan,
Perfect solution!
Post Reply

Who is online

Users browsing this forum: No registered users and 41 guests