-
- Veteran
- Posts: 338
- Liked: 35 times
- Joined: Jan 20, 2012 2:36 pm
- Full Name: Christensen Farms
- Contact:
Saving to Windows Share with currently logged in credentials
When saving the backup to a Windows share that the laptop user's logged in account has permissions to, do I still have to enter the user's credentials in the backup configuration? I can't seem to get it to work unless I specify credentials. If this is the case, then a feature request I would have is for the backup to use the currently logged in user's credentials. What will happen is I will get this set up for someone, and then a month from now their password will need to be changed and they will change it, but they won't remember to change it in the backup configuration and then their backups will not work from there on.
Other than that, looks great so far! Thanks for the free and useful software
-
- VP, Product Management
- Posts: 27371
- Liked: 2799 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Saving to Windows Share with currently logged in credent
Hi Christensen,
Yes, you need to do this, as I believe that backup should not depend on the user that is currently logged in. I might be off base, but this feature request assumes that the user HAS to be online/logged in every time he needs to do a backup? I prefer to sleep at night and not wait till backups are complete.
P.S. thank you for your kind words on the Endpoint backup!
Thanks!
-
- Veteran
- Posts: 338
- Liked: 35 times
- Joined: Jan 20, 2012 2:36 pm
- Full Name: Christensen Farms
- Contact:
Re: Saving to Windows Share with currently logged in credent
I can kind of see this, but from my view as a customer, I'd rather have backups set to run during the work day for end users and use currently logged in credentials and then not have to worry about whether the end user remembers to change the backup credentials when they change their password every 30 or 60 days. If some days the user's computer is not logged in or powered off, that's fine, we can miss a day or two of backup.
I gave some thought around using one universal account that has very high permissions for everyone, like a service account, but I don't like that either. I have a file share open with subfolders for each user and then I limit each user's folder so that only their user account can access it.
I will be curious to see if others would prefer having the currently logged in user's credentials used instead of statically assigning them.
Thanks!
-
- Product Manager
- Posts: 14716
- Liked: 1703 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Saving to Windows Share with currently logged in credent
Christensen,
I believe one service account might do the trick – you set up Endpoint under the service account and just forget about it. The end user will be able to see that Endpoint is running, but if it is not the administrative account then restore is forbidden. Therefore, the backup is running, the user sees the stats in the CP and can even initiate a nonscheduled backup.
-
- Veteran
- Posts: 338
- Liked: 35 times
- Joined: Jan 20, 2012 2:36 pm
- Full Name: Christensen Farms
- Contact:
Re: Saving to Windows Share with currently logged in credent
So this service account would need to be a domain account since it will be accessing a remote share to save to. If I created one domain backup account and added that account to each user's Local Admin groups on their PC, then gave that account permissions to the different backup locations for each user, would there be any security issue with that? Technically that service account could see everyone's backup folder on the network, but since this account password won't be known by the end user, is there any danger to setting that up initially to be what EndPoint Backup uses?
-
- Veteran
- Posts: 338
- Liked: 35 times
- Joined: Jan 20, 2012 2:36 pm
- Full Name: Christensen Farms
- Contact:
Re: Saving to Windows Share with currently logged in credent
I guess I should just ask how most places are doing this in a corporate environment. If you have:
User1
User2
User3
User4
User5
And you have a file share on the network with subfolders for each user:
\\backupserver\laptopbackups\User1
\\backupserver\laptopbackups\User2
\\backupserver\laptopbackups\User3
\\backupserver\laptopbackups\User4
\\backupserver\laptopbackups\User5
Then do you use one service account or do you use 5 different service accounts here for restricting access? If I use one service account, say "UserLaptopBackup" and give that service account local admin rights on each computer and also grant that account access to all user backup folders on the network, is that considered safe and best practice?
-
- Product Manager
- Posts: 14716
- Liked: 1703 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Saving to Windows Share with currently logged in credent
Honestly, it’s up to you. I’d rather create 5 different accounts, one for each laptop, to ensure end users won’t have access to every backup file. Even if they don’t know the creds and exact location they still can run FLR under this service account.
By the way, you should be able to use the local computer account for each laptop's backup location.
-
- VP, Product Management
- Posts: 27371
- Liked: 2799 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Saving to Windows Share with currently logged in credent
If I were you I would configure user permissions to the share (backup server), so that each user has its own backups/folder and could run FLR operations if needed.
-
- Veteran
- Posts: 338
- Liked: 35 times
- Joined: Jan 20, 2012 2:36 pm
- Full Name: Christensen Farms
- Contact:
Re: Saving to Windows Share with currently logged in credent
So in the end, I need to create additional user accounts for each user that uses this and set that account to never expire. Setting it to never expire kind of defeats the purpose of having our normal account passwords expire at that point doesn't it?
How do I add local machine user accounts for access to a remote share on the network where backups would go?
I like this product, but I think it's kind of difficult to manage having a service account for the end user. If you do create second accounts for each user that don't expire, are they expected to remember that password I assume so they can do restores?
-
- Product Manager
- Posts: 14716
- Liked: 1703 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Saving to Windows Share with currently logged in credent
Christensen,
Assuming this file share is in the domain, you could add the computer account for machines where Endpoint Backup resides. For granular permissions, just add the computer account to the permission list on the file share subfolder.
Globally you can do it this way: create an AD group for computers, let’s call it Endpoint Backups, with all the laptops added and set the group access file share as admin.
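The per-machine variant suggested in the post above (each laptop's computer account on the permission list of its own subfolder), as an added example that is not part of the original thread or Veeam's own tooling. The domain `CORP`, the computer names and the local path `D:\laptopbackups` behind `\\backupserver\laptopbackups` are assumptions; run it elevated on the file server.

```powershell
# Added example: one backup folder per laptop, writable only by that
# laptop's AD computer account. All names are assumptions, not from the thread.
$Domain    = 'CORP'                           # hypothetical NetBIOS domain name
$Root      = 'D:\laptopbackups'               # assumed path behind \\backupserver\laptopbackups
$Computers = 'LAPTOP1', 'LAPTOP2', 'LAPTOP3'  # constructed sample computer names
$Admins    = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

foreach ($name in $Computers) {
    $path = Join-Path $Root $name
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    $acl = Get-Acl -Path $path
    # Break inheritance and discard inherited entries, so nothing granted
    # on the share root carries down into this machine's folder.
    $acl.SetAccessRuleProtection($true, $false)

    # Computer accounts are addressed as DOMAIN\NAME$ (trailing dollar sign).
    $grants = @(
        @{ Id = $Admins[0];          Rights = 'FullControl' },
        @{ Id = $Admins[1];          Rights = 'FullControl' },
        @{ Id = "$Domain\$name`$";   Rights = 'Modify' }
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g.Id, $g.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

# Audit: list every ACE that is neither an admin entry nor the folder's own
# computer account. An empty result means no machine can read another's backups.
Get-ChildItem -Path $Root -Directory | ForEach-Object {
    $folder   = $_.FullName
    $expected = "$Domain\$($_.Name)`$"
    (Get-Acl -Path $folder).Access |
        Where-Object { $_.IdentityReference.Value -notin ($Admins + $expected) } |
        Select-Object @{ n = 'Folder'; e = { $folder } }, IdentityReference, FileSystemRights
}
```

The share-level permission still has to admit these accounts; the NTFS entries set here are what keep each folder private to its machine.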
-
- Enthusiast
- Posts: 85
- Liked: 14 times
- Joined: Oct 09, 2014 7:48 pm
- Full Name: Bryan
- Contact:
[MERGED] Managing users and multiple workstations
I'm curious what everyone is doing to manage Endpoint on several workstations? We've been using BackupPC for around 35 workstations for some time, but I'd prefer to roll everything into Veeam. I've already created a new repository on my B&R server and would like endpoints to use that, which I've done with my workstation. However, how do you manage access to the repository? I would prefer to be the one that sets up the software on their machine; if I leave it to them, we all know it won't get done. However, I also don't want users to be able to open the software and restore anything from any other machines. It's not a huge deal if they can't restore their own files from the repository, though it'd be nice. What's the best approach?
-
- Product Manager
- Posts: 14716
- Liked: 1703 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Saving to Windows Share with currently logged in credent
Hello Bryan,
We have an ongoing discussion regarding the user permissions, so I’ve merged your post to the existing thread.
-
- Enthusiast
- Posts: 85
- Liked: 14 times
- Joined: Oct 09, 2014 7:48 pm
- Full Name: Bryan
- Contact:
Re: Saving to Windows Share with currently logged in credent
Thanks.
I installed the agent on another machine today; on mine and that one I connected to the repository using my IT admin credentials. From my machine, under a separate account, I was able to bring up FLR for either machine. So it sounds like whether I'm using a B&R repository or a Windows share, I'd want to create a separate account for each machine. Our users have local admin, so they would be able to open the recovery tools.
-
- Product Manager
- Posts: 14716
- Liked: 1703 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Saving to Windows Share with currently logged in credent
In such a case, a specific service account sounds like a good solution. In addition, try to use the computer account for each user’s machine like described above.
-
- Enthusiast
- Posts: 85
- Liked: 14 times
- Joined: Oct 09, 2014 7:48 pm
- Full Name: Bryan
- Contact:
Re: Saving to Windows Share with currently logged in credent
I suppose an alternative would be to block users from performing restores and leave that to IT. While users do have separate admin accounts, we also use software restriction policies, so I could put together a new SRP to block the local admins from opening Veeam executables. Then I would just need one service account for all machines with access to the Veeam repository (I'd prefer everything linked into B&R instead of using Windows shares). That seems a bit more manageable.
-
- Product Manager
- Posts: 14716
- Liked: 1703 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Saving to Windows Share with currently logged in credent
Bryan,
Perfect solution!