Saving to Windows Share with currently logged in credentials

Backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)

by cffit » Thu Dec 18, 2014 5:32 pm

When saving the backup to a Windows share that the laptop user's logged in account has permissions to, do I still have to enter the user's credentials in the backup configuration? I can't seem to get it to work unless I specify credentials. If this is the case, then a feature request I would have is for the backup to use the currently logged in user's credentials. What will happen is I will get this set up for someone, and then a month from now their password will need to be changed and they will change it, but they won't remember to change it in the backup configuration and then their backups will not work from there on.

Other than that, looks great so far! Thanks for the free and useful software :)
cffit
Expert
 
Full Name: Christensen Farms

Re: Saving to Windows Share with currently logged in credent

by Vitaliy S. » Thu Dec 18, 2014 9:44 pm

Hi Christensen,

Yes, you need to do this, as I believe that backup should not depend on the user that is currently logged in. I might be off base, but this feature request assumes that the user HAS to be online/logged in every time he needs to do a backup? I prefer to sleep at night and not wait till backups are complete ;)

P.S. thank you for your kind words on the Endpoint backup!

Thanks!
Vitaliy S.
Veeam Software
 
Full Name: Vitaliy Safarov

Re: Saving to Windows Share with currently logged in credent

by cffit » Thu Dec 18, 2014 10:14 pm

I can kind of see this, but from my view as a customer, I'd rather have backups set to run during the work day for end users and use currently logged in credentials and then not have to worry about whether the end user remembers to change the backup credentials when they change their password every 30 or 60 days. If some days the user's computer is not logged in or powered off, that's fine, we can miss a day or two of backup.

I gave some thought around using one universal account that has very high permissions for everyone, like a service account, but I don't like that either. I have a file share open with subfolders for each user and then I limit each user's folder so that only their user account can access it.

I will be curious to see if others would prefer having the currently logged in user's credentials used instead of statically assigning them.

Thanks!
cffit
Expert
 
Full Name: Christensen Farms

Re: Saving to Windows Share with currently logged in credent

by Dima P. » Thu Dec 18, 2014 11:02 pm

Christensen,
I believe one service account might do the trick – you set up Endpoint under the service account and just forget about it. The end user will be able to see that Endpoint is running, but if it is not the administrative account then restore is forbidden. Therefore, the backup is running, the user sees the stats in the CP and can even initiate a nonscheduled backup.
Dima P.
Veeam Software
 
Full Name: Dmitry Popov

Re: Saving to Windows Share with currently logged in credent

by cffit » Mon Apr 13, 2015 3:55 pm

So this service account would need to be a domain account since it will be accessing a remote share to save to. If I created one domain backup account and added that account to each user's Local Admin groups on their PC, then gave that account permissions to the different backup locations for each user, would there be any security issue with that? Technically that service account could see everyone's backup folder on the network, but since this account password won't be known by the end user, is there any danger to setting that up initially to be what EndPoint Backup uses?
cffit
Expert
 
Full Name: Christensen Farms

Re: Saving to Windows Share with currently logged in credent

by cffit » Mon Apr 13, 2015 7:47 pm

I guess I should just ask how most places are doing this in a corporate environment. If you have:

User1
User2
User3
User4
User5

And you have a file share on the network with subfolders for each user:

\\backupserver\laptopbackups\User1
\\backupserver\laptopbackups\User2
\\backupserver\laptopbackups\User3
\\backupserver\laptopbackups\User4
\\backupserver\laptopbackups\User5

Then do you use one service account or do you use 5 different service accounts here for restricting access? If I use one service account, say "UserLaptopBackup", and give that service account local admin rights on each computer and also grant that account access to all user backup folders on the network, is that considered safe and best practice?
cffit
Expert
 
Full Name: Christensen Farms

Re: Saving to Windows Share with currently logged in credent

by Dima P. » Mon Apr 13, 2015 10:01 pm

"is that considered safe and best practice?"

Honestly, it’s up to you. I’d rather create 5 different accounts, one for each laptop, to ensure end users won’t have access to every backup file. Even if they don’t know the creds and exact location they still can run FLR under this service account...

By the way, you should be able to use the local computer account for each laptop's backup location.
Dima P.
Veeam Software
 
Full Name: Dmitry Popov

Re: Saving to Windows Share with currently logged in credent

by Vitaliy S. » Tue Apr 14, 2015 9:33 am

If I were you I would configure user permissions to the share (backup server), so that each user has its own backups/folder and could run FLR operations if needed.
Vitaliy S.
Veeam Software
 
Full Name: Vitaliy Safarov

Re: Saving to Windows Share with currently logged in credent

by cffit » Tue Apr 14, 2015 1:05 pm

So in the end, I need to create additional user accounts for each user that uses this and set that account to never expire. Setting it to never expire kind of defeats the purpose of having our normal account passwords expire at that point, doesn't it?

How do I add local machine user accounts for access to a remote share on the network where backups would go?

I like this product, but I think it's kind of difficult to manage having a service account for the end user. If you do create second accounts for each user that don't expire, are they expected to remember that password I assume so they can do restores?
cffit
Expert
 
Full Name: Christensen Farms

Re: Saving to Windows Share with currently logged in credent

by Dima P. » Wed Apr 15, 2015 2:56 pm

Christensen,
Assuming this file share is in the domain, you could add the computer account for machines where Endpoint Backup resides. For granular permissions, just add the computer account to the permission list on the file share subfolder.

Globally you can do it this way: create an AD group for computers, let’s call it Endpoint Backups, with all the laptops added, and set the group access file share as admin.
Dima P.
Veeam Software
 
Full Name: Dmitry Popov
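
The per-subfolder computer-account permissions described in the post above, as an added example that is not part of any post in this thread. It assumes the agent reaches the share as the laptop's computer account; the domain `CONTOSO`, the server-local path `D:\laptopbackups` behind `\\backupserver\laptopbackups`, and the folder-to-laptop map are constructed placeholders.

```powershell
# Added example (not from the thread). Run elevated on the file server.
# Assumed placeholders: domain CONTOSO, local path D:\laptopbackups behind
# \\backupserver\laptopbackups, and the constructed folder-to-laptop map.
$Root   = 'D:\laptopbackups'
$Domain = 'CONTOSO'
$Map    = [ordered]@{ User1 = 'LAPTOP01'; User2 = 'LAPTOP02'; User3 = 'LAPTOP03' }
$Admins = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

foreach ($folder in $Map.Keys) {
    $path    = Join-Path $Root $folder
    $machine = "$Domain\$($Map[$folder])`$"      # computer accounts end in '$'
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # /inheritance:r drops ACEs inherited from the root, so nothing granted
    # higher up (for example to a shared service account) reaches this folder.
    # /grant:r then sets the explicit ACEs: admins Full, the one laptop Modify.
    icacls $path /inheritance:r /grant:r `
        'BUILTIN\Administrators:(OI)(CI)F' `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        "${machine}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $path" }
}

# Audit: report any ACE that is neither the folder's own laptop nor an
# admin principal, so a stray grant to another machine or user stands out.
foreach ($folder in $Map.Keys) {
    $expected = $Admins + "$Domain\$($Map[$folder])`$"
    (Get-Acl (Join-Path $Root $folder)).Access |
        Where-Object { $expected -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            [pscustomobject]@{
                Folder    = $folder
                Principal = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
            }
        }
}
```

An empty audit result means each folder is reachable only by its own laptop's computer account and the server's administrators; the share-level permission still has to admit those computer accounts.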

[MERGED] Managing users and multiple workstations

by bdoe » Wed May 06, 2015 4:43 pm

I'm curious what everyone is doing to manage Endpoint on several workstations? We've been using BackupPC for around 35 workstations for some time, but I'd prefer to roll everything into Veeam. I've already created a new repository on my B&R server and would like endpoints to use that, which I've done with my workstation. However, how do you manage access to the repository? I would prefer to be the one that sets up the software on their machine; if I leave it to them, we all know it won't get done. However, I also don't want users to be able to open the software and restore anything from any other machines. It's not a huge deal if they can't restore their own files from the repository, though it'd be nice. What's the best approach?
bdoe
Enthusiast
 
Full Name: Bryan

Re: Saving to Windows Share with currently logged in credent

by Dima P. » Wed May 06, 2015 5:39 pm

Hello Bryan,
We have an ongoing discussion regarding the user permissions, so I’ve merged your post to the existing thread.
Dima P.
Veeam Software
 
Full Name: Dmitry Popov

Re: Saving to Windows Share with currently logged in credent

by bdoe » Wed May 06, 2015 6:34 pm

Thanks.

I installed the agent on another machine today; on mine and that one I connected to the repository using my IT admin credentials. From my machine, under a separate account, I was able to bring up FLR for either machine. So it sounds like whether I'm using a B&R repository or a Windows share, I'd want to create a separate account for each machine. Our users have local admin, so they would be able to open the recovery tools.
bdoe
Enthusiast
 
Full Name: Bryan

Re: Saving to Windows Share with currently logged in credent

by Dima P. » Thu May 07, 2015 11:41 am

"Our users have local admin, so they would be able to open the recovery tools"

In such a case, a specific service account sounds like a good solution. In addition, try to use the computer account for each user’s machine as described above.
Dima P.
Veeam Software
 
Full Name: Dmitry Popov

Re: Saving to Windows Share with currently logged in credent

by bdoe » Thu May 07, 2015 1:28 pm

I suppose an alternative would be to block users from performing restores and leaving that to IT. While users do have separate admin accounts, we also use software restriction policies, so I could put together a new SRP to block the local admins from opening Veeam executables. Then I would just need one service account for all machines with access to the Veeam repository (I'd prefer everything linked into B&R instead of using Windows shares). That seems a bit more manageable.
bdoe
Enthusiast
 
Full Name: Bryan
