-
- Veteran
- Posts: 298
- Liked: 85 times
- Joined: Feb 16, 2017 8:05 pm
- Contact:
An AD "Veeam" Service Account - What Privilege?
Suppose you create a Veeam service in Active Directory and provide this account with sufficient admin credentials for application-aware processing and guest file system indexing.
Would it be better to add this service account to the Local Administrators group on all of your servers or would it be better to add the Domain Admin group only to this service account?
-MD
-
- Veeam Software
- Posts: 856
- Liked: 154 times
- Joined: Feb 16, 2012 7:35 am
- Full Name: Rasmus Haslund
- Location: Denmark
- Contact:
Re: An AD "Veeam" Service Account - What Privilege?
I think that comes down to your local policies. Making an account domain admin could cause issues with audits, so setting a GPO to assign local admin rights on VMs only where needed might be better - but it would also mean much more management overhead.
Rasmus Haslund | Twitter: @haslund | Blog: https://rasmushaslund.com
-
- Veteran
- Posts: 298
- Liked: 85 times
- Joined: Feb 16, 2017 8:05 pm
- Contact:
Re: An AD "Veeam" Service Account - What Privilege?
Thank you for the reply.
So let me pose another scenario using the Veeam service account as mentioned above.
Suppose that the Veeam service account has been breached.
Which admin group strategy, Local Admin or Domain Admin, would cause the least damage?
-
- Veeam Legend
- Posts: 122
- Liked: 31 times
- Joined: Sep 11, 2012 12:00 pm
- Full Name: Shane Williford
- Location: Missouri, USA
- Contact:
Re: An AD "Veeam" Service Account - What Privilege?
Anytime a domain account is breached, that is more critical than local.
Shane Williford
Systems Architect
Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
-
- Veteran
- Posts: 298
- Liked: 85 times
- Joined: Feb 16, 2017 8:05 pm
- Contact:
Re: An AD "Veeam" Service Account - What Privilege?
Thanks for the input - great information and a good sanity check.
-
- Enthusiast
- Posts: 57
- Liked: 8 times
- Joined: Jul 13, 2009 12:50 pm
- Full Name: Mark
- Location: The Netherlands
- Contact:
Re: An AD "Veeam" Service Account - What Privilege?
Something to keep in mind: a domain admin should have never been called "domain admin". The name *should* have been "domain controller admin".
So best practice is to never use a domain admin account for anything other than to log on to domain controllers.
-
- Veteran
- Posts: 487
- Liked: 106 times
- Joined: Dec 08, 2014 2:58 pm
- Full Name: Steve Krause
- Contact:
Re: An AD "Veeam" Service Account - What Privilege?
One of the security best practices (at least around here where the AD is used by multiple organizations and managed centrally) is to remove the Domain Admins from your server local administrators group and have a different AD group with the accounts you need to have admin access (super-user accounts, service accounts that need admin access, etc.) added to the local administrators group on your servers through a GPO.
Steve Krause
Veeam Certified Architect
-
- Novice
- Posts: 9
- Liked: 1 time
- Joined: Oct 27, 2015 9:57 am
- Full Name: IWS
- Contact:
Re: An AD "Veeam" Service Account - What Privilege?
The Veeam admin account recommendation, from a security and auditing point of view, is to use local admin.
Scenarios for different organization needs:
Small organization: Then we can use a single domain user account and add it to local admin on the servers from where backups have to be done.
Medium and big organization: In a medium or big organization where there is more security concern and many more administrators involved, you should have multiple accounts created and added to local admin depending on application group, database group, and critical server group. If any one account is compromised, it won't affect all servers.
-
- Novice
- Posts: 9
- Liked: 1 time
- Joined: Oct 27, 2015 9:57 am
- Full Name: IWS
- Contact:
Re: An AD "Veeam" Service Account - What Privilege?
Please check this article from Microsoft about "Securing Critical and Service Accounts"; it explains "Service Account Vulnerability Scenarios" in detail.
https://msdn.microsoft.com/en-us/library/cc875826.aspx
-
- Enthusiast
- Posts: 48
- Liked: 5 times
- Joined: Aug 23, 2013 1:06 pm
- Full Name: Joerg Renggli
- Location: Switzerland
- Contact:
Re: An AD "Veeam" Service Account - What Privilege?
Hi Community
I have asked that question about 3 years ago in a support ticket and the answer I got is this:
I guess, if you want to have a consistent domain controller backup you need full administrator rights on it.
Unfortunately it is impossible - we need access to ADMIN$ of the guest VM in order to upload VSS agents, and for a generic VM you can use local admin, but it is disabled on DCs.
Another solution would be to back up this machine without VSS, but you would have to create the DC DB using some other tool as it will be inconsistent without VSS.
-
- Influencer
- Posts: 19
- Liked: 2 times
- Joined: Jul 30, 2012 8:23 am
- Full Name: Jaroslav Haken
- Contact:
Re: An AD "Veeam" Service Account - What Privilege?
In an AD environment, you can also use the Restricted Groups feature in Group Policy to add/remove the Veeam account to/from the local Administrators group on the machines you want to back up. It makes the whole process much easier and the "backup admin account" is locked within the specific group of machines.
It's a bit tricky though, because in the case of Restricted Groups you need "Force this group to be part of that group", which means having a security group containing only the "Veeam admin" account; the policy then enforces membership of this group in local Administrators. I tried other approaches as well, but so far this one proved to be the "not interfering, working and easy-to-maintain" one.
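An audit script that checks the end state Steve Krause's and Jaroslav Haken's posts describe (Domain Admins removed from each server's local Administrators group, a dedicated backup-admin group present, no individual accounts added directly). This is an added example for the thread, not code from the forum or from Veeam; the domain, group names and server list are assumptions, and it needs WinRM plus the LocalAccounts module (PowerShell 5.1+) on the targets.

```powershell
# Added example: audit local Administrators membership on backup targets.
# Assumed names (replace with your own): domain CONTOSO, dedicated group
# CONTOSO\Veeam-BackupAdmins, constructed server list below.
$BackupAdminGroup  = 'CONTOSO\Veeam-BackupAdmins'
$DomainAdminsGroup = 'CONTOSO\Domain Admins'
$Servers           = @('fs01', 'sql01', 'app01')   # constructed sample list

# Collect local Administrators membership from every server in one pass.
# Invoke-Command tags each result with PSComputerName so we can group by host.
$audit = Invoke-Command -ComputerName $Servers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
} -ErrorAction SilentlyContinue

$report = foreach ($server in $Servers) {
    $members = @($audit | Where-Object { $_.PSComputerName -eq $server })
    if ($members.Count -eq 0) {
        # Unreachable hosts are reported, not silently treated as compliant.
        [pscustomobject]@{ Server = $server; Status = 'UNREACHABLE'; Findings = '' }
        continue
    }

    $findings = @()
    $names = $members.Name
    if ($names -contains $DomainAdminsGroup) {
        $findings += 'Domain Admins still in local Administrators'
    }
    if ($names -notcontains $BackupAdminGroup) {
        $findings += "$BackupAdminGroup missing"
    }
    # Domain user accounts added directly bypass the GPO-managed group model.
    $directUsers = $members |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'ActiveDirectory' }
    foreach ($u in $directUsers) {
        $findings += "direct user membership: $($u.Name)"
    }

    [pscustomobject]@{
        Server   = $server
        Status   = if ($findings.Count -eq 0) { 'OK' } else { 'REVIEW' }
        Findings = ($findings -join '; ')
    }
}

$report | Sort-Object Status, Server | Format-Table -AutoSize
```

Servers that report REVIEW are candidates for the Restricted Groups / GPO clean-up discussed above; a scheduled run of this script also gives the audit trail Rasmus mentioned.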
-
- Veteran
- Posts: 528
- Liked: 144 times
- Joined: Aug 20, 2015 9:30 pm
- Contact:
Re: An AD "Veeam" Service Account - What Privilege?
Hoegimator wrote:
Hi Community
I have asked that question about 3 years ago in a support ticket and the answer I got is this:
Unfortunately it is impossible - we need access to ADMIN$ of the guest VM in order to upload VSS agents, and for a generic VM you can use local admin, but it is disabled on DCs.
Another solution would be to back up this machine without VSS, but you would have to create the DC DB using some other tool as it will be inconsistent without VSS.
I guess, if you want to have a consistent domain controller backup you need full administrator rights on it.
This is incorrect. You can use VMTools (for VMware) or Hyper-V Native Quiescence, which means VMware or Hyper-V will inform the guest to take a VSS snapshot rather than Veeam. This removes the need for Veeam to have admin access to the VM. I use this method for all of my VMs except for SQL Server VMs, where I want Veeam to truncate the SQL transaction logs. I also use an admin account to do guest file system indexing on our file server VMs, but most VMs don't need this. Using native quiescing does not prevent you from doing app-aware restores using the Veeam Explorer tool for AD/Exchange/SQL/Oracle either.