Backup account permissions?

[WingDog]

Hello.
I'm using vbr8 for some time and was totally surpised to get error
"Failed to finalize guest processing. Details: Failed to process 'TruncateSQLLog' command. Failed to logon user [domain\user] Win32 error:Logon failure: the user has not been granted the requested logon type at this computer. Code: 1385".
while investigating this issue I've found new GPO with some restictions for this user:
- deny logon locally
- deny RDP logon
it's seems to be ok, but not.
Account using for AAP must have local logon permisson.
why? where is local logon while VM backup?

I've changed this GPO and now this user can logon locally and backups work fine.
can anyone explain this?

[Shestakov]

Hello Kirill,
What version of VBR are you at? Thanks!

[WingDog]

Hello Kirill,
What version of VBR are you at? Thanks!

Hello, Nikita.
8.0.0.2021

[Shestakov]

Truncation of SQL logs is done under user account specified in AAIP in Job settings, in a case of failure, GuestHelper tries to truncate transaction logs under LocalSystem account.

In order to understand why SQL logs truncation failed you need to open the GuestHelper log in Guest VM:
\\GUESTVM\c$\ProgramData\Veeam\Backup\VeeamGuestHelper_%date%.log (for Windows 2008 or higher) and search within the log using keyphrase "Truncate Statistics"
Thanks!

[WingDog]

Truncation of SQL logs is done under user account specified in AAIP in Job settings, in a case of failure, GuestHelper tries to truncate transaction logs under LocalSystem account.

In order to understand why SQL logs truncation failed you need to open the GuestHelper log in Guest VM:
\\GUESTVM\c$\ProgramData\Veeam\Backup\VeeamGuestHelper_%date%.log (for Windows 2008 or higher) and search within the log using keyphrase "Truncate Statistics"
Thanks!

Code: Select all

16.06.2015 22:12:14   5452  INFO        RPC: truncation SQL logs.
16.06.2015 22:12:14   5452                  Job UID: '{4265cb25-8a43-4d33-aeb2-fd46426e41ef}'.
16.06.2015 22:12:14   5452                  Login: DOMAIN\USER
16.06.2015 22:12:14   5452                      Truncating SQL logs
16.06.2015 22:12:14   5452                              Enumerating SQL instances
16.06.2015 22:12:14   5452                                  Opening registry path: [SOFTWARE\Microsoft\Microsoft SQL Server]
16.06.2015 22:12:14   5452                                  SQL instance found: [MICROSOFT##SSEE].
16.06.2015 22:12:14   5452                              Enumerating SQL instances. Ok.
16.06.2015 22:12:14   5452                              Enumerating SQL instances
16.06.2015 22:12:14   5452                                  Opening registry path: [SOFTWARE\Wow6432Node\Microsoft\Microsoft SQL Server]
16.06.2015 22:12:14   5452                                  SQL instance found: [ADK].
16.06.2015 22:12:14   5452                                  SQL instance found: [BKUPEXEC].
16.06.2015 22:12:14   5452                              Enumerating SQL instances. Ok.
16.06.2015 22:12:14   5452                      Truncating SQL logs. Failed.
16.06.2015 22:12:14   5452  INFO        RPC: truncation SQL logs.. Failed.
16.06.2015 22:12:14   5452  ERR     BlobCall() error.
16.06.2015 22:12:14   5452  ERR         Failed to process 'TruncateSQLLog' command.
16.06.2015 22:12:14   5452  ERR         Failed to logon user [DOMAIN\USER]
16.06.2015 22:12:14   5452  ERR         Win32 error:Вход в систему не произведен: выбранный режим входа для данного пользователя на этом компьютере не предусмотрен.
16.06.2015 22:12:14   5452  ERR          Code: 1385
16.06.2015 22:12:19   2964              Waiting while plugins finish its jobs.

[Shestakov]

So yes, the problem is a lack of permissions for the user.
And the solution is to give DOMAIN\user permissions on SQL instance and add db_backupoperator role for all FULL and BULK databases, or give it a sysadmin role. Thanks!

[WingDog]

So yes, the problem is a lack of permissions for the user.
And the solution is to give DOMAIN\user permissions on SQL instance and add db_backupoperator role for all FULL and BULK databases, or give it a sysadmin role. Thanks!

Nikita,
There is no problem with SQL permissions because DOMAIN\USER is member of .\administrators and local logon right is totally away from SQL permissions.

[Shestakov]

Ok, let`s go back to your initial questions.

Account using for AAP must have local logon permisson.
why? where is local logon while VM backup?

To backup and truncate newer SQL versions(where nt authority\system doesn`t have backup operator`s permissions) for the authentication purposes Veeam need to personate its components as backup user to the VM.
That`s why you need to have local or sysadmin permissions. Thanks!

[WingDog]

Ok, let`s go back to your initial questions. To backup and truncate newer SQL versions(where nt authority\system doesn`t have backup operator`s permissions) for the authentication purposes Veeam need to personate its components as backup user to the VM.
That`s why you need to have local or sysadmin permissions. Thanks!

Nikita,
ok, I got it - you can't understand me.

another question:
by security purposes I must deny local logon for backup operators.
How to configure VBR to work with such limitations?

[PTide]

Hi,

Could you kindly try to logon with DOMAIN\user account into your SQL instance and perform log backup with truncation manually? I just what to make sure that DOMAIN/user has permissions.

Thank you.

[Shestakov]

Nikita,
ok, I got it - you can't understand me.

Kirill, you can write me a private message in a native language to achieve better understanding.

by security purposes I must deny local logon for backup operators.
How to configure VBR to work with such limitations?

Usually users set "Simple recovery mode" on SQL DBs and "Don`t truncate logs" in that case.
Thanks!