Backup failing due to UAC?

Availability for the Always-On Enterprise

Re: Backup failing due to UAC?

Veeam Logoby brupnick » Thu Aug 23, 2012 6:30 pm

That is very interesting and something that I was completely unaware of. Now the next set of questions:

1.) Is there a way to grant my new admin account the same rights and permissions that the -500 admin account has?
2.) What if the -500 admin account was deleted? Is there a way to recreate it? (this isn't so much for the VBR issue, but for general information)
brupnick
Expert
 
Posts: 196
Liked: 13 times
Joined: Sat Feb 05, 2011 5:09 pm
Location: New York, USA
Full Name: Brian Rupnick

Re: Backup failing due to UAC?

Veeam Logoby tsightler » Thu Aug 23, 2012 7:10 pm 1 person likes this post

brupnick wrote:1.) Is there a way to grant my new admin account the same rights and permissions that the -500 admin account has?


You can turn off UAC. That's pretty much the difference. The "default" accounts are hard coded by security policy to be immune to UAC. If you open up your Security Policy Editor and go to Local Policy...Security Options you will find a policy as follows:

User Account Control: Admin approval mode for the Built-In Adminstrator account: Disabled


So basically this is saying that built-in administrator accounts are exempt from UAC since they don't require admin approval mode. If you set this policy to "Enabled" then even the built-in accounts will be subject to UAC.

The Raiders of the Elevated Token is a good video for anyone interested in details of UAC and token elevation.

I don't know if you can easily recreate the "default" account, but I'm sure it could be done somehow.
tsightler
Veeam Software
 
Posts: 4633
Liked: 1676 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Backup failing due to UAC?

Veeam Logoby brupnick » Thu Aug 23, 2012 7:16 pm

This might be a silly question, but is there a difference between built-in accounts (say those that are created when Windows is installed) and accounts that are members of the BUILTIN\Administrators group? I believe the answer to this is "yes," but I want to make sure. The new local admin account that we created is an exact match as far as memberships to the built-in administrator account, but we're still having these UAC issues.
brupnick
Expert
 
Posts: 196
Liked: 13 times
Joined: Sat Feb 05, 2011 5:09 pm
Location: New York, USA
Full Name: Brian Rupnick

Re: Backup failing due to UAC?

Veeam Logoby tsightler » Thu Aug 23, 2012 7:27 pm 1 person likes this post

Yes, that's exactly what this thread has been talking about. The "default" accounts that are created during install are the "built-in" accounts with the known UIDs that end in -500. These are the only accounts that are exempt from UAC by default. Unfortunately Microsoft doesn't provide any method for having a "special" account that is not subject to UAC but also isn't "well known".
tsightler
Veeam Software
 
Posts: 4633
Liked: 1676 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Backup failing due to UAC?

Veeam Logoby dellock6 » Thu Aug 23, 2012 9:14 pm

To sum it: "If you are not well known, I'm not going to trust you" :)
I usually disable UAC at the end, system security is not meant to be the OS asking everywhere for authorization to do something, it's better to work on permissions and policies. Disabling the default admininistrator and rename it is a well established and good practice. I would keep this and disable UAC instead.

Luca.
Luca Dell'Oca
EMEA Cloud Architect @ Veeam Software

@dellock6
http://www.virtualtothecore.com
vExpert 2011-2012-2013-2014-2015-2016
Veeam VMCE #1
dellock6
Veeam Software
 
Posts: 4787
Liked: 1247 times
Joined: Sun Jul 26, 2009 3:39 pm
Location: Varese, Italy
Full Name: Luca Dell'Oca

Re: Backup failing due to UAC?

Veeam Logoby brupnick » Fri Aug 24, 2012 2:57 pm

Thank you everyone for all of your assistance. I enabled the default administrator account (we had disabled it when we created a new account) and used it in my VBR jobs last night. The two 2008 R2 DCs that I was having issues with were processed as expected. I'm going to work with the rest of my team to change our accounts so that our default domain admin account is the one with the SID ending in -500. I'm also going to discuss this with our Security group to get their thoughts on disabling UAC in certain situations given this new information.

Thank you again,
Brian
brupnick
Expert
 
Posts: 196
Liked: 13 times
Joined: Sat Feb 05, 2011 5:09 pm
Location: New York, USA
Full Name: Brian Rupnick

Re: Backup failing due to UAC?

Veeam Logoby vmnewbie1 » Tue Aug 28, 2012 7:22 pm

My B&R v6 jobs have been using the DOMAIN\administrator account without issue for the past several months. Over the past two weeks, however, several of my 2008R2 VM backups have started failing 100% of the time with Win32 error Code 53. The only changes we've made were to install the latest round of MS OS updates. What's the likelihood that MS has tightened up UAC even more? Backups work fine once UAC is turned off, but I'd prefer to use my -500 built-in domain admin account, especially since it used to work...
vmnewbie1
Lurker
 
Posts: 2
Liked: never
Joined: Wed Dec 21, 2011 8:01 pm
Location: Atlanta, GA, USA
Full Name: Jeff Hamilton

Failed to prepare guest for hot backup" because lostconnect

Veeam Logoby Andreas Neufert » Tue Sep 04, 2012 7:15 am

Hi just FYI

One of my customers changed some network firewalling things which end up in the following error:
Code: Select all
Failed to prepare guest for hot backup. Details: Failed to connect to guest agent. Errors:
'Cannot connect to the host's administrative share. Host:  [IP]. Account: [account].
Win32 error:The network path was not found.
Code: 53

Solution:
He opened the port 902 between Veeam Backup & Replication Server and ESX Hosts.
Andreas Neufert
Veeam Software
 
Posts: 2081
Liked: 333 times
Joined: Wed May 04, 2011 8:36 am
Location: Germany
Full Name: @AndyandtheVMs Veeam PM

[MERGED] Minimum rights required for backup account

Veeam Logoby b.vanhaastrecht » Thu Oct 10, 2013 8:23 am

We are having an issue with a delegated service account for doing the guest index and application aware backups. This account is member of Domain Admins and Builtin\Administrators. When we run the backup job we get an error backup regaring the RPC/Admin$ share isn't accessable. While when we configure the same job with the Domain Administrator account, the job is succesfull. We have rebooted the server to backup, which is a Windows 2012 Server.

Are the permissions set to the service account not enough or could there be an other issue?

Errors when using the service account:
Code: Select all
10-10-2013 10:10:27 :: Failed to prepare guest for hot backup. Error: Failed to connect to guest agent. Errors:
'Cannot connect to the host's administrative share. Host:  [10.20.35.16]. Account: [].
Win32 error:The network path was not found.
 Code: 53
Cannot connect to the host's administrative share. Host:  [fe80::3013:8eae:8524:8304]. Account: [].
Win32 error:The network path was not found.
 Code: 53

(@Veeam Support: Please note that we are using vCloud level backup, our Veeam backup server has NO network connectivity to the vDC we are trying to backup (usual setup when using vCloud in provider setup). The job first tries to contact the VM via RPC, if that fails the VMware API is used to get to the guest files. The error message above indicates the network is used, but it's actualy doing a fallback to the VMware API, which in this case also failes with a rights issue. The whole VMware API part is not logged in the GUI, this step should be better logged in the GUI.)
========================================
Veeam ProPartner and Cloud Connect Provider
b.vanhaastrecht
Service Provider
 
Posts: 315
Liked: 62 times
Joined: Mon Aug 26, 2013 7:46 am
Location: The Netherlands
Full Name: Bastiaan van Haastrecht

Re: Backup failing due to UAC?

Veeam Logoby Vitaliy S. » Thu Oct 10, 2013 8:46 am

Hello Bastiaan,

Most likely the account you're using cannot be used to perform VSS freeze operations. You need to either use administrator account (domain, or local machine), or disable UAC to make it work.

Thank you!
Vitaliy S.
Product Manager
 
Posts: 18986
Liked: 1046 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Backup failing due to UAC?

Veeam Logoby b.vanhaastrecht » Thu Oct 10, 2013 9:10 am

Hi Vitaliy, I've read all pre posts in this thread. Never thought UAC could be the issue. I'm also concerned about the suggested solutions: Disable UAC, or use the builtin administrator account. We are an vCloud service provider, we can't ask for the administrator account of the customers, they just simply wont give it to us. (We need guest indexing because we use the Enterprise Manager to give customers a portal to do their own file restores.) Asking them to disable UAC if an alternative service account is to be used would rase security concerns. There has got to be a MS valid way to assign an account with the appropiate (UAC) rights to do the task nescacary for the guest indexing and application aware backup. Otherwise, Veeams approuch of doing this should be reconsiderd.

Please note my part about the GUI log lacking proper logging about the use of VMware API.
========================================
Veeam ProPartner and Cloud Connect Provider
b.vanhaastrecht
Service Provider
 
Posts: 315
Liked: 62 times
Joined: Mon Aug 26, 2013 7:46 am
Location: The Netherlands
Full Name: Bastiaan van Haastrecht

Re: Backup failing due to UAC?

Veeam Logoby Vitaliy S. » Thu Oct 10, 2013 9:24 am

Yes, I know about the GUI part. In your case there is a failover while accessing VM via VMware Tools (VIX API), but the fact the local admin works and other accounts that belong to local admin group don't, points that built-in administrator is the only way to use indexing option. BTW, did you open a support case with our team to verify the exact reason for the job failure? This info can be found in the job debug logs.
Vitaliy S.
Product Manager
 
Posts: 18986
Liked: 1046 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Backup failing due to UAC?

Veeam Logoby b.vanhaastrecht » Thu Oct 10, 2013 10:00 am

Vitaliy S. wrote:Yes, I know about the GUI part. In your case there is a failover while accessing VM via VMware Tools (VIX API), but the fact the local admin works and other accounts that belong to local admin group don't, points that built-in administrator is the only way to use indexing option. BTW, did you open a support case with our team to verify the exact reason for the job failure? This info can be found in the job debug logs.

Ok thanks. I hope Veeam see's the security challenge issue with guest indexing in an vCloud setup. I did not open a support case on this matter. I've done some further testing, and I can confirm it's because of UAC/rights. I'm going to fiddle around in this issue, to see if I can find a way to use a seperate service account with UAC enabled.
========================================
Veeam ProPartner and Cloud Connect Provider
b.vanhaastrecht
Service Provider
 
Posts: 315
Liked: 62 times
Joined: Mon Aug 26, 2013 7:46 am
Location: The Netherlands
Full Name: Bastiaan van Haastrecht

Re: Backup failing due to UAC?

Veeam Logoby masonit » Thu Sep 11, 2014 8:02 am

Hi!

Maybe I have missunderstood this. But the requirement of using builtin administrator account when UAC is enabled. Does this only apply when using VIX? Or does it also apply when accessing over the network?

\Masonit
masonit
Service Provider
 
Posts: 137
Liked: 10 times
Joined: Tue Oct 09, 2012 2:30 pm
Full Name: Magnus Andersson

Re: Backup failing due to UAC?

Veeam Logoby foggy » Thu Sep 11, 2014 8:34 am

Yes, this is VIX-specific requirement. UAC is not enforced on network connections.
foggy
Veeam Software
 
Posts: 13899
Liked: 1012 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

PreviousNext

Return to Veeam Backup & Replication



Who is online

Users browsing this forum: borismittelmann, MSNbot Media and 10 guests