Hello everybody,
in the section "guest OS credentials" (backup or replication job) I have selected the domain-admin-account which has per default access to any machine. Of course, this configuration works since a while.
I have now changed the admin-password, waited for the next pass of the backupjob, logged in (as a local admin) to a vm that has been backed up by veeam and dumped the lsass.exe process. After that I took a look at it using mimikatz (sekurlsa::minidump dump.dmp and sekurlsa::logonpasswords) and there I found the new password in plain text.
I know that there are solutions to prevent windows storing plain text pwd's in lsass.exe and prevent dumping the process but of course it would be better to not use the domain-admin-account for backup jobs. So the real question is: What is the best approach for using accounts for veeam purposes like stopping services via script, doing indexing, enable explorers for exchange, ad and so on? What is the minimum permission a account must have that the job will be successful? Is it better to use a local admin account or how should it be handled?
Thanks in advance!
-
mcz
- Veeam Legend
- Posts: 945
- Liked: 221 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
-
DGrinev
- Veteran
- Posts: 1943
- Liked: 247 times
- Joined: Dec 01, 2016 3:49 pm
- Full Name: Dmitry Grinev
- Location: St.Petersburg
- Contact:
Re: Best approach veeam backup & account permission
Hi Michael,
Detailed description of all required permissions for the different accounts described in the User Guide. Thanks!
The recommended way for stopping services via script described in the article called "Pre-Freeze and Post-Thaw Scripts".mcz wrote:What is the best approach for using accounts for veeam purposes like stopping services via script
Detailed description of all required permissions for the different accounts described in the User Guide. Thanks!
-
mcz
- Veeam Legend
- Posts: 945
- Liked: 221 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
Re: Best approach veeam backup & account permission
Hi Dmitry,
thanks for the answer but I still couldn't get the information I needed. Basically I just wannted to know which local permissions the user needs to have for indexing and executing the scripts for starting and stopping services. So which usergroup do I have to choose for the user?
thanks for the answer but I still couldn't get the information I needed. Basically I just wannted to know which local permissions the user needs to have for indexing and executing the scripts for starting and stopping services. So which usergroup do I have to choose for the user?
-
DGrinev
- Veteran
- Posts: 1943
- Liked: 247 times
- Joined: Dec 01, 2016 3:49 pm
- Full Name: Dmitry Grinev
- Location: St.Petersburg
- Contact:
Re: Best approach veeam backup & account permission
Hi Michael,
The user should have local administrator permissions for indexing, managing services by using scripts or any other interactions with guest OS.
For the explorers of exchange, AD and so on, you can find required permissions in the UG.
Thanks!
The user should have local administrator permissions for indexing, managing services by using scripts or any other interactions with guest OS.
For the explorers of exchange, AD and so on, you can find required permissions in the UG.
Thanks!
Who is online
Users browsing this forum: Google [Bot] and 293 guests