in the section "guest OS credentials" (backup or replication job) I have selected the domain-admin-account which has per default access to any machine. Of course, this configuration works since a while.
I have now changed the admin-password, waited for the next pass of the backupjob, logged in (as a local admin) to a vm that has been backed up by veeam and dumped the lsass.exe process. After that I took a look at it using mimikatz (sekurlsa::minidump dump.dmp and sekurlsa::logonpasswords) and there I found the new password in plain text.
I know that there are solutions to prevent windows storing plain text pwd's in lsass.exe and prevent dumping the process but of course it would be better to not use the domain-admin-account for backup jobs. So the real question is: What is the best approach for using accounts for veeam purposes like stopping services via script, doing indexing, enable explorers for exchange, ad and so on? What is the minimum permission a account must have that the job will be successful? Is it better to use a local admin account or how should it be handled?
Thanks in advance!