Deny Access for Domain Admin


by vota » Wed Oct 19, 2016 8:57 am

Is it possible to deny access to the B&R Console for the Domain Admin (Domain\Administrator)?

I tried removing the Domain Admins group from the local Administrators group and also assigning the Viewer role to domain\administrator, but the user still has full access to the whole configuration.

Thanks!
vota
Novice
 
Posts: 7
Liked: 1 time
Joined: Mon Nov 21, 2011 2:58 pm
Full Name: Stefan Vater

Re: Deny Access for Domain Admin

by PTide » Wed Oct 19, 2016 10:03 am

Hi,

Have you tried to assign Veeam Backup Administrator role to the local admin (HOSTNAME\Administrator) and delete all other accounts that are related to the domain admin?

Thanks
PTide
Veeam Software
 
Posts: 3246
Liked: 272 times
Joined: Tue May 19, 2015 1:46 pm

Re: Deny Access for Domain Admin

by vota » Wed Oct 19, 2016 12:08 pm

Yep - even if I delete everything else, as in the screenshot below, the administrator is still able to log on with full access rights:
Image
vota
Novice
 
Posts: 7
Liked: 1 time
Joined: Mon Nov 21, 2011 2:58 pm
Full Name: Stefan Vater

Re: Deny Access for Domain Admin

by foggy » Wed Oct 19, 2016 12:21 pm

Hi Stefan, how do you tell that the account has full access?
foggy
Veeam Software
 
Posts: 15294
Liked: 1133 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Deny Access for Domain Admin

by vota » Thu Oct 20, 2016 1:07 pm

When I log on to the B&R Console I can edit everything :)
vota
Novice
 
Posts: 7
Liked: 1 time
Joined: Mon Nov 21, 2011 2:58 pm
Full Name: Stefan Vater

Re: Deny Access for Domain Admin

by foggy » Thu Oct 20, 2016 3:39 pm

Well, looks like there's no ability to do what you're after. Built-in administrator accounts (Domain\Administrator and Machine\Administrator) always have full access, even if excluded from all Veeam B&R roles. This is done as a workaround for situations when all accounts are removed from the Veeam Backup Administrators role for some awkward reason.
foggy
Veeam Software
 
Posts: 15294
Liked: 1133 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Deny Access for Domain Admin

by larry » Fri Oct 21, 2016 3:40 pm (1 person likes this post)

Remove the domain admins from the server's local admin group; be careful that you have a server account to use to add them back if needed.
larry
Expert
 
Posts: 383
Liked: 90 times
Joined: Wed Mar 24, 2010 5:47 pm
Full Name: Larry Walker

Re: Deny Access for Domain Admin

by vota » Thu Oct 27, 2016 9:25 am

larry wrote: Remove the domain admins from the server's local admin group; be careful that you have a server account to use to add them back if needed.

As mentioned in my first post, I already tried this - without success...

foggy wrote: Well, looks like there's no ability to do what you're after. Built-in administrator accounts (Domain\Administrator and Machine\Administrator) always have full access, even if excluded from all Veeam B&R roles. This is done as a workaround for situations when all accounts are removed from the Veeam Backup Administrators role for some awkward reason.

Will there be a possibility in the future (e.g. 9.5)?
vota
Novice
 
Posts: 7
Liked: 1 time
Joined: Mon Nov 21, 2011 2:58 pm
Full Name: Stefan Vater

Re: Deny Access for Domain Admin

by foggy » Thu Oct 27, 2016 9:50 am

I don't think so, since this is a precautionary measure.
foggy
Veeam Software
 
Posts: 15294
Liked: 1133 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Deny Access for Domain Admin

by nmdange » Thu Oct 27, 2016 9:16 pm

Are you testing with the default Active Directory Administrator account (i.e. the account named "Administrator") or a new account that is in the Domain Admins group? I suspect the built-in Administrator account is different from a new account that is only in the Domain Admins group. As a security best practice, you should not be using the default Administrator account with Active Directory. You should create a separate domain admin account for each employee that needs domain admin privs and then reset the default Administrator account's password to something extremely long and complicated and never use the account again.
nmdange
Expert
 
Posts: 233
Liked: 60 times
Joined: Thu Aug 20, 2015 9:30 pm

Re: Deny Access for Domain Admin

by Mike Resseler » Fri Oct 28, 2016 5:33 am

I have to agree with nmdange. If you want something like this, you can't use the administrator account internally (the one that is actually named administrator). That account is always going to have rights on all domain servers (you would be able to override that with a deny through a GPO, but if you do... be very careful: I have been called into an environment where the ONLY administrator was denied access to ALL servers in the environment...).

When you are indeed working with a separate account, you can deny those specific domain admins access to a server and also deny access to B&R. But again, you will need to look at the GPO, because there is probably a rule in your environment that automatically adds the domain admins to the local administrator group.
Mike Resseler
Veeam Software
 
Posts: 3382
Liked: 384 times
Joined: Fri Feb 08, 2013 3:08 pm
Location: Belgium, the land of the fries, the beer, the chocolate and the diamonds...
Full Name: Mike Resseler
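
Added example, not part of any post in the thread: a PowerShell check for the two questions the last replies raise, namely whether the account under test is the built-in Administrator (RID 500) or an ordinary Domain Admins member, and whether Domain Admins is still in the backup server's local Administrators group. It assumes Windows PowerShell 5.1 or later run locally on the B&R server; the function name `Get-AdminAccountClass` is illustrative, and the thread does not say whether B&R identifies the built-in account by RID or by name.

```powershell
# Added example: classify admin accounts on the backup server by well-known RID.
function Get-AdminAccountClass {
    param([Parameter(Mandatory)][string]$Sid)
    # Machine and domain account SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
    # RID 500 = built-in Administrator (survives a rename), RID 512 = Domain Admins.
    switch -Regex ($Sid) {
        '^S-1-5-21-(\d+-){3}500$' { return 'BuiltInAdministrator' }
        '^S-1-5-21-(\d+-){3}512$' { return 'DomainAdminsGroup' }
        default                   { return 'Other' }
    }
}

# 1. Which kind of account is the current test logon?
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
[pscustomobject]@{
    Account = $me.Name
    Class   = Get-AdminAccountClass -Sid $me.User.Value
} | Format-List

# 2. Who is in local Administrators right now? Resolve the group by its
#    well-known SID (S-1-5-32-544) so localized group names do not matter.
try {
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
} catch {
    Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
    $members = @()
}

$report = foreach ($m in $members) {
    $class = Get-AdminAccountClass -Sid $m.SID.Value
    [pscustomobject]@{
        Name   = $m.Name
        Type   = $m.ObjectClass
        Source = $m.PrincipalSource
        Class  = $class
        Note   = switch ($class) {
            'BuiltInAdministrator' { 'Full B&R access regardless of roles (per the thread)' }
            'DomainAdminsGroup'    { 'Still present; look for a GPO that re-adds it' }
            default                { '' }
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

If `DomainAdminsGroup` reappears after being removed and a policy refresh, a Group Policy setting is re-adding it, which is the situation described in the last reply.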

