gMSA & App aware processing permissions on AD's

[veehexx]

We're in the final stages of killing off our old/classic service account (user + no password expiry) that we implimented from day1 when purchasing veeam. 10-12years old! I'm aiming to move all our service accounts to gMSA's where possible.

For Veeam, we're at the final 2 servers now - AD's.

Since there is no local 'administrators' group, whats the recommended practice to add the gMSA to the "local administrators" group that's required for the app-aware processing function of backup jobs? While i understand there are other aspects to gMSA setup that would stop unauthorised use, adding to the 'domain admins' group just feels the wrong way to go about it.

[Mildur]

Hi veehexx

Domain admin permissions are required on a Domain Controller. This is a limitation from Microsoft.
If you find another way, please let us know.
As a workaround consider to use a Veeam Agent and the "pre-installed agent - protection group" for doing backups of your Domain Controller.

Best,
Fabian

[doktornotor]

BUILTIN\Administrators should work.

https://helpcenter.veeam.com/docs/backu ... ml?ver=120

[Mildur]

With this group on a domain controller, the user still has full permission over the entire active directory domain.

https://learn.microsoft.com/en-us/windo ... nistrators

Best,
Fabian