chrisBrindley
Enthusiast
Posts: 43
Liked: 3 times
Joined: Aug 21, 2013 1:15 pm

Veeam Indexing account

Post by chrisBrindley »

Quick backstory, get comfy.
I work for a hosting company and we have a contract signed by audit companies that we limit any admin accounts on our customer servers. What we have done is write a custom script that adds an admin account and randomizes the password every 12 hours on every VM, so if we need access we go to a portal page and request an account and password that only has a short life. All our customer servers are in their own VLANs and domains, so a unique domain service account is not an option, plus having an admin account on all our customer servers with the same password is a major violation of our contract.

A big reason to go to Veeam is the capabilities of a customer-facing portal that will allow them to do their own restores. I was really excited until I learned that to index a file system for file restores through Enterprise Manager requires an account on every VM. This account needs local admin rights so it can access the admin$ share and then install a temporary service. Because our account is unique to every VM, it would be a nightmare to go into the jobs and add customer passwords for every VM, and we are getting close to 1000 of them, plus the passwords change every 12 hours, so this option is a no go.

So I have been working my way through the issues to see if it's possible to add a service account and give it backup operator rights. I have modified the registry to allow non-administrative accounts access to this share. This is not really a security risk to us, as every customer has isolated VLANs and Cisco and FortiGate VPNs between them.

The job now fails on SCM access, error 5 win32. This is because the account needs access to query and install the service. I followed a Microsoft workaround that allows a non-administrative account access to SCM, but I do not know what the install package is doing. This is a quote from a workaround:

You’ll need to run specific 'sc sdset' commands against particular services, or use subinacl to change all services with one command.



This is a major deal for us and this could end Veeam at our company, as EMC Avamar have told us they do not have this issue.

So the questions are:
1: Why does the enterprise management console make it possible to browse through the files without an account on the servers? I know you need one to do the in-place restore, but at least we can look at the files. In the Veeam portal, file restores do not show up at all.

2: In the future, is it possible just to install this temporary Veeam agent permanently on the servers?

3: Has anyone seen this issue and figured out a workaround?
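The SCM workaround mentioned in the post above rewrites a security descriptor with `sc sdset`, so it is worth checking what the resulting descriptor actually grants. The following is an added example, not part of the original post and not Microsoft or Veeam code: it parses the DACL printed by `sc sdshow scmanager` and lists non-administrative trustees that could install services or rewrite the descriptor. The sample SDDL string and the choice of "expected" trustees are assumptions made for illustration.

```python
import re

# SDDL two-letter rights -> access-mask bits (standard SDDL encoding).
SDDL_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
             "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
             "WD": 0x40000, "WO": 0x80000, "KA": 0xF003F, "GA": 0x10000000}

# Meaning of those bits on the SCM object itself (winsvc.h / winnt.h names).
SCM_RIGHTS = {0x1: "SC_MANAGER_CONNECT", 0x2: "SC_MANAGER_CREATE_SERVICE",
              0x4: "SC_MANAGER_ENUMERATE_SERVICE", 0x8: "SC_MANAGER_LOCK",
              0x10: "SC_MANAGER_QUERY_LOCK_STATUS",
              0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG", 0x10000: "DELETE",
              0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
              0x80000: "WRITE_OWNER", 0x10000000: "GENERIC_ALL"}

# Rights that let a principal install a service or rewrite the descriptor.
DANGEROUS = 0x2 | 0x40000 | 0x80000 | 0x10000000
EXPECTED_ADMINS = {"BA", "SY"}  # assumption: only Administrators and SYSTEM

# Constructed sample (not captured from a real host): Backup Operators (BO)
# has been given CC, DC, LC, RP and RC on the SCM.
SAMPLE = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;KA;;;BA)"
          "(A;;CCDCLCRPRC;;;BO)S:(AU;FA;KA;;;WD)")

def rights_to_mask(rights):
    """Turn an SDDL rights field ('CCLCRP' or '0x...') into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return sum(SDDL_BITS[c] for c in set(codes))  # KeyError on unknown code

def dacl_aces(sddl):
    """Yield (ace_type, mask, trustee) for every ACE in the D: section."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop the SACL
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inh, trustee = body.split(";")[:6]
        yield ace_type, rights_to_mask(rights), trustee

def risky_scm_aces(sddl):
    """Allow-ACEs giving DANGEROUS rights to anyone outside EXPECTED_ADMINS."""
    findings = []
    for ace_type, mask, trustee in dacl_aces(sddl):
        if ace_type == "A" and mask & DANGEROUS and trustee not in EXPECTED_ADMINS:
            names = sorted(n for b, n in SCM_RIGHTS.items() if mask & b & DANGEROUS)
            findings.append((trustee, names))
    return findings

if __name__ == "__main__":
    for trustee, names in risky_scm_aces(SAMPLE):
        print(trustee, "can:", ", ".join(names))
```

A trustee holding SC_MANAGER_CREATE_SERVICE can register a service that runs as LocalSystem, so that right is effectively equivalent to local administrator.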
Dima P.
Product Manager
Posts: 14415
Liked: 1576 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Veeam Indexing account

Post by Dima P. »

Hello Chris,

From the top of my head I would try to extend the backup operators group service account permissions to the Full Access on all service actions - and check if that works. Here is the example for Windows 2003

Could you please share the Microsoft workaround for SCM access you found? Thank you.
veremin
Product Manager
Posts: 20284
Liked: 2258 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Veeam Indexing account

Post by veremin »

I’m also wondering whether the password portal can be reached via PowerShell or something similar. If so, it might be possible to create a PS script that will request a valid password from the said portal, then update the VM indexing settings in accordance with it, and finally start the given backup jobs.

Thanks.
chrisBrindley
Enthusiast
Posts: 43
Liked: 3 times
Joined: Aug 21, 2013 1:15 pm

Re: Veeam Indexing account

Post by chrisBrindley »

I have been looking through the process and I have figured out that once the job starts running it connects to the Admin$ share and creates a directory called Veeamvsssupport. In this directory is the executable for the temporary service. The service then gets installed by configuration files in this directory and started.
Once indexing is finished, the service is stopped and deleted, and then the directory is removed.

So all I need is to have this directory permanently there and the service installed permanently. That way the account added to the job really only needs rights to read from the index directory in the folder above.

Anyone from Veeam willing to help?
Vitaliy S.
VP, Product Management
Posts: 27114
Liked: 2720 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Veeam Indexing account

Post by Vitaliy S. »

Chris, not sure there is a way to have this service installed on a permanent basis, but there were a couple of similar requests before.