My supervisor wants to block PC logon access for the Veeam service account with a GPO - but let the Veeam service account retain all other local admin privileges, so that the agents might still work. I would think the Veeam service account would still need logon access to get at the admin shares, so I am dubious this would work.
We could just test this, but would prefer not to do it in production environment.
I realize it may sound weird, but they just want to harden as much as possible.
Case #———— , though this is not really break/fix.
Thanks : )
-
- Expert
- Posts: 120
- Liked: 7 times
- Joined: Apr 08, 2022 4:08 pm
- Full Name: e
-
- Product Manager
- Posts: 9848
- Liked: 2607 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: while the veeam service account must have local admin permission - does it require local logon permission?
Hi
I removed the #number, it's a contract number and not a case number. Case numbers normally start with #05.
The service account must have local admin permission if you want to create backups with application aware processing. And local admin permissions are also required to access the admin share.
As an alternative, you can use Veeam Agent for Windows with a protection group of type "Computers with pre-installed agents" if you don't want to use any credentials inside Veeam. If you only have agent backups in your environment, this could be a solution.
Or use them only on critical systems from a security point of view.
Thanks
Fabian
Product Management Analyst @ Veeam Software
-
- Expert
- Posts: 120
- Liked: 7 times
- Joined: Apr 08, 2022 4:08 pm
- Full Name: e
Sorry about that, here is case # I believe - #05531030
Yes, local admin permissions are required to access the admin share, which I presume includes 'local logon'. This is why I asked; my supervisor believes that one should be able to exclude those two behaviors with policy, but I do not believe this is possible. (You can probably stop local logons, but I think that will also prevent logging onto the admin share).
I do appreciate the idea of trying to use only the preinstalled agents, thank you. But if I understand them correctly, the problem with 'computers with preinstalled agents' is that organization is more difficult than with agents pushed from Veeam itself; yes, you can put different preinstalled agents into different protection groups, but
a) those preinstalled agent protection groups can't mix with server-side pushed protection agent groups - and we've already deployed hundreds from the Veeam server itself.
b) I'm pretty sure that to separate the preinstalled agents into separate preinstalled agent protection groups, we would need a preinstalled agent package for each preinstalled agent-type protection group. Then we would have to use something like SCCM to push 'preinstalled agents for protection group A' as one package, and 'preinstalled agents for protection group B' as another. Otherwise they'll all be in the same 'computers with preinstalled agents' protection group. Seeing as how we've already got a bunch of protection groups pushed from the Veeam server itself, this would easily double all of them.
c) even if we did replace all the server-pushed agents entirely with preinstalled agents, I'm pretty sure they'd all need a brand new full run again. Plus the users would not be able to see their previous backup chains for restores.
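The distinction discussed in this thread, as an added example that is not part of any post and is not Veeam's code: Windows assigns local (interactive), Remote Desktop and network logon as separate user rights, each with its own deny counterpart, so a GPO can set one without the others. The PowerShell below reads a `secedit` user-rights export and reports which logon types an account keeps; the sample export, the SID ending in `-1601` and the function name `Get-LogonRightReport` are constructed for illustration, and whether Veeam jobs still run under a given combination has to be confirmed on a test machine.

```powershell
# Constructed sample of what `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# writes. The SID ending in -1601 is a placeholder for the backup service account.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1601
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1601
[Version]
signature="$CHICAGO$"
'@

function Get-LogonRightReport {
    param(
        [Parameter(Mandatory)][string]$InfText,
        # SIDs of the account and of every group it belongs to on that machine
        [Parameter(Mandatory)][string[]]$Principal
    )
    # Each logon type has its own allow right and its own deny right.
    $logonTypes = [ordered]@{
        'Local (console)'      = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight'
        'Remote Desktop'       = 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
        'Network (SMB shares)' = 'SeNetworkLogonRight', 'SeDenyNetworkLogonRight'
    }
    # Collect "Right = *SID,*SID" lines from the [Privilege Rights] section only.
    $rights = @{}
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = $Matches[1] -eq 'Privilege Rights'; continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    foreach ($type in $logonTypes.Keys) {
        $allow, $deny = $logonTypes[$type]
        $denied  = @($rights[$deny]  | Where-Object { $_ -in $Principal }).Count -gt 0
        $allowed = @($rights[$allow] | Where-Object { $_ -in $Principal }).Count -gt 0
        # A deny right overrides an allow right for the same logon type.
        $result = if ($denied) { 'Denied' } elseif ($allowed) { 'Allowed' } else { 'Not granted' }
        [pscustomobject]@{ LogonType = $type; Result = $result }
    }
}

$svc = 'S-1-5-21-1111111111-2222222222-3333333333-1601'   # placeholder account SID
Get-LogonRightReport -InfText $sampleInf -Principal $svc, 'S-1-5-32-544'
```

`S-1-5-32-544` is the built-in Administrators group, passed here because the account is a local admin and inherits that group's allow rights.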
-
- Enthusiast
- Posts: 37
- Liked: 1 time
- Joined: Apr 11, 2019 11:37 am
- Full Name: Dejan Ilic
On VeeamOn they announced support for Windows GMSA accounts in Veeam B&R v12 which might solve the problem.