Host-based backup of VMware vSphere VMs.
Post Reply
chjones
Expert
Posts: 117
Liked: 31 times
Joined: Oct 30, 2012 7:53 pm
Full Name: Chris Jones
Contact:

Application Aware via VIX with UAC + Microsoft LAPS

Post by chjones »

Hi all,

We use Application Aware Processing wherever possible. We have many networks that are firewalled and rely on VIX integration to perform this for us. We are required to adhere to Defence Security Guidelines with regard to locking down our Windows Servers. Part of this requires us to enable UAC on all servers and to also regularly change the local administrator account password.

In the past this wasn't a big issue as we could use Group Policy to change the password for the administrator account on all servers and then update the account in the Veeam Console and it would take affect on all jobs.

Microsoft have since disabled the ability to control user account passwords via Group Policy as there was a security flaw with the method. They have since released the Local Administrator Password Solution, LAPS. This has a plugin on every server that is instructed by a GPO to change the password for the local administrator account to a randomly generated value after a certain number of days. The new password is then written a new attribute on the server's computer object in Active Directory, which is only viewable to Domain Admins. Every server has a different password. This solution works really well, however, it causes issues with VIX Integration for AAIP as every server has a different administrator password.

Just wondering if anyone has any solutions they've come up with for this?

The simplest solution I can think of is to not use LAPS and use powershell scripts to change the password on every server to the same one every x number of days and then we continue to manually update Veeam. Is this the only option?

Thanks.
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Application Aware via VIX with UAC + Microsoft LAPS

Post by Dima P. »

Hi Chris,

I might be wrong but PowerShell is the only way to automate the password reset for guest processing in conjunction with LAPS. It should be possible to get a password for every client computer you want to backup (google gave me this example, end of the blog post) and then set password via PS to guest processing options in the job.
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Application Aware via VIX with UAC + Microsoft LAPS

Post by foggy »

Hi Chris, not sure whether it is applicable in your environment, but take a look at the guest interaction proxies, they would allow to get rid of using built-in administrator account for application-aware processing.
chjones
Expert
Posts: 117
Liked: 31 times
Joined: Oct 30, 2012 7:53 pm
Full Name: Chris Jones
Contact:

Re: Application Aware via VIX with UAC + Microsoft LAPS

Post by chjones »

Thanks for the responses.

Wouldn't specifying guest interaction proxies still have the same limitations caused by UAC being enabled? Or are you saying if we ensure the interaction proxy has network access to the Virtual Machine, then it doesnt have to use VIX and therefore won't have the UAC issues?
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Application Aware via VIX with UAC + Microsoft LAPS

Post by Mike Resseler »

Chris,

Correct, that is indeed what foggy is saying.
Seb.pythoud
Service Provider
Posts: 13
Liked: never
Joined: Dec 19, 2017 7:48 pm
Full Name: S.Pythoud
Location: Switzerland
Contact:

Re: Application Aware via VIX with UAC + Microsoft LAPS

Post by Seb.pythoud »

foggy wrote: Jan 03, 2017 3:10 pm Hi Chris, not sure whether it is applicable in your environment, but take a look at the guest interaction proxies, they would allow to get rid of using built-in administrator account for application-aware processing.
Hi,
i'm not sure to really understand : you are saying that using guest interaction proxy within the same network as vm to be backed up would allow to keep UAC enable AND avoid the usage of built-in administrator ?
This KB is telling the other way (see more information, at the bottom) :

https://www.veeam.com/kb1788

Thx.
Seb
Andreas Neufert
VP, Product Management
Posts: 6707
Liked: 1401 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: Application Aware via VIX with UAC + Microsoft LAPS

Post by Andreas Neufert »

No the idea is to place the guest interaction proxies in the VM networks and then use the network based processing instead of VIX. Then you could avoid to disable VIX or usage of the Administrator (written like that) account.
Seb.pythoud
Service Provider
Posts: 13
Liked: never
Joined: Dec 19, 2017 7:48 pm
Full Name: S.Pythoud
Location: Switzerland
Contact:

Re: Application Aware via VIX with UAC + Microsoft LAPS

Post by Seb.pythoud »

The kb, is clearly saying that with UAC enabled, you'll need to use built-in administrator account (SID-500), whether the GIP is in the same network or not. Is this correct ?
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Application Aware via VIX with UAC + Microsoft LAPS

Post by foggy »

Disabling UAC or using built-in account is a VIX-specific requirement. Probably KB needs clarification.
Andreas Neufert
VP, Product Management
Posts: 6707
Liked: 1401 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: Application Aware via VIX with UAC + Microsoft LAPS

Post by Andreas Neufert »

This one should explain all the current options:
https://www.veeambp.com/job_configurati ... ng-options
skrause
Veteran
Posts: 487
Liked: 105 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause
Contact:

Re: Application Aware via VIX with UAC + Microsoft LAPS

Post by skrause »

I can confirm that using Interaction proxies with network access to the machines (need SMB and RPC ports open on Windows firewall) works with an AD account on machines with UAC enabled.

We had intermittent issues with VIX even before we turned UAC on for all our servers and this solved both problems.
Steve Krause
Veeam Certified Architect
Post Reply

Who is online

Users browsing this forum: jsvr, Semrush [Bot] and 78 guests