Hello
One of our customers wishes to replace their existing Active Directory backup account to make the new accounts safer. I would like to verify if anyone uses the same settings and that the requested account settings will work fine.
There will be one backup account for the domain controllers with domain admin permissions and one account with admin rights for all other servers.
The customer wishes to have the following settings enabled for both accounts:
"This account is sensitive and cannot be delegated" and that they both belong to the global security group "Protected Users" in AD.
Will any of these settings cause issues for the new accounts we will create as the new backup accounts or work just fine?
Thanks in advance
-
- Novice
- Posts: 7
- Liked: never
- Joined: Apr 28, 2022 2:03 pm
- Full Name: Per Elander
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
Re: Backup account permissions in AD for new accounts
For the "This account is sensitive and cannot be delegated":
If you use the Veeam account for guest processing and enable this, I think there is no forwarding involved and it should work. Please test it.
If you use SQL/AD backups, also test all needed restore methods, as there might be delegated authentication used (Veeam to Mount Server to the original VM). If it is not working, you can potentially work around this by using the B&R Server as mount server for this restore.
For Veeam's own internal communication I think you need to double check, but I think this is not the case here, as it would be bad practice to run the Veeam Infrastructure with the Admin account. Delegation is used there, for example, if you open the UI and we query our own SQL database.
Regarding "Protected Users" group.
I don't think that the guest processing can perform its duty without it. Protected Users processing does not allow service execution. But our guest processing temporarily implements a service to interact with the VSS framework. As well I would try it in a POC and see how it goes.
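For the POC suggested above, one way to apply and verify the two settings on a test account before running backup and restore jobs with it. This is an added example, not part of the thread and not Veeam's own tooling; the account names are hypothetical placeholders, and it assumes the ActiveDirectory PowerShell module (RSAT) is available.

```powershell
# Added example. Account names below are hypothetical placeholders.
Import-Module ActiveDirectory

function Get-BackupAccountHardening {
    param([Parameter(Mandatory)][string[]]$SamAccountName)

    # Distinguished names of all (including nested) members of Protected Users
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty distinguishedName

    foreach ($name in $SamAccountName) {
        # AccountNotDelegated reflects "Account is sensitive and cannot be delegated"
        $u = Get-ADUser -Identity $name -Properties AccountNotDelegated
        [pscustomobject]@{
            Account        = $u.SamAccountName
            NotDelegated   = [bool]$u.AccountNotDelegated
            ProtectedUsers = $protected -contains $u.DistinguishedName
        }
    }
}

function Set-BackupAccountHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    if ($PSCmdlet.ShouldProcess($SamAccountName,
            'Set "cannot be delegated" and add to Protected Users')) {
        Set-ADAccountControl -Identity $SamAccountName -AccountNotDelegated $true
        Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
    }
}

# Preview the change on a POC account, apply it, then confirm both accounts.
Set-BackupAccountHardening -SamAccountName 'svc-backup-poc' -WhatIf
Set-BackupAccountHardening -SamAccountName 'svc-backup-poc'
Get-BackupAccountHardening -SamAccountName 'svc-backup-poc', 'svc-backup-dc' |
    Format-Table -AutoSize
```

Protected Users membership also blocks NTLM authentication and Kerberos delegation for the account, so run guest processing and every restore path from the reply above with the POC account after applying the change.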
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
Re: Backup account permissions in AD for new accounts
There is a Veeam Hardening Guide, maybe you find some alternatives there to increase security in your environment:
https://bp.veeam.com/vbr/Security/infra ... ening.html
-
- Novice
- Posts: 7
- Liked: never
- Joined: Apr 28, 2022 2:03 pm
- Full Name: Per Elander
Re: Backup account permissions in AD for new accounts
Thank you for the answers!