Discussions specific to the VMware vSphere hypervisor
KaptenP
Lurker
Posts: 2
Liked: never
Joined: Apr 28, 2022 2:03 pm
Full Name: Per Elander

Backup account permissions in AD for new accounts

Post by KaptenP »

Hello

One of our customers wishes to replace their existing Active Directory backup account to make the new accounts safer. I would like to verify if anyone uses the same settings and that the requested account settings will work fine.

There will be one backup account for the domain controllers with domain admin permissions and one account with admin rights for all other servers.
The customer wishes to have the following settings enabled for both accounts:
"This account is sensitive and cannot be delegated" and that they both belong to the global security group "Protected Users" in AD.

Will any of these settings cause issues for the new accounts we will create as the new backup accounts or work just fine?

Thanks in advance :)

Andreas Neufert
VP, Product Management
Posts: 5945
Liked: 1241 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany

Re: Backup account permissions in AD for new accounts

Post by Andreas Neufert »

For the
"This account is sensitive and cannot be delegated"
If you use the Veeam account for guest processing and enable this, I think there is no forwarding involved and it should work. Please test it.
If you use SQL/AD backups, test all needed restore methods as well, as there might be delegated authentication used (Veeam to Mount Server to the original VM). Potentially you can work around this, if it is not working, by using the B&R Server as mount server for this restore.

For Veeam's own internal communication I think you need to double check, but I think this is not the case here, as it would be bad practice to run the Veeam Infrastructure with the Admin account. Delegation is used there, for example, if you open the UI and we query our own SQL database.


Regarding "Protected Users" group.
I don't think that the guest processing can perform its duty without it. Protected Users processing does not allow service execution. But our guest processing temporarily implements a service to interact with the VSS framework. As well I would try it in a POC and see how it goes.
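
A check to run before the proof-of-concept tests suggested above, added here as an example (not from the original posts or from Veeam): it reports, for each backup account, whether "This account is sensitive and cannot be delegated" is set and whether the account is in Protected Users, so the test runs against accounts that really carry both settings. The account names are placeholders and the ActiveDirectory PowerShell module (RSAT) is assumed.

```powershell
# Added example: audit the two hardening settings on the new backup accounts.
# Assumption: the ActiveDirectory module (RSAT) is installed on this machine.
Import-Module ActiveDirectory

# Hypothetical account names; replace with the real backup accounts.
$backupAccounts = 'svc-backup-dc', 'svc-backup-srv'

# Resolve Protected Users by its well-known RID (525) so that a renamed or
# localized group name does not matter.
$domainSid      = (Get-ADDomain).DomainSID.Value
$protectedUsers = Get-ADGroup -Identity "$domainSid-525"

# -Recursive also catches accounts that are members through a nested group.
$protectedMembers = Get-ADGroupMember -Identity $protectedUsers -Recursive |
    ForEach-Object { $_.SID.Value }

foreach ($name in $backupAccounts) {
    # AccountNotDelegated is the property behind the
    # "This account is sensitive and cannot be delegated" checkbox.
    $user = Get-ADUser -Identity $name -Properties AccountNotDelegated

    [pscustomobject]@{
        Account                    = $user.SamAccountName
        SensitiveCannotBeDelegated = [bool]$user.AccountNotDelegated
        InProtectedUsers           = $protectedMembers -contains $user.SID.Value
    }
}
```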


Re: Backup account permissions in AD for new accounts

Post by Andreas Neufert »

There is a Veeam Hardening Guide; maybe you can find some alternatives there to increase security in your environment:
https://bp.veeam.com/vbr/Security/infra ... ening.html


Re: Backup account permissions in AD for new accounts

Post by KaptenP »

Thank you for the answers! :)
