Least amount of svc acct privileges for backing up Win VM ?

[albertwt]

Hi All,

Due to PCI compliance reason, I'm no longer able to use DOMAIN\Administrator as the Veeam service account for Application aware backup.

Since I have about 150+ windows VM spread accross 34 backup job, what's the best practice to successfully backup all of those VMs with the new service account ?

Case # 01799483

[Vitaliy S.]

Hi Albert,

In order to use application-aware image processing (leverage VSS), local admin account is a must. If you cannot use it anymore, then you can try switching to VMware Tools Quiescence and write pre-freeze/post-thaw scripts for every application to have an application consistent backups.

Thanks!

[albertwt]

Vitaliy,

I get this error message when I'm trying to backup the Vm using the local administrator password on the VMs:

Unable to truncate Microsoft SQL Server transaction logs. Details: Failed to process 'TruncateSQLLog' command. Failed to logon user [localhost\Administrator] Win32 error:Logon failure: unknown user name or bad password. Code: 1326

[alanbolte]

Did you specify "localhost\Administrator" as the guest processing account? That will not work consistently. Try just "Administrator" (if all the local administrator passwords are the same), or specifying separate hostname\Administrator credentials for each VM.

That said, I think there's some confusion here. First there's the question of whether or not you need to use the named Administrator account. So far I've mostly seen this to be true with guests not accessible over the network (due to VIX limitations), and even then there seem to be exceptions. When connecting over the network, I have generally found it to be unnecessary; there seem to be some variations depending on particular GPOs, OS version, and whether or not the VM is part of a domain.

You do need to use an account with local administrator privileges. That doesn't mean the account has to be local, it can be domain, just so long as it has the rights of a local administrator (typically by adding it to the local Administrators group).

There are also permissions requirements for each supported application (MS SQL, Oracle, etc), but you can find those in the user guides.

[albertwt]

Alan,

Yes, that does make sense. sorry for the confusion. It was using DOMAIN\Administrator account, I tried to use the local administrator account that is already avaialble in all VMs but then it failed as I posted above.

I've added the dedicated service account DOMAIN\SVC-VBR to the local administrators group, now it works as normal.

So I guess i must manually login and add this DOMAIN\SVC-VBR account to all VMs manually.

[alanbolte]

150+ VMs? Sounds like a job for Powershell. I bet you can find a script on Technet or something.

[albertwt]

yeah, that's the thing
At least I know exactly that it must be in the Local Administrator group for each of the VMs not even the Backup Operator group can make it work

[alanbolte]

That's because you're installing and deleting services, among other things. Backup Operators are merely able to create shadow copies and do file-level backups.