Discussions specific to the VMware vSphere hypervisor
Post Reply
andreas2012
Veeam ProPartner
Posts: 58
Liked: 1 time
Joined: Jun 11, 2013 11:27 am
Full Name: Andreas
Contact:

Required Permissions

Post by andreas2012 » Sep 24, 2018 6:26 pm

Hi,

I have added our Veeam domain service account to "vSphere web client > Administration>Access Control>Roles>Administrator" is that enough when it comes to rights within VMware?
I guess I will be able to restore a virtual machine, but will I also be able to restore a file within the virtual machine (guest file restore) or do I have to add the Veeam service account to local administrator group on each VM?


Thanks for reply.

/R Andreas

Rick.Vanover
Veeam Software
Posts: 600
Liked: 127 times
Joined: Nov 30, 2010 3:19 pm
Full Name: Rick Vanover
Location: Columbus, Ohio USA
Contact:

Re: Required Permissions

Post by Rick.Vanover » Sep 24, 2018 6:54 pm

You may want to check this resource for the backups:
https://helpcenter.veeam.com/docs/backu ... tml?ver=95

For restores, you may want to explore the Restore Operator role - which has the users doing restores with zero permissions required on the B&R server, source system, vSphere environment and they cannot view the data: https://helpcenter.veeam.com/docs/backu ... tml?ver=95

andreas2012
Veeam ProPartner
Posts: 58
Liked: 1 time
Joined: Jun 11, 2013 11:27 am
Full Name: Andreas
Contact:

Re: Required Permissions

Post by andreas2012 » Sep 24, 2018 7:34 pm

Hi,

Thanks for good links, I have checked them out and have additional questions.
To me it seems like a good idea to add a Veeam Service account to the local administrator group on every machine in the domain, so it should not be necessary to have the service account domain admin. But then I guess I will have problem backing up domain controllers as they do not have local administrators group ??
As I can see from the documentation "Veeam Explorer for Microsoft Active Directory" requires "Administrative rights for the target Active Directory" and if I understand that line correct that means Domain admin ?

What do you guys do ?
What is the general configuration out there ?

In my environment there are several domain controllers and 600+ VM`s and 200+ physical servers

/Regards
Andreas

bdufour
Expert
Posts: 198
Liked: 29 times
Joined: Nov 01, 2017 8:52 pm
Full Name: blake dufour
Contact:

Re: Required Permissions

Post by bdufour » Sep 24, 2018 8:04 pm

you can add your service account to the administrators group within your domain to back up domain controllers. this is less privileged than your domain admins group.

also make this password 15+ to break old hashing algorithms like LM. 20+ wouldnt be a bad idea.

Rick.Vanover
Veeam Software
Posts: 600
Liked: 127 times
Joined: Nov 30, 2010 3:19 pm
Full Name: Rick Vanover
Location: Columbus, Ohio USA
Contact:

Re: Required Permissions

Post by Rick.Vanover » Sep 25, 2018 7:09 pm

Good suggestions @bdufour.

One suggestion is to have backup jobs explicitly for domain controller VMs or Physical Servers - and drop in explicit configuration/authentication as such.

I've seen some individuals actually chose the Veeam Agent for Windows to set an explicit account as such as well.

Post Reply

Who is online

Users browsing this forum: No registered users and 10 guests