Host-based backup of VMware vSphere VMs.
mbishop
Lurker
Posts: 2
Liked: never
Joined: Aug 10, 2022 4:26 pm
Full Name: Mike Bishop

Use multiple service accounts

Post by mbishop »

I'd like to know if it's possible to use different service accounts for different backup jobs if not using application aware processing or guest file indexing. I can create another account to use with Veeam but can't see how to assign it to the job.

I'm working toward backing up with a new service account that is not a member of the domain admins group but is instead a member of the local admins group on each server and want to do this to switch over gradually.
Mildur
Product Manager
Posts: 8678
Liked: 2275 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Use multiple service accounts

Post by Mildur »

Hi Mike

These service accounts are only used for application aware processing. Without AAIP or indexing, you don't need to assign any credentials.

With the button "credentials" in the guest processing step, you can assign guest credentials per machine.

Thanks
Fabian
Product Management Analyst @ Veeam Software

Re: Use multiple service accounts

Post by mbishop »

Thanks Fabian.

From what I saw, the Credential button is only available if one of the options on that page is enabled (selected). If no service accounts are being used, how does Veeam authenticate to the server when not using the Veeam agent?

I just inherited the Veeam system where I work recently and was told that the active directory (AD) Veeam service account currently being used for authentication is a member of the domain admins group and that account is used for authentication. I've been tasked with finding a way to back up without the service account being in the domain admins group.

I've created a second AD account without domain admin access and have added it to the local administrators group on a server as a test, but feel that it will use the account initially created that has domain admin access. I think I'm missing information or don't understand this as I thought I did.

Does Veeam use the one service account to connect to the vCenter server then access the servers? If so it would seem like the only way I can switch to a non-domain admin service account would be to add the non-domain admin service account to the local administrators group on each server then change the account used for Veeam to connect to the vCenter server (or stand up a new implementation of Veeam using the new account), is this correct?

Mike

Re: Use multiple service accounts

Post by Mildur »

If we are talking about VM backups with Guest Application Aware Processing disabled, Veeam doesn't have to talk to the operating system inside the VM. You disabled that process.
But our recommendation is to use Guest Processing when possible. You will lose a few features if not, like database log truncation or direct item-level restore from the Veeam console.

> I just inherited the Veeam system where I work recently and was told that the active directory (AD) Veeam service account currently being used for authentication is a member of the domain admins group and that account is used for authentication. I've been tasked with finding a way to back up without the service account being in the domain admins group.

Veeam V12 will bring gMSA support. That could be an option to have more security with Veeam Backup & Replication. You don't require accounts with domain admin permission if you configure gMSA support after the V12 update.

> Does Veeam use the one service account to connect to the vCenter server then access the servers?

Veeam uses the credentials you have configured in the add VMware wizard to communicate with the vCenter environment: https://helpcenter.veeam.com/docs/backu ... ml?ver=110
You can create a local user on your vCenter with the least permission required to do the backups and restores:
https://helpcenter.veeam.com/docs/backu ... ml?ver=110
Product Management Analyst @ Veeam Software
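
A read-only check for the gradual switch discussed in this thread, added here as an example and not posted by either participant or taken from Veeam documentation: it reports whether each account is in Domain Admins or the domain's built-in Administrators group (directly or through nesting), and whether the replacement account is a direct member of local Administrators on each server. The account and server names are hypothetical placeholders; it assumes the RSAT ActiveDirectory module and PowerShell remoting to the servers.

```powershell
# Added example. Account and server names are hypothetical placeholders.
# Read-only: nothing here changes group membership.
Import-Module ActiveDirectory   # assumes the RSAT AD module is installed

$OldAccount = 'svc-veeam'                 # hypothetical: current Domain Admins member
$NewAccount = 'svc-veeam-guest'           # hypothetical: replacement account
$Servers    = 'app01', 'sql01', 'file01'  # hypothetical: servers being switched over

$domain = Get-ADDomain
# Well-known SIDs avoid depending on localized group names.
$privileged = [ordered]@{
    'Domain Admins'           = "$($domain.DomainSID.Value)-512"
    'Administrators (domain)' = 'S-1-5-32-544'
}

# 1. Is either account in a privileged domain group, directly or via nesting?
$domainReport = foreach ($acct in $OldAccount, $NewAccount) {
    $sid = (Get-ADUser -Identity $acct).SID.Value
    foreach ($name in $privileged.Keys) {
        $members = Get-ADGroupMember -Identity $privileged[$name] -Recursive
        [pscustomobject]@{
            Account = $acct
            Group   = $name
            Member  = [bool]($members | Where-Object { $_.SID.Value -eq $sid })
        }
    }
}
$domainReport | Format-Table -AutoSize

# 2. Is the replacement account a direct member of local Administrators on
#    each server? Membership through a domain group shows up as that group.
$target = "$($domain.NetBIOSName)\$NewAccount"
$localReport = Invoke-Command -ComputerName $Servers -ArgumentList $target `
    -ErrorAction SilentlyContinue -ErrorVariable unreachable -ScriptBlock {
        param($Target)
        $admins = Get-LocalGroupMember -SID 'S-1-5-32-544'
        [pscustomobject]@{
            DirectLocalAdmin = [bool]($admins | Where-Object Name -eq $Target)
            DomainMembers    = ($admins |
                Where-Object PrincipalSource -eq 'ActiveDirectory').Name -join ', '
        }
    }
$localReport | Format-Table PSComputerName, DirectLocalAdmin, DomainMembers -AutoSize
$unreachable | ForEach-Object { Write-Warning "Not checked: $_" }
```

On domain-joined servers the Domain Admins group is normally itself a member of local Administrators, so it will usually appear in the DomainMembers column alongside the replacement account.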