Hey everyone,
I'd like to propose a feature request/change request.
It should be possible to add backup infrastructure components using a dedicated user account on the target system without needing to disable UAC. While the built-in administrator account works seamlessly due to its exception status, dedicated accounts with sufficient permissions fail unless UAC is disabled via the LocalAccountTokenFilterPolicy registry entry. This limitation arises because administrative shares remain inaccessible for such accounts, preventing VBR from pushing software to the system.
I prefer using dedicated accounts, as they are independent of the built-in administrator account, whose password should rotate regularly. In many cases, administrators forget that the password is linked to VBR, leading to failed backup jobs. Moreover, disabling essential security features to accommodate this setup is not an ideal solution.
Has anyone found a workaround, or would this be a viable feature enhancement for VBR?
Thanks,
Chris
-
- Service Provider
- Posts: 73
- Liked: 8 times
- Joined: Oct 15, 2019 7:51 am
-
- Service Provider
- Posts: 14
- Liked: 1 time
- Joined: Dec 01, 2021 1:52 pm
- Full Name: Tommy O'Shea
Re: [FR] Use of dedicated accounts without disabling UAC on the target system
I've never had to disable UAC to add servers as backup infrastructure. The only requirement is that the user you use must be a member of the Local Administrators group. The group member can either be a local user or a domain user.
Use the MACHINE\USER format for local accounts or DOMAIN\USER format for domain accounts.
See this page for reference: https://helpcenter.veeam.com/docs/backu ... 120#rphost
Tommy O’Shea, VMCE, VMCE-SP, VMCA
-
- VP, Product Management
- Posts: 7233
- Liked: 1551 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
Re: [FR] Use of dedicated accounts without disabling UAC on the target system
I think in many cases the username format usage is key here as Tommy stated.
-
- Service Provider
- Posts: 73
- Liked: 8 times
- Joined: Oct 15, 2019 7:51 am
Re: [FR] Use of dedicated accounts without disabling UAC on the target system
Hey everyone,
that's not correct.
Let's imagine that you have a fresh install of a Windows server, which should be added as a managed server to VBR. Using the built-in administrator in the HOSTNAME\USER format, everything works fine without any changes to the target system.
If you use a dedicated user added to the local administrators group to add this server, you get an error message that ADMIN$ isn't available. After adding the reg key LocalAccountTokenFilterPolicy = 1, it also works with the dedicated user.
But this disables the UAC completely, which is a security concern in my eyes.
Greetings,
Chris
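The setting discussed in this thread can be audited on a target server with a short check. This is an added example, not part of the original posts and not Veeam tooling; `Get-RemoteUacFilterState` is a hypothetical helper name, and the built-in Administrator (RID 500) is assumed to be exempt from filtering as the thread describes.

```powershell
# Added example: report which local admin accounts get a filtered token on
# remote (network) logon, which is what makes ADMIN$ unavailable to them.
# Get-RemoteUacFilterState is a hypothetical name. Windows PowerShell 5.1+.
function Get-RemoteUacFilterState {
    [CmdletBinding()]
    param()

    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    # An absent LocalAccountTokenFilterPolicy value behaves like 0 (filtering on).
    $latfp = 0
    if ($props.PSObject.Properties['LocalAccountTokenFilterPolicy']) {
        $latfp = [int]$props.LocalAccountTokenFilterPolicy
    }

    # EnableLUA = 0 turns UAC off as a whole; absent is treated as the default (on).
    $uacOn = $true
    if ($props.PSObject.Properties['EnableLUA']) {
        $uacOn = ([int]$props.EnableLUA -ne 0)
    }

    # Local user accounts in the built-in Administrators group (well-known SID).
    # Domain accounts are skipped: remote token filtering applies to local accounts.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        ForEach-Object {
            # Assumption: default policy, built-in Administrator (RID 500) is exempt.
            $isRid500 = $_.SID.Value -match '-500$'
            [pscustomobject]@{
                Account                       = $_.Name
                BuiltInAdministrator          = $isRid500
                EnableLUA                     = $uacOn
                LocalAccountTokenFilterPolicy = $latfp
                RemoteTokenFiltered           = $uacOn -and ($latfp -ne 1) -and (-not $isRid500)
            }
        }
}

Get-RemoteUacFilterState | Format-Table -AutoSize
```

A `LocalAccountTokenFilterPolicy` of 1 in the output applies to every local administrator account on that host, not only the account used for the backup product.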