VIX Guest interaction - permissions?

[mma]

Hello Veeam

Our physical Veeam B&R Server (which is also proxy and guest interaction proxy) is in an private VLAN. Guest interaction over RPC is not possible, so we have to use VIX.
As we need to have UAC enabled, we have to use domain\administrator for the guest interaction. Not a big problem, but we have to harden our domain admin accounts.
Guest interaction proxies are no solution as we have dozens of guest VM VLANs. Additionally any communication between backup VLAN and guest VLANs is a no go.

There is a nice little guide from Microsoft “Securing Built-In Administrator Accounts on Active Directory”
https://technet.microsoft.com/en-us/win ... 2147217396

We set the following options for domain\administrator:

• Account is sensitive and cannot be delegated
  
  GPO "Security - domain\administrator hardening"
  Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies
  Deny log on through Remote Desktop Services
  Deny log on as a service
  Deny log on as a batch job
  Deny access to this computer from the network

The result is a secure administrator account, but no more guest interaction….
Is there a list of minimum permissions for VIX guest interaction?

Thanks
Marcel

[foggy]

Hi Marcel, I don't think we have such a granular permissions list. Have you tried backing up using such somewhat restricted administrator account or just curious whether it should work?

[mma]

Hi foggy

Guest interaction is no longer possible with those setting.
Will do some try and error and let you know.

Regards
Marcel

[foggy]

Thanks, will appreciate sharing your findings.

[mma]

So, the show stopper is the "Deny access to this computer from the network" option.
The other settings have no influence on guest interaction.

Regards
Marcel