VBR Console users and roles and job notifications



In the last few days I had an issue with job notifications not being sent from the VBR Console after modifying the users and roles within the console.

One of my clients demanded that access to the VBR console be restricted to some explicitly defined backup admins and no one else.

So, I removed the local Administrators group from the list in the users and roles and added the personalized accounts of the backup admins.

Fine, the backup admins can start the console and work with it, and all other accounts have no access…

The next morning the admins told me that no job notifications were sent in the night. :scream:

My first thought was that the colleagues responsible for the mail server and/or the firewalls had made some changes and now the backup server could not reach the mail server. But after checking with them, no changes had been made and there were no dropped mails at the mail server. So, it seems that the VEEAM server did not send anything at all…

I then saw that some mails from PowerShell scripts were sent in the night. Strange… :thinking:
I tried to send the test mail from the VBR console, and this worked, too. Even stranger… :thinking::thinking:

After some internet searching, I found that the local system account must have VEEAM Backup Admin rights for the notifications to work. OK… but how to add it to the users and roles? I don’t want to use the local Administrators group, so I have to add it explicitly to the list.

After trying quite a few combinations and names – all resulting in “Invalid user name” – I finally got to a solution. :grin:

It is named “NT Authority\SYSTEM”

Windows or VEEAM translates it into your local language after adding, so the list looks something like this at the end.

After this the notifications are sent again, and my access problem is solved.

I don’t know if this is a topic for you or if there is a simpler solution for it. But I found nothing in the documentation about this; there are some hints for the local system account only, but no example of how to add it.

Please let me know if I missed something or if I am completely wrong with this. :sunglasses:

 

Edit:
I see this applies up to V10 only.
In V11 no admin rights are necessary for the console and no local system account is needed in the VEEAM Backup Admin role.
Perhaps this helps some people still using V10 or older… :sunglasses:


4 comments


Joe, thanks for sharing! Very hot topic, when you want to harden your VBR as much as possible!


Interesting behavior; I wouldn't have suspected the local system account in this case. Thanks for sharing 👍


Hello @regnor ,
it is the local system account.
But you have to write SYSTEM instead of NT Authority\SYSTEM.

After the account is set the system translates it to NT Authority\SYSTEM… Sorry, I got the picture in German only. But I think the important parts are clear.

 


Interesting behavior; I wouldn't have suspected the local system account in this case. Thanks for sharing 👍


One addition - no VEEAM problem, but an action to remember in conjunction with the removal of the local administrators group from the users & roles list in VEEAM:

Double check the user your scripts are running with in the task planner.
You can use the local system account for this, too. In the task planner the name to use is SYSTEM.
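
An added example, not part of the thread: PowerShell that prints the localized display name of the local system account and the local Administrators group, then lists the account each non-Microsoft scheduled task runs as, so the run-as accounts can be compared with the users and roles list. It assumes Windows PowerShell 5.1 with the built-in ScheduledTasks module; the helper name `Resolve-RunAsSid` is hypothetical.

```powershell
# Well-known SIDs are identical on every Windows language version;
# only the display names are localized.
$wellKnown = [ordered]@{
    'S-1-5-18'     = 'Local system account'
    'S-1-5-32-544' = 'Local Administrators group'
}
foreach ($sidText in $wellKnown.Keys) {
    $sidObj = [System.Security.Principal.SecurityIdentifier]::new($sidText)
    $name   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    '{0,-28} {1,-14} {2}' -f $wellKnown[$sidText], $sidText, $name
}

# Hypothetical helper: turn a task's run-as name into a SID string so the
# comparison does not depend on the display language.
function Resolve-RunAsSid {
    param([string]$Account)
    if ([string]::IsNullOrWhiteSpace($Account)) { return $null }
    if ($Account -match '^S-1-') { return $Account }   # already a SID string
    try {
        $nt = [System.Security.Principal.NTAccount]::new($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null   # account was deleted or cannot be resolved
    }
}

# List every scheduled task outside \Microsoft\ with its run-as principal.
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $runAs = if ($_.Principal.UserId) { $_.Principal.UserId } else { $_.Principal.GroupId }
        $sid   = Resolve-RunAsSid $runAs
        [pscustomobject]@{
            Task        = $_.TaskPath + $_.TaskName
            RunAs       = $runAs
            Sid         = $sid
            LocalSystem = ($sid -eq 'S-1-5-18')
        }
    } |
    Sort-Object RunAs, Task |
    Format-Table -AutoSize
```

Tasks whose `Sid` column is empty run as an account that no longer resolves and are worth checking first.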
