poulpreben.com

Local service account for Veeam components

As part of infrastructure hardening, I try to always exclude backup repositories from the domain, and only utilize local service accounts for interaction with services.

During installation of the Veeam Deployment Service, the binaries are pushed through the ADMIN$ share on the target machine. By default, this share cannot be accessed with a local administrator account, because Remote UAC is enabled and gives remote logons by local accounts a filtered, non-elevated token. This means the installation will fail unless you use the real Administrator (SID 500) account.

When adding the Windows server to the infrastructure, you will receive the following error message:

[my.repository.fqdn] Failed to install deployment service.
The Network path was not found
--tr: Failed to create persistent connection to ADMIN$ shared folder on host [my.repository.fqdn].
--tr: Failed to install service [VeeamDeploymentService] was not installed on the host [my.repository.fqdn].

Resolution

Create the following registry key:

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Key: LocalAccountTokenFilterPolicy
  • Type: DWORD
  • Value: 1

Now you should be able to add the Windows server using a custom local service account. A reboot was not required on my Windows Server 2016 server.
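
The registry change above can be scripted so that the previous state is recorded and ADMIN$ access is verified before retrying the add-server step. This is an added example, not part of the original post; it also makes visible that the value applies to every local account in the Administrators group on that machine, not only the service account. The function names and the drive name VeeamChk are hypothetical.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# The Get-/Set- functions run in an elevated session on the repository server.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacFilterState {
    # 'NotSet' or 0: remote logons by local admins receive a filtered token.
    # 1: Remote UAC filtering is off for all local administrator accounts.
    $item = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    return [int]$item.$PolicyName
}

function Set-RemoteUacFilterState {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    $before = Get-RemoteUacFilterState
    # -Force overwrites the value if it already exists.
    New-ItemProperty -Path $PolicyPath -Name $PolicyName `
        -PropertyType DWord -Value $Value -Force | Out-Null
    # Return both states so the change can be logged or reverted later.
    [pscustomobject]@{ Before = $before; After = Get-RemoteUacFilterState }
}

function Test-AdminShare {
    # Run from the Veeam server: confirms the local service account can
    # reach ADMIN$ on the repository before retrying the installation.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $drive = $null
    try {
        $drive = New-PSDrive -Name VeeamChk -PSProvider FileSystem `
            -Root "\\$ComputerName\ADMIN`$" -Credential $Credential -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "ADMIN`$ not reachable: $($_.Exception.Message)"
        return $false
    } finally {
        if ($drive) { Remove-PSDrive -Name VeeamChk }
    }
}

# Usage (constructed values):
#   Set-RemoteUacFilterState -Value 1                      # on the repository
#   Test-AdminShare -ComputerName 'my.repository.fqdn' `
#       -Credential (Get-Credential 'my.repository.fqdn\svc-veeam')   # on the Veeam server
```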