Operational Defect Database
BugZero found this defect 1062 days ago.
Data sources
All data on this page is proprietary to BugZero® or gathered from public sources
Veeam | kb4185
"Access is Denied." When Using a Local Account to Add a Windows Machine to Veeam Backup & Replication
Last update date:
6/22/2022
Affected products:
Veeam Backup & Replication
Veeam Agent for Microsoft Windows
Affected releases:
ALL
Fixed releases:
No fixed releases provided.
Description:
Challenge
While attempting to perform one of the following actions the error "Access is Denied." occurs: When attempting to add a Windows server to Veeam Backup & Replication using a Local Administrator account.
Cause
When a Windows Server is added as a Managed Server or added to a Protection Group, Veeam Backup & Replication checks if the Veeam Installer Service (VeeamDeploySvc) is present on the server. If the service is not accessible Veeam Backup & Replication will attempt to connect to the machine via the admin$ share to deploy the service. Example: \\localhost\admin$ The "Access is Denied" error occurs because the user account specified is a local account, and UAC restricts remote access for local accounts.
Solution
For Veeam Backup & Replication to add a remote Windows machine as a managed server or as part of a Protection Group, the user account used to connect to that remote machine must work with the UAC remote restrictions. The account must be either: A domain account that is a member of the Local Administrators group. The built-in account named Administrator.Note: The built-in Administrator account may fail if the "User Account Control: Admin Approval Mode for the Built-in Administrator account" policy is enabled on the remote machine. Use Case Examples: If the Windows machine being added to Veeam Backup & Replication is joined to a domain, a domain account that is a member of the Local Administrators group on the remote machine should be used to add the server to Veeam Backup & Replication. If the Windows server being added to Veeam Backup & Replication is not joined to a domain, or there is a need to avoid using a domain account, the built-in account named Administrator must be used to add the server to Veeam Backup & Replication. Other local accounts will be restricted by UAC, even if they are members of the Administrators group.Note: If the Administrator account has been renamed, it can be used as the unique SID that bypasses Remote UAC Restrictions is still valid. If the Windows machine being added to Veeam Backup & Replication is not joined to a domain and is not a server OS, the built-in Administrator account will have to be enabled and a password set for it. Then, that account should be used to add the machine to Veeam Backup & Replication.
More Information
If none of the provided solutions are viable, it is possible to disable UAC remote restrictions. This will allow local accounts other than Administrator to be used for remote access. This option should be considered a last resort as it involves disabling a Microsoft Windows OS security feature.
