Loading...
Loading...
While attempting to perform one of the following actions the error "Access is Denied." occurs: When attempting to add a Windows server to Veeam Backup & Replication using a Local Administrator account. Access is denied. Failed to connect to share '\\{hostname-ip}\ADMIN$'
When a Windows Server is added as a Managed Server or added to a Protection Group and configured to use credentials-based authentication, Veeam Backup & Replication checks if the Veeam Installer Service (VeeamDeploySvc) is present on the server. If the service is not accessible, Veeam Backup & Replication will attempt to connect to the machine via the admin$ share to deploy the service. Example: \\localhost\admin$ The "Access is Denied" error occurs because the user account specified is a local account, and UAC restricts remote access for local accounts.
When attempting to add a remote Windows machine as a managed server or as part of a Protection Group using credentials-based authentication, the user account used to connect to that remote machine must work with the UAC remote restrictions. That account must be either: A domain account that is a member of the Local Administrators group. The built-in account named Administrator. Note: The built-in Administrator account may fail if the "User Account Control: Admin Approval Mode for the Built-in Administrator account" policy is enabled on the remote machine. Alternate Option As an alternative to adding the Windows server to Veeam Backup & Replication using credentials-based authentication, the new Veeam Deployment Kit can be installed on the Windows machine before adding it to Veeam Backup & Replication. This will allow you to select the "Connect using certificate-based authentication" option, eliminating the need to provide credentials to Veeam Backup & Replication to establish a connection to the remote machine. Use Case Examples when Using Credentials-based Authentication If the Windows machine being added to Veeam Backup & Replication is joined to a domain, a domain account that is a member of the Local Administrators group on the remote machine should be used to add the server to Veeam Backup & Replication. If the Windows server being added to Veeam Backup & Replication is not joined to a domain, or there is a need to avoid using a domain account, the built-in account named Administrator is the only account that can be used to add the server to Veeam Backup & Replication remotely. Other local accounts will be restricted by UAC, even if they are members of the Administrators group.Note: If the Administrator account has been renamed, it can be used as the unique SID that bypasses Remote UAC Restrictions is still valid. If the Windows machine being added to Veeam Backup & Replication is not joined to a domain and is not a server OS, the built-in Administrator account will have to be enabled and a password set for it. Then, that account should be used to add the machine to Veeam Backup & Replication.
If none of the provided solutions are viable, it is possible to disable UAC remote restrictions. This will allow local accounts other than Administrator to be used for remote access. This option should be considered a last resort as it involves disabling a Microsoft Windows OS security feature. We highly recommend simply using the Veeam Deployment Kit instead of disabling UAC remote restrictions.
Click on a version to see all relevant bugs
Veeam Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.