Help Center
Choose product document...
Veeam Backup & Replication 9.5 Update 4
User Guide for Microsoft Hyper-V

Required Permissions

The accounts used for installing and using Veeam Backup & Replication must have the following permissions:

Account

Required Permission

Setup Account

The account used for product installation must have the local Administrator permissions on the target machine.

Veeam Backup & Replication Console Permissions

The account used to start the Veeam Backup & Replication console must have the local Administrator permissions on the machine where the console is installed.

To perform file-level restore for Microsoft Windows VMs, the account must have the following permissions and privileges:

  • Local Administrator permissions to start the Veeam Backup & Replication console
  • SeBackupPrivilege and SeRestorePrivilege to connect to the Veeam backup server and start the restore process

In most environments, SeBackupPrivilege and SeRestorePrivilege are assigned to user accounts added to the Administrators group. For more information, see Microsoft Docs.

Accounts that are members of the Protected Users Active Directory group cannot be used to access the backup server remotely over the Veeam Backup & Replication console. For more information, see Microsoft Docs.

Veeam Backup Service Account

The account used to run the Veeam Backup Service must be a local System account or must have the local Administrator permissions on the backup server.

Target/Source Host Permissions

Local Administrator permissions on the source Microsoft Hyper-V server.

Root or equivalent permissions on the Linux backup repository.

Write permission on the target folder and share.

Microsoft SQL Server

You require different sets of Microsoft SQL permissions in the following cases:

  • Installation (remote or local): current account needs CREATE ANY DATABASE permission on the SQL server level. After database creation this account automatically gets a db_owner role and can perform all operations with the database. If the current account does not have this permission, a Database Administrator may create an empty database in advance and grant the db_owner role to the account that will be used for installing Veeam Backup & Replication.
  • Upgrade: current account should have sufficient permissions for that database. To grant these permissions through role assignment, it is recommended that you use the account with db_owner role.
  • Operation: the account used to run Veeam Backup Service requires db_datareader and db_datawriter roles as well as permissions to execute stored procedures for the configuration database on the Microsoft SQL Server. Alternatively, you can assign db_owner role for this database to the service account.

Veeam Backup Enterprise Manager

Local Administrator permissions on the Veeam Backup Enterprise Manager server to install Veeam Backup Enterprise Manager.

To be able to work with Veeam Backup Enterprise Manager, users must be assigned the Portal Administrator, Restore Operator or Portal User role. For more information, see the Required Permissions section in the Enterprise Manager User Guide.

Guest OS Processing

The account used for guest processing of VMs that run VSS-aware applications must have the following user rights assigned:

  • Logon as a batch job granted
  • Deny logon as a batch job not set

Microsoft SQL Server:
Transaction Logs Backup and
Application-Aware Processing

The user account that you specify for guest processing of a Microsoft SQL Server VM in a backup job must have the following permissions and privileges:

  • administrator privileges on the target VM
  • sysadmin permissions on the target Microsoft SQL Server

If you need to provide minimal permissions on the target Microsoft SQL Server, the account must be assigned the following roles and permissions:

  • SQL Server instance-level role: public.
  • Database-level roles:db_backupoperator, db_denydatareader, public; for system databases (master, model, msdb) — db_backupoperator, db_datareader, public; for system database (msdb) — db_datawriter.
  • Securables: view any definition, view server state.

Veeam Explorer for Microsoft Active Directory

See the Required Permissions section in the Veeam Explorers User Guide.

Veeam Explorer for Microsoft Exchange

Full access to Microsoft Exchange database and its log files for item recovery. The account that you plan to use for recovery must have both read and write permissions to all files in the folder with the database.

Access rights can be provided through impersonation as described in the Configuring Exchange Impersonation article.

Veeam Explorer for Oracle

See the Required Permissions section in the Veeam Explorers User Guide.

Veeam Explorer for Microsoft SharePoint

The account used for working with Veeam Explorer for SharePoint requires membership in the sysadmin fixed server role on the staging Microsoft SQL Server.

The account used to connect to the target SharePoint server where document items/lists will be restored needs the following:

  • If permissions of the restored item are inherited from the parent item (list) — Full Control for that list is required.
  • If permissions are not inherited, and restored item will replace an existing item — Contribute for the item and Full Control for its parent list are required.

Veeam Explorer for Microsoft SQL

See the Required Permissions section in the Veeam Explorers User Guide.

Veeam Large Logo

User Guide for VMware vSphere

User Guide for Microsoft Hyper-V

Enterprise Manager User Guide

Veeam Cloud Connect Guide

Veeam Agent Management Guide

Veeam Explorers User Guide

Backup and Restore of SQL Server Databases

Veeam Plug-ins for Enterprise Applications

PowerShell Reference

Veeam Explorers PowerShell Reference

RESTful API Reference

Required Permissions

Veeam Availability for Nutanix AHV

Veeam Backup for Microsoft Office 365 Documentation

Veeam ONE Documentation

Veeam Agent for Windows Documentation

Veeam Agent for Linux Documentation

Veeam Management Pack Documentation