The accounts used to install and administer VAO must have the following permissions.
The account used for product installation must be a domain user who has the local Administrator permissions on the target machine.
VAO Service Accounts
The accounts used to run VAO services, Veeam Backup & Replication services and Veeam ONE services must have the local Administrator permissions on the VAO server.
The accounts must also be granted the Log on as a service right. For more information on Windows security policy settings, see Microsoft Docs.
VAO Agent Account
The account used to install and run the VAO agent on a Veeam Backup & Replication server must be a Windows domain account, and have both the local Administrator and the Veeam Backup Administrator permissions on the server.
VAO User Accounts
The accounts used to log in to the VAO UI must be granted the Allow log on locally right. For more information on Windows security policy settings, see Microsoft Docs.
vCenter Server Permissions
The account used to connect the vCenter Server to the VAO infrastructure must have administrative permissions. You can either grant the Administrator role to the account or configure more granular permissions. For more information, see Veeam Backup & Replication Required Permissions and Veeam ONE Required Permissions.
To be able to open sessions on the vCenter Server system, the account must also have the Sessions.Validate session privilege on the root vCenter Server. For more information on session privileges, see VMware Docs.
Microsoft SQL Server Permissions
Different sets of Microsoft SQL permissions are required in the following cases:
NetApp Storage System Permissions
The account used to connect the storage system to the VAO infrastructure must be granted permissions described in section NetApp Data ONTAP Permissions.
VAO Step Accounts
The account used to run the Verify SharePoint URL step, must be assigned the SharePoint_Shell_Access role and must be a member of the WSS_ADMIN_WPG group on the processed VM.
The account used to run the Verify Exchange Mailbox step, must be assigned the ApplicationImpersonation role on the processed VM.
The account used to connect to a NetApp Data ONTAP storage system must have the following permissions: