vCloud Tenant file restores via Veeam Enterprise Manager when UAC is enabled

I really like the way Enterprise Manager integrates with vCloud Director and provides tenants with an agentless way to backup and restore VMs and files. At the same time it provides a simple self-service portal that we can now integrate directly into vCloud Director with a custom plugin.

When a tenant attempts to restore a file back to a VM within vCloud Director, Veeam will first try and connect to the VM from the mount server via the network which in this case will not work as there is no direct connectivity (for good reason). Creating a connection between the VCD Org Networks and the Backup Management Network isn’t really an option here so instead it will then use the vSphere Guest Interaction API to complete the restore. Up to vSphere 6.0 this was referred to as VMware VIX API but from vSphere 6.5 it is now referred to as VMware vSphere Guest Interaction API.

But what do we do if a tenant calls up and says hey I keep getting an error when I restore files back to my VMs, it keeps saying Unable to establish connection with the machine.

Let’s explore a couple of ways to help them resolve their issue.

When performing a file level restore you do need to provide either the built in local administrator account of the VM or if the VM is joined to a domain then the domain administrator account. The error we are seeing here is being caused by UAC – User Account Control being enabled. In a lot of companies this may be pushed out via group policy or it might just be enabled on the server you are trying to restore some files too.

One option is you can request the group policy be changed so that you can then disable UAC on the VM. More than likely the response to this request will be no.

If it’s not currently set via group policy but it is still enabled you can just disable it yourself but you then need to restart the server for it to take effect which in most cases isn’t ideal.

So where does that leave us.. Well first you can check to ensure you are using the actual built-in administrator account by opening an elevated command prompt and entering the following command – WMIC useraccount get name,sid

Make sure the SID ends in -500 to ensure that it is the built-in account

Now the built-in administrator accounts are supposed to be exempt from UAC so if you were able to just disable UAC you can test again and it should just work.

If you were informed by a polite sysadmin that there is no chance they are going to let you disable UAC you have one other option available. The best part about this approach is that it doesn’t require a reboot.

Open the Local Security Policy on the server and then expand Local Policies, then expand Security Options. There will be a policy there called “User Account Control: Admin Approval Mode for the Build-in Administrator account“, set this policy to Disabled.

 

You can always re-enable this policy if need be after the file restore is complete or you can leave it disabled. Best part is no reboot required.

Then try to restore your file again and when prompted enter your Administrator credentials.

There you go, file restore completed successfully.

LINKEDIN

Leave a Reply

Your email address will not be published. Required fields are marked *

LINKEDIN