VMware Cloud Community
BobPaxton
Contributor

Any way to restrict the user account on the Windows proxy side of VCB?

Setting up a restricted VCB user account is well documented on the Virtual Center side; however, I haven't had any luck finding information on how to set up a restricted account for the Windows VCB proxy side.

So my question is, does anyone have info on how to set up a Windows vcbuser account that doesn't require being a member of the Administrators group on the VCB proxy?

Now that the latest version of VCB has SSPI functionality, that has eliminated a giant security hole for us, and we no longer store a plain text password for the vcbuser account on the server. So I want to continue to apply the principle of least privilege, and only give the vcbuser access to the components it needs to back up the VMs.

I've been able to accomplish this with the nbd mode, over the network backups. Since the Users group already has Read and Execute access to the "C:\Program Files\VMware\VMware Consolidated Backup Framework" folder, all that was necessary was to give the account Modify rights to the VM backup folder on the server.

But I can't get the non-privileged account to back up using san mode. Apparently the default in Windows is that only administrators can view disk/LUN information, as I've tried putting the account in Backup Operators and it did not help.

The error message from VCB is:

No path to device LVID:484e7c53-a5374db3-4bcf-0018fe746bd6/484e7c52-3b8778e4-c64e-0018fe746bd6/1 found.

Error: Failed to open the disk: Cannot access a SAN/iSCSI LUN backing this virtual disk. (Hint: If you are using vcbMounter you can use the option "-m ndb" to switch to network based disk access if this is what you want.) If you were attempting file-level access, stop the vmount Service by typing "net stop vmount2" on a command prompt to force vmount to re-scan for SAN LUNs and re-try the command.

Adding the vcbuser to Administrators immediately eliminates the errors. Any thoughts on privileges, security settings, etc. would be greatly appreciated.

Thanks!
