Required credentials for VMware Application Aware backups

SUMMARY

Required credentials for VMware Application Aware backups

ISSUE

Purpose

Explain the credentials required for running App Aware backups.

Description

App Aware backups of VMware clients allow hosted applications with VSS writers to be quiesced before the snapshot that is backed up is taken. An account with elevated local Administrator privileges is required for this App Aware protection to work.

Cause

During an App Aware backup, a script is installed on the VMware client and remotely executed to run several pre-backup tasks that quiesce applications and truncate logs. This script requires access to system folders and therefore must be run under an account that has “elevated” Administrator privileges. A user-created account that is in the local Administrators group doesn’t always have “elevated” privileges and will usually fail to provide the required access. Likewise, a user in the Domain Admins group will also fail to provide sufficient privileges. Even the Domain Administrator account may not work.

Access rules for protected system files and resources vary with the version of Windows installed on the Client.  A non-local Administrator user in an earlier version of Windows may provide sufficient privileges for the App Aware backups to work.  For later versions of Windows, only the client’s local Administrator account has been shown to work consistently.

Resolution

Currently the requirement is to use the local Administrator account. For a Domain Controller client, where there is no local Administrator account, the Domain Administrator account should work. Note that this is the Domain Administrator user, not a user-created account in the Domain Admins group.

That said, for earlier versions of Windows, it is possible that a user in the local Administrators group will work. For some later versions of Windows, we have had some success after disabling User Account Control (UAC) on the VMware client and using a Domain Admin user. Alternatives to the “must use local Administrator account” requirement for each operating system version have not yet been defined.
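
The following pre-flight check is an added example, not code from the backup product or its vendor. It reports whether the account it runs under is the built-in Administrator (RID 500, local or domain), whether its token is elevated, and whether UAC is enabled on the client. The function name `Test-AppAwareCredential` and the `MatchesArticleGuidance` field are hypothetical, and reading the article's requirement as "built-in Administrator with an elevated token" is an assumption.

```powershell
# Added example (not vendor code). Run inside the guest as the candidate backup account.
function Test-AppAwareCredential {
    [CmdletBinding()]
    param()

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $sid       = $identity.User.Value

    # The built-in Administrator account, local or domain, always has RID 500.
    $isBuiltIn = $sid -match '^S-1-5-21-\d+-\d+-\d+-500$'

    # With a UAC-filtered token the Administrators group is deny-only, so
    # IsInRole returns $false even for members of the group.
    $isElevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # A local account's name is prefixed with the computer name.
    $isLocal = ($identity.Name -split '\\')[0] -eq $env:COMPUTERNAME

    # EnableLUA = 0 means UAC is disabled on this machine.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

    [pscustomobject]@{
        Account         = $identity.Name
        Sid             = $sid
        IsLocalAccount  = $isLocal
        IsBuiltInAdmin  = $isBuiltIn
        TokenIsElevated = $isElevated
        UacEnabled      = ($lua -ne 0)
        # Assumption: requirement read as "built-in Administrator with an elevated token".
        MatchesArticleGuidance = ($isBuiltIn -and $isElevated)
    }
}

Test-AppAwareCredential | Format-List
```

The output describes the token of the session the function runs in, which may differ from the token the backup product obtains when it executes its script remotely.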
