Challenge
The backup or replication job fails with the following error message:
VIX Error: You do not have access rights to this file Code: 13
OR
RPC function call failed. Function name: [IsSnapshotInProgress].RPC error: Access is denied. Code: 5
Cause
The issue occurs when Veeam is unable to start the agent that triggers Microsoft VSS on the guest machine because of insufficient privileges. It may also be related to VMware Tools malfunction.
Solution
To resolve:
1. Ensure that the account being used by Veeam is a member of the Local Administrators group on the VM that is to be backed up.
2. If the account being used is not named “Administrator”, you must disable UAC on the Guest OS of the VM to be backed up.
1. Ensure that the account being used by Veeam is a member of the Local Administrators group on the VM that is to be backed up.
2. If the account being used is not named “Administrator”, you must disable UAC on the Guest OS of the VM to be backed up.
a. For 2008/2008 R2, in the “Change User Account Control Settings”, move slider to Never Notify
b. For 2012/2012 R2/2016, you must change the “EnableLUA” DWORD to 0 in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system
b. For 2012/2012 R2/2016, you must change the “EnableLUA” DWORD to 0 in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system
3. Uninstall VMware Tools, and Reinstall VMware Tools. (Please see https://kb.vmware.com/kb/2010137 for more information). If you are unable to upgrade existing VMware tools see https://kb.vmware.com/kb/1001354
More Information
For more information regarding disabling UAC under 2012 and 2012 R2, please review the following: http://social.technet.microsoft.com/Forums/windowsserver/en-US/0aeac9d8-3591-4294-b13e-825705b27730/how-to-disable-uac?forum=winserversecurity
While most service accounts created have the ability to manage files, folders, and services, many may not have the rights to execute VSS tasks. This is why a user that is in the Administrator group should be specified for application-aware image processing and guest filesystem indexing.
By default in a VMware vSphere environment if Veeam Backup & Replication is not able to reach the <ip>\Admin$ share of the Guest VM, it will failover to a network-less protocol called VIX.
In situations where UAC must remain enabled, named Administrator accounts must be used for this process. Only administrative accounts with SID-500 access will be able to execute remote administration commands with this Windows feature enabled. These will be the local “Administrator” account made locally when installing windows, or the “Administrator” account used with the domain. Created domain administrator accounts have a default SID-512 and may not be sufficient for remote administration.
While most service accounts created have the ability to manage files, folders, and services, many may not have the rights to execute VSS tasks. This is why a user that is in the Administrator group should be specified for application-aware image processing and guest filesystem indexing.
By default in a VMware vSphere environment if Veeam Backup & Replication is not able to reach the <ip>\Admin$ share of the Guest VM, it will failover to a network-less protocol called VIX.
In situations where UAC must remain enabled, named Administrator accounts must be used for this process. Only administrative accounts with SID-500 access will be able to execute remote administration commands with this Windows feature enabled. These will be the local “Administrator” account made locally when installing windows, or the “Administrator” account used with the domain. Created domain administrator accounts have a default SID-512 and may not be sufficient for remote administration.