
jmThia
Jul 02, 2025

Workgroup Failover Cluster backup service account

Hello,

We have built a workgroup Hyper-V cluster. Live migration works well when taking a node. But the only account that we can use is the one used at the cluster creation. 

I found some posts about creating the same user / password on both nodes and granting cluster full access. But this account gets access denied in the cluster manager. But I would like to have a specific account for backup and also a nominative account for administration. I just read Orin Thomas's post, but it did not help.

Has anyone ever been able to use a different local account to manage a workgroup cluster?

Or, to achieve this, must I stick to AD-registered servers?

Thanks for any help.

Jean Marie

1 Reply

  • Why other local accounts fail

    Even if you create another local user with the same name and password on all nodes, Windows treats it as a different security principal (unique SID).
    The cluster’s internal authentication uses the SID of the account that created the cluster — not just the username.
    Therefore, “same name/password” does not equal “same identity.”

    Options for management and backup

    Option A – Continue using the original cluster account
    This is the only supported method in a pure workgroup cluster.
    You can use this account for administration and service operations.

    Option B – Move to domain membership
    If you need multiple named administrators, delegated permissions, or backup agents running under service accounts, join the servers to an Active Directory domain.
    Once domain-joined, you can grant specific domain accounts Cluster Administrator rights via:

    Grant-ClusterAccess -User "DOMAIN\UserName" -Full


    Option C – Scripted elevation
    In a workgroup scenario, you could wrap backup jobs or administrative scripts to run as the cluster’s setup account using “Run as different user,” but this is not scalable or secure for production.

    Backup implications

    Most enterprise backup tools (like Veeam, DPM, or Altaro) expect Kerberos authentication or domain service accounts.
    In a workgroup cluster, these tools usually cannot authenticate or discover the cluster unless using stored local credentials for each node individually — they can’t use a central service account.


    Recommendation

    For reliability, manageability, and backup integration:
    Join the nodes to an AD domain.
    Workgroup clusters are supported mainly for small or disconnected environments, but they don’t support multi-user administrative models.

    Summary:
    In a workgroup cluster, only the original local account that created the cluster can manage it — other accounts (even with same credentials) won’t work because of SID mismatch.
    If you need named admin and backup service accounts, you must use Active Directory–joined servers.
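
The SID point made in the reply above can be checked on the nodes themselves: a local account's SID is the machine's own identifier plus a RID, so the same name on two nodes gives two different SIDs. The PowerShell below is an added example, not code from this thread; the helper functions are hypothetical, and the node names, the account name `svc-backup` and the SIDs are constructed sample values.

```powershell
# Added example. Values marked "constructed" do not come from a real system.

function Get-LocalAccountSid {
    # Run this on each node to collect the SID of the named local account.
    param([Parameter(Mandatory)][string]$Name)
    $user = Get-LocalUser -Name $Name -ErrorAction Stop
    [pscustomobject]@{ Node = $env:COMPUTERNAME; Account = $user.Name; Sid = $user.SID.Value }
}

function Compare-NodeAccountSid {
    # Splits each SID into the machine identifier and the RID, and reports
    # whether the records name one security principal or several.
    param([Parameter(Mandatory)][object[]]$Record)
    $rows = foreach ($r in $Record) {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($r.Sid)
        [pscustomobject]@{
            Node       = $r.Node
            Account    = $r.Account
            MachineSid = $sid.AccountDomainSid.Value   # machine-specific part
            Rid        = ($r.Sid -split '-')[-1]       # per-account part
        }
    }
    $distinct = @($Record.Sid | Sort-Object -Unique).Count
    [pscustomobject]@{
        Rows          = $rows
        DistinctSids  = $distinct
        SamePrincipal = ($distinct -eq 1)
    }
}

# Constructed records, shaped like Get-LocalAccountSid output from two nodes.
$records = @(
    [pscustomobject]@{ Node = 'NODE1'; Account = 'svc-backup'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1001' }
    [pscustomobject]@{ Node = 'NODE2'; Account = 'svc-backup'; Sid = 'S-1-5-21-1234567890-2345678901-3456789012-1001' }
)

$result = Compare-NodeAccountSid -Record $records
$result.Rows | Format-Table -AutoSize
'Distinct SIDs: {0}  Same principal: {1}' -f $result.DistinctSids, $result.SamePrincipal

# On a cluster node, list the principals currently in the cluster access list:
# Get-ClusterAccess
```

To use it with real data, run `Get-LocalAccountSid` on each node and pass the collected records to `Compare-NodeAccountSid` in place of the constructed ones.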
