Permissions required for the backup add-on in ADManager Plus


When enabling the backup add-on, it is recommended that you give Domain Admin privileges to the service account used to configure the AD domains in ManageEngine ADManager Plus. However, if your organization's policy restricts the use of a Domain Admin account, you can instead assign the service account the least privileges required for the backup add-on to work.

The table below lists the permissions that should be assigned to the service account configured in ADManager Plus:

Action | Permissions
Backing up AD objects | Read permission plus the Replicating Directory Changes and Replicating Directory Changes All control access rights on the Domain, DomainDNSZones, ForestDNSZones, Configuration and Schema partitions.
Backing up GPOs | Add the service account to the Administrators group.
Restoring deleted GPOs | Add the service account to the Group Policy Creator Owners group.
Restoring AD objects | Write permission on the objects (or the containers) that are to be restored.

Note: Replicating Directory Changes All allows the holder to read directory secrets, including password hashes, through the replication protocol (the same right a DCSync-style attack relies on). An account that holds it is therefore as sensitive as a Domain Admin even though it is not a member of that group: give it a strong, unique password, restrict where it can log on, and monitor its use.


Steps to configure the permissions required to enable the backup add-on in ADManager Plus

Provide the service account with Read permission, Replicating Directory Changes and Replicating Directory Changes All on the Domain, DomainDNSZones, ForestDNSZones, Configuration and Schema partitions in Active Directory.

  1. Open ADSI Edit.

  2. Click Action > Connect to.

  3. In the Connection Settings dialog box that appears, provide the distinguished name of the Domain partition and click OK.

  4. Right-click the domain (the partition head object) in the left pane and click Properties.

  5. On the Security tab of the dialog box that appears, select the service account in the Group or user names list (click Add if it is not listed yet). In the Permissions section, select the check boxes for Replicating Directory Changes, Replicating Directory Changes All and Read, and click Apply.

  6. Now that the service account has been given all the permissions relating to the Domain partition, connect ADSI Edit to the remaining partitions (Action > Connect to), one at a time.

  7. Repeat steps 4 and 5 for the DomainDNSZones, ForestDNSZones, Configuration and Schema partitions so that the account holds the same permissions on each of them.

With these permissions in place, the service account can be used to configure the domain in ADManager Plus and perform backup operations.
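The ADSI Edit procedure above, scripted in PowerShell as an added example (this is not ManageEngine's own tooling), together with a check that reports whether each partition actually carries the three entries. It assumes the RSAT ActiveDirectory module, a session that is allowed to change the security descriptor of each naming context, and a service account name (CORP\svc-admanager) that is only a placeholder. The two GUIDs are the well-known rightsGuid values of the replication control access rights. It grants only the backup permissions from the table; the Write permission needed for restores and the group memberships for GPO backup are not covered here.

```powershell
# Added example, not ManageEngine's script. Requires the RSAT ActiveDirectory module and
# a session with rights to modify each naming context's security descriptor.
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\svc-admanager'   # assumption: replace with your ADManager Plus service account
$Sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Well-known rightsGuid values of the two replication control access rights.
$DsReplGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes
$DsReplGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes All

# The five partitions from the table, resolved from RootDSE. The two DNS application
# partitions only exist when DNS is AD-integrated.
$Root = Get-ADRootDSE
$Partitions = @(
    $Root.defaultNamingContext
    $Root.configurationNamingContext
    $Root.schemaNamingContext
    "DC=DomainDnsZones,$($Root.defaultNamingContext)"
    "DC=ForestDnsZones,$($Root.rootDomainNamingContext)"
)

function Grant-BackupReadRights {
    param([string]$PartitionDN, [System.Security.Principal.SecurityIdentifier]$Identity)

    $Path = "AD:\$PartitionDN"
    $Acl  = Get-Acl -Path $Path

    # Read on the partition head and everything beneath it, so every object can be backed up.
    $Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Identity,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

    # The replication rights are control access rights on the partition head only,
    # which is what the ADSI Edit check boxes set.
    foreach ($Guid in $DsReplGetChanges, $DsReplGetChangesAll) {
        $Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Identity,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $Guid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))
    }
    Set-Acl -Path $Path -AclObject $Acl
}

function Test-BackupReadRights {
    # Reads the ACL back and reports, per partition, which of the three entries are present.
    param([string]$PartitionDN, [System.Security.Principal.SecurityIdentifier]$Identity)

    $ReadMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $Rules = (Get-Acl -Path "AD:\$PartitionDN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Identity
    }
    [pscustomobject]@{
        Partition      = $PartitionDN
        Read           = [bool]($Rules | Where-Object { ($_.ActiveDirectoryRights -band $ReadMask) -eq $ReadMask })
        ReplChanges    = [bool]($Rules | Where-Object { $_.ObjectType -eq $DsReplGetChanges })
        ReplChangesAll = [bool]($Rules | Where-Object { $_.ObjectType -eq $DsReplGetChangesAll })
    }
}

foreach ($DN in $Partitions) {
    Grant-BackupReadRights -PartitionDN $DN -Identity $Sid
    Test-BackupReadRights  -PartitionDN $DN -Identity $Sid
}
```

Run it once from a domain-joined management host as a user who can edit the partition security descriptors, then keep Test-BackupReadRights as a periodic check: any row that reports False for ReplChangesAll explains a failing backup, and any unexpected account that turns up with that right on the Domain partition is worth an investigation, since the same entry is what an attacker adds to persist DCSync access.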


Performing restorations when you add your domain using a service account

The permissions given to the service account above only allow the product to take backups of your AD environment.

When a restoration is requested, the product checks which account was used to configure the domain. If a Domain Admin account was used, the restoration is performed without further input from the admin. If a service account was used, the product prompts the admin for the user name and password of an account that can write to AD. If the service account used to configure AD does have the privileges needed to write to AD, select the Use default system domain credentials option. If it does not, leave the box unchecked and provide, in the Username and Password fields, the credentials of a Domain Admin or of another user who can write to AD. The product uses these credentials only to perform that restoration and does not store them once the restoration is complete.


Backing up GPOs  

To back up GPOs, the product has to run PowerShell commands that access the administrative share on the domain controller, so the service account has to be added to the Administrators group.

If you want the account to be able to restore deleted GPOs as well, the service account must also be added to the Group Policy Creator Owners group.

Note: this is the domain's built-in Administrators group, whose members are administrators on every domain controller. Membership in it makes the service account a tier-0 account in practice, whether or not it is also a Domain Admin, so apply the same credential handling and monitoring to it as you would to a Domain Admin account.
