Permissions required for the backup add-on in ADManager Plus

When enabling the backup add-on, it is recommended that you provide Domain Admin privileges to the service account used to configure the AD domains in ManageEngine ADManager Plus. However, if your organization's policy restricts the use of the Domain Admin account, you can instead assign the service account only the least privileges required for the backup add-on to work.

The table below lists the permissions that should be assigned to the service account configured in ADManager Plus:

| Action | Permissions |
| --- | --- |
| Backup AD objects | Read, Replicating Directory Changes, and Replicating Directory Changes All permissions for the Domain, DomainDNSZones, ForestDNSZones, configuration, and schema partitions. |
| Backing up GPOs | Add the service account to the Administrators group |
| To restore deleted GPOs | Add the service account to the Group Policy Creator Owners group |
| To restore all AD objects | Write permission. |


Steps to configure the permissions required to enable the backup add-on in ADManager Plus  

Provide the service account with Read permission for Domain, DomainDNSZones, ForestDNSZones, configuration, and schema partitions in Active Directory.

  1. Open ADSI Edit.

  2. Click Action > Connect to.

  3. In the Connection Settings dialog box that appears, provide the distinguished name of the Domain partition and click OK.

  4. Right-click the domain in the left pane and click Properties.

  5. In the dialog box that appears, select the service account from the field for Group or user names. In the Permissions section, select the check boxes for Replicating Directory Changes, Replicating Directory Changes All, and Read, and click Apply.

    • Now that the user account has been provided with all permissions relating to the domain partition, click Action > Settings in ADSI Edit.

    • Add the DomainDNSZones, ForestDNSZones, configuration, and schema partitions to ADSI Edit and repeat the steps to provide the account with all the required permissions.

With these permissions in place, the user account can be used to configure the domain to ADManager Plus and perform backup operations.
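The grants made in the steps above can be checked from PowerShell. The script below is an added example, not ManageEngine's code: it reads the ACL of each of the five partitions and reports whether the service account holds Read and the two replication rights, and whether it also holds any write access. The account name CONTOSO\svc-admp-backup is a placeholder, and the script assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: read-only audit of the service account's ACEs on the five partitions.
# Requires the RSAT ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-admp-backup'   # placeholder: DOMAIN\sAMAccountName

# Control access right GUIDs defined in the AD schema
$ReplChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes
$ReplChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes All

$ADR       = [System.DirectoryServices.ActiveDirectoryRights]
$ReadMask  = [int]$ADR::GenericRead
$ExtRight  = [int]$ADR::ExtendedRight
$WriteMask = [int]($ADR::WriteProperty -bor $ADR::CreateChild -bor $ADR::DeleteChild -bor $ADR::WriteDacl -bor $ADR::WriteOwner)

$root = Get-ADRootDSE
$partitions = [ordered]@{
    Domain         = $root.defaultNamingContext
    DomainDNSZones = "DC=DomainDnsZones,$($root.defaultNamingContext)"
    ForestDNSZones = "DC=ForestDnsZones,$($root.rootDomainNamingContext)"
    Configuration  = $root.configurationNamingContext
    Schema         = $root.schemaNamingContext
}

$report = foreach ($name in $partitions.Keys) {
    $dn = $partitions[$name]
    try   { $acl = Get-Acl -Path "AD:\$dn" -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL of $dn : $_"; continue }

    # Only ACEs granted directly to the account; grants via group membership are not resolved here.
    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ServiceAccount })
    $ext = @($aces | Where-Object { ([int]$_.ActiveDirectoryRights -band $ExtRight) -ne 0 })

    [pscustomobject]@{
        Partition      = $name
        Read           = [bool]($aces | Where-Object { ([int]$_.ActiveDirectoryRights -band $ReadMask) -eq $ReadMask })
        ReplChanges    = [bool]($ext  | Where-Object { $_.ObjectType -in @($ReplChanges, [guid]::Empty) })
        ReplChangesAll = [bool]($ext  | Where-Object { $_.ObjectType -in @($ReplChangesAll, [guid]::Empty) })
        HasWrite       = [bool]($aces | Where-Object { ([int]$_.ActiveDirectoryRights -band $WriteMask) -ne 0 })
    }
}
$report | Format-Table -AutoSize
```

A row with HasWrite set to True means the account holds more than the backup add-on needs on that partition; write access is only required for restoration.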

 

Performing restorations when you add your domain using a service account

The permissions given to the service account above only allow the product to take backups of your AD environment.

When you need to perform a restoration, the product checks which account was used to configure the domain. If a domain administrator account was used, the restoration is performed without further input from the admin. If a service account was used, the product prompts the admin to enter the user name and password of a user who can write to AD. If the service account used to configure AD has the required privilege to write to AD, select the Use default system domain credentials option. If the account does not have the required privileges to write to AD, leave the box unchecked and provide the credentials of a domain administrator or a user who can write to AD in the Username and Password fields. The product then uses those credentials to perform the restoration and does not store them after the restoration is complete.

 

Backing up GPOs

To back up GPOs, the product has to run PowerShell commands to access the admin share folder, and the service account has to be added to the Administrators group.

If you want the account to be able to restore deleted GPOs as well, the service account must also be added to the Group Policy Creator Owners group.
