Cayosoft Guardian account permissions for AD domains and Entra tenants
Summary
To collect changes in the Active Directory domain and their related audit logs, and to restore changes, the account that Cayosoft Guardian uses to connect to Active Directory must either hold Domain Administrative permissions, belong to the Domain Administrators group, or be explicitly granted specific permissions in that domain. This article describes how to explicitly grant the necessary permissions to the Cayosoft Guardian AD connection account.
Cayosoft recommends using an account with the Global Administrator role to back up, collect related audit logs for, and restore objects in Entra ID, Exchange Online and Teams. Global Administrator role assignment is not a hard requirement, but it does make Cayosoft Guardian easier to configure. This article lists the minimum set of roles and permissions to delegate to the Cayosoft Guardian connection accounts.
NOTE: Collecting changes to Exchange-owned attributes in Active Directory, such as policy assignments, requires the Configuration partition backup job to be configured. To collect changes and related audit logs, and to restore changes in the Configuration partition, the account that Cayosoft Guardian uses to connect to the Configuration partition must belong to the Enterprise Admins group. To restore Exchange-owned properties, the account that Cayosoft Guardian uses to connect to the Active Directory domain must belong to the Organization Management group in the root domain of the forest.
Required permissions and memberships for the Cayosoft Guardian AD connection account
| Operation | Permission or membership requirement | Permission scope / Applies to |
|---|---|---|
| Backup | Replicating Directory Changes permission | Scope: Domain object. Applies to: This object only |
| Restore of modified attribute(s) changes | Read, Write permissions for the attribute(s) | Scope: Domain object or target container. Applies to: Descendant objects |
| Undo creation (delete) | Delete permission | Scope: Domain object or target container. Applies to: Descendant objects |
| View deleted objects | List, Read, Write permissions | Scope: Deleted Objects container. Applies to: Descendant objects |
| Restore deleted object from Recycle Bin | Reanimate Tombstones permission | Scope: Domain object. Applies to: This object only |
| Restore deleted object from Recycle Bin | Create all child objects permission and Read, Write permissions for the attribute(s) | Scope: Target container. Applies to: Descendant objects |
| Replicate restored objects | Replication Synchronization extended right | Scope: Domain object. Applies to: This object only |
| Backup changes of security descriptor | Membership in Domain Administrators group | n/a |
| Restore changes of security descriptor | Restore of security descriptor values requires Domain Administrators membership | n/a |
| Events collection | Membership in Remote Management Users and Event Log Readers groups | n/a |
| Restore of modified Exchange-owned attribute(s) | Membership in the Organization Management group in the root domain of the forest; membership in Enterprise Admins group | n/a |
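The three rows above that apply "This object only" on the domain object (Replicating Directory Changes, Reanimate Tombstones, Replication Synchronization) are extended rights identified by well-known schema GUIDs. The script below is an added example, not Cayosoft's own code or tooling, and shows how to delegate exactly those three rights to the connection account with the ActiveDirectory module, skipping ACEs that already exist. The account name is a placeholder; it assumes RSAT is installed and that it is run as a Domain Admin. Note that the table asks for Replicating Directory Changes only, not Replicating Directory Changes All: the "All" right additionally permits replication of secret attributes and is not needed for the backup job, so it is deliberately not granted here.

```powershell
# Added example (not Cayosoft's code): delegate the domain-object extended rights
# listed in the table to the Guardian AD connection account.
# Assumptions: $account is a placeholder; run as Domain Admin with RSAT installed.
Import-Module ActiveDirectory

$account  = 'DOMAIN\svc-guardian'          # placeholder: Guardian AD connection account
$domainDN = (Get-ADDomain).DistinguishedName
$aclPath  = "AD:\$domainDN"

$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Schema-defined rightsGuid values; identical in every forest.
$extendedRights = [ordered]@{
    'DS-Replication-Get-Changes' = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes
    'DS-Replication-Synchronize' = [guid]'1131f6ab-9c07-11d1-f79f-00c04fc2dcd2'  # Replication Synchronization
    'Reanimate-Tombstones'       = [guid]'45ec5156-db7e-47bb-b53f-dbeb2d03c40f'  # Reanimate Tombstones
}

$acl = Get-Acl -Path $aclPath
foreach ($name in $extendedRights.Keys) {
    $guid = $extendedRights[$name]

    # Idempotent: skip if an identical Allow ACE for this account already exists.
    $exists = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.ObjectType -eq $guid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }
    if ($exists) { Write-Host "Already present: $name"; continue }

    # "This object only" = no inheritance; the ACE is scoped to one extended-right GUID,
    # so the account gains nothing beyond that single right.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Write-Host "Adding: $name"
}
Set-Acl -Path $aclPath -AclObject $acl
```

The Read/Write attribute permissions, Delete, and Create all child objects rows are ordinary object permissions on the target container with "Descendant objects" inheritance and are easier to set with the Delegation of Control wizard or dsacls than with GUID-scoped ACEs, so they are left out of this script.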
Required roles for Cayosoft Guardian Entra ID connection account
While the Global Administrator role can be used to grant full access for Guardian’s backup, restore, and auditing features, it is not a hard requirement.
To follow the principle of least privilege, you can assign a combination of lower-privilege roles that together provide the required access.
The following Entra ID roles can be used in place of Global Administrator:
| Role | Purpose |
|---|---|
| Directory Readers | Allows read-only access to directory objects (users, groups, devices). Required for auditing and reporting. |
| Privileged Authentication Administrator | Allows management of authentication methods for users. Required for restoring authentication-related attributes. |
| User Administrator | Allows creation, update, and deletion of users (without granting full admin privileges). Required for restoring user objects. |
| Groups Administrator | Allows management of group objects and memberships. Required for restoring groups. |
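The role combination above can be assigned without touching Global Administrator through Microsoft Graph PowerShell. The following is an added example, not Cayosoft's own code, that looks each role definition up by display name and creates a tenant-wide assignment for the connection account only when one is not already present. The UPN is a placeholder, and it assumes the caller holds a role permitted to assign these roles (for example Privileged Role Administrator). Privileged Authentication Administrator and User Administrator remain highly privileged roles, so the connection account should be protected as an administrative identity even though it is not a Global Administrator.

```powershell
# Added example (not Cayosoft's code): assign the four Entra ID roles from the table
# to the Guardian connection account instead of Global Administrator.
# Assumptions: $upn is a placeholder; the caller may assign directory roles.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$upn       = 'svc-guardian@contoso.example'   # placeholder: Guardian Entra ID connection account
$principal = Get-MgUser -UserId $upn -Property Id, UserPrincipalName

$roleNames = @(
    'Directory Readers',
    'Privileged Authentication Administrator',
    'User Administrator',
    'Groups Administrator'
)

# Current assignments for this principal, so re-running the script changes nothing.
$current = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($principal.Id)'" -All

foreach ($name in $roleNames) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    if (-not $def) { throw "Role definition '$name' not found in this tenant" }

    $already = $current | Where-Object {
        $_.RoleDefinitionId -eq $def.Id -and $_.DirectoryScopeId -eq '/'
    }
    if ($already) { Write-Host "Already assigned: $name"; continue }

    # DirectoryScopeId '/' = tenant-wide (the same scope a portal assignment gets).
    New-MgRoleManagementDirectoryRoleAssignment `
        -RoleDefinitionId $def.Id `
        -PrincipalId      $principal.Id `
        -DirectoryScopeId '/' | Out-Null
    Write-Host "Assigned: $name"
}
```

If the tenant uses Privileged Identity Management, the same role definition IDs can be used for eligible rather than permanent assignments; the example above creates permanent (active) assignments, which is what a service account used for scheduled backups normally needs.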
Grant permissions for the Cayosoft Guardian AD connection account to restore deletions in AD with AD Recycle Bin enabled
NOTE: Consider the following:
- Delegated permissions only apply to objects deleted after these permission changes are applied.
- Previously deleted objects require Domain Admins membership for the Active Directory connection account.
- The Active Directory connection account must have permissions on the target OU where the reanimated object will be placed.
To access the Deleted Objects container in Active Directory, additional configuration is required.
1. Run `cmd` as Domain Admin.
2. Take ownership of the Deleted Objects container:
   ```
   dsacls "CN=Deleted Objects,DC=domain,DC=com" /takeownership
   ```
3. Grant the delegated user or group the List, Read, Write permissions (LC = List children, RP = Read property, WP = Write property) needed to view and restore deleted objects. Replace DOMAIN\account with the Cayosoft Guardian AD connection account name:
   ```
   dsacls "CN=Deleted Objects,DC=domain,DC=com" /g DOMAIN\account:LCRPWP
   ```
4. Using the Active Directory Users and Computers snap-in, grant the Cayosoft Guardian AD connection account the right to reanimate tombstones:
   1. Right-click the domain root and select Properties.
   2. On the Security tab, click Advanced.
   3. Click Add and select the Active Directory connection account.
   4. Allow the Reanimate Tombstones permission and click OK.
How to grant permissions for the Cayosoft Guardian AD connection account to collect events from a domain controller
To collect events, Cayosoft Guardian needs permission to access the domain controller remotely and to read the Security log. For remote access to the domain controller, the Cayosoft Guardian AD connection account should be a member of the Remote Management Users group. To read logs on the domain controller, the Cayosoft Guardian AD connection account should be a member of the Event Log Readers group. Learn more about these groups here: Default groups: Active Directory | Microsoft Docs.
1. Open the Active Directory Users and Computers snap-in.
2. Open the Builtin container.
3. Right-click the Remote Management Users group, and select Add to a group.
4. Select the service account and click OK to confirm.
5. Right-click the Event Log Readers group and select Add to a group.
6. Select the service account and click OK to confirm.
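After delegating the Recycle Bin permissions from the previous section and the group memberships from this one, it is worth confirming the result from the connection account's point of view rather than trusting the GUI. The script below is an added verification example, not Cayosoft's own code: it checks the LC/RP/WP ACEs on the Deleted Objects container, the Reanimate Tombstones right on the domain root, recursive membership of both Builtin groups, and finally reads one Security event from a domain controller as the connection account. The account and domain controller names are placeholders; it assumes RSAT is installed, that it is run as a Domain Admin, and that Get-ADObject -IncludeDeletedObjects can return the hidden container with its nTSecurityDescriptor.

```powershell
# Added example (not Cayosoft's code): verify the Recycle Bin delegation and the
# event-collection group memberships for the Guardian AD connection account.
# Assumptions: $account is a placeholder; run as Domain Admin with RSAT installed.
Import-Module ActiveDirectory

$account  = 'DOMAIN\svc-guardian'   # placeholder: Guardian AD connection account
$sam      = $account.Split('\')[1]
$domainDN = (Get-ADDomain).DistinguishedName
$dc       = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
$ok       = $true

# 1. Deleted Objects container: the rights behind "dsacls ... /g DOMAIN\account:LCRPWP".
#    -IncludeDeletedObjects sends the show-deleted control needed to read the container.
$deleted = Get-ADObject -Identity "CN=Deleted Objects,$domainDN" -Server $dc `
             -IncludeDeletedObjects -Properties nTSecurityDescriptor
$need = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, WriteProperty'
$have = [System.DirectoryServices.ActiveDirectoryRights]0
$deleted.nTSecurityDescriptor.Access |
    Where-Object { $_.IdentityReference.Value -eq $account -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { $have = $have -bor $_.ActiveDirectoryRights }
if (($have -band $need) -eq $need) { "OK   Deleted Objects: LC/RP/WP present" }
else { "FAIL Deleted Objects: account holds only '$have'"; $ok = $false }

# 2. Reanimate Tombstones extended right on the domain root (schema-defined GUID).
$reanimate = [guid]'45ec5156-db7e-47bb-b53f-dbeb2d03c40f'
$rootAce = (Get-Acl -Path "AD:\$domainDN").Access | Where-Object {
    $_.IdentityReference.Value -eq $account -and
    $_.ObjectType -eq $reanimate -and
    $_.AccessControlType -eq 'Allow'
}
if ($rootAce) { "OK   Domain root: Reanimate Tombstones present" }
else { "FAIL Domain root: Reanimate Tombstones missing"; $ok = $false }

# 3. Builtin group memberships, resolved recursively so nested groups count.
foreach ($group in 'Remote Management Users', 'Event Log Readers') {
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Select-Object -ExpandProperty SamAccountName
    if ($members -contains $sam) { "OK   $group contains $sam" }
    else { "FAIL $group does not contain $sam"; $ok = $false }
}

# 4. End-to-end check: read one Security event from the DC as the connection account
#    (prompts for its password; never hard-code it in a script).
$cred = Get-Credential -UserName $account -Message 'Guardian AD connection account password'
try {
    $null = Get-WinEvent -ComputerName $dc -LogName Security -MaxEvents 1 `
                -Credential $cred -ErrorAction Stop
    "OK   Security log readable on $dc"
} catch {
    "FAIL Security log on ${dc}: $($_.Exception.Message)"; $ok = $false
}

if (-not $ok) { exit 1 }
```

A FAIL in step 1 or 2 usually means the dsacls command or the Advanced Security dialog was applied to the wrong object or with the wrong inheritance; a FAIL in step 4 with both groups reported OK points at firewall or remote event log service settings on the domain controller rather than at the delegation itself.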