Cayosoft Guardian account permissions for AD domains and Entra tenants
Summary
To collect changes in an Active Directory domain and the related audit logs, and to restore changes, the account that Cayosoft Guardian uses to connect to Active Directory must either be a member of the Domain Admins group or be explicitly granted specific permissions in that domain. This article describes how to grant those permissions explicitly to the Cayosoft Guardian AD connection account. Explicit delegation keeps the account out of Domain Admins, but the replication rights in the table below (Replicating Directory Changes All in particular) let the account replicate every attribute in the domain, including password hashes, so the account must still be protected to the same standard as a Domain Admin.
Cayosoft recommends using an account with the Global Administrator role to back up and restore objects in Entra ID, Exchange Online, and Teams and to collect the related audit logs. The Global Administrator role is not a hard requirement, but it makes Cayosoft Guardian easier to configure. This article lists the minimum set of roles and permissions to delegate to the Cayosoft Guardian Entra ID connection account instead.
NOTE: Collecting changes to Exchange-owned attributes in Active Directory, such as policy assignments, requires a Configuration partition backup job to be configured. To collect changes and related audit logs in the Configuration partition, and to restore them, the account that Cayosoft Guardian uses to connect to the Configuration partition must be a member of the Enterprise Admins group. To restore Exchange-owned properties, the account that Cayosoft Guardian uses to connect to the Active Directory domain must be a member of the Organization Management group (on-premises Exchange) in the forest root domain.
Required permissions and memberships for the Cayosoft Guardian AD connection account
| Operation | Permission or membership requirement | Permission scope | Applies to |
|---|---|---|---|
| Backup | Replicating Directory Changes permission | Domain object | This object only |
| Replicate a restored object to a specific domain controller | Replicating Directory Changes All permission ("Replicate single object") | Domain object | This object only |
| Restore modified attribute(s) | Read and Write permissions for the attribute(s) | Domain object or target container | Descendant objects |
| Undo creation (delete) | Delete permission | Domain object or target container | Descendant objects |
| View deleted objects | List, Read, Write permissions | Deleted Objects container | Descendant objects |
| Restore a deleted object from the Recycle Bin | Reanimate Tombstones permission | Domain object | This object only |
| Restore a deleted object from the Recycle Bin | Create all child objects permission and Read, Write permissions for the attribute(s) | Target container | Descendant objects |
| Replicate restored objects | Replication Synchronization extended right | Domain object | This object only |
| Backup changes of security descriptors | Membership in Domain Admins group | — | — |
| Restore changes of security descriptors | Membership in Domain Admins group | — | — |
| Events collection | Membership in Remote Management Users and Event Log Readers groups | — | — |
| Restore modified Exchange-owned attribute(s) | Membership in the Organization Management group (on-premises Exchange) in the forest root domain | — | — |
| Configuration partition backup/restore | Membership in Enterprise Admins group | — | — |
How this is validated at runtime: when Guardian validates the AD connection account, it runs an LDAP search against the partition with the DirSync control (LDAP_SERVER_DIRSYNC_OID, 1.2.840.113556.1.4.841). A domain controller only honours that control for a caller that holds Replicating Directory Changes on the naming-context head, so a successful search confirms that the permission has been granted; a failure produces the error "Failed to check the Replicating Directory Changes permission. Grant the permission to the connection account."
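The same check, as an added example you can run before pointing Guardian at the domain (this is not Cayosoft's code): it binds as the connection account and issues a DirSync search against the domain naming context. The domain controller name (dc01.corp.example) and account name (CORP\svc-guardian) are hypothetical.

```powershell
# Added example, not Cayosoft's code: reproduce the DirSync permission check that Guardian
# performs when it validates the AD connection account.
Add-Type -AssemblyName System.DirectoryServices

function Test-GuardianDirSyncRight {
    param(
        [Parameter(Mandatory)] [string]       $DomainController,  # hypothetical: dc01.corp.example
        [Parameter(Mandatory)] [string]       $NamingContext,     # e.g. DC=corp,DC=example
        [Parameter(Mandatory)] [pscredential] $Credential         # the Guardian AD connection account
    )

    # Bind to the naming-context head as the connection account. DirSync is only accepted
    # when the search base is the root of a naming context, so do not use an OU here.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$DomainController/$NamingContext",
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password,
        ([System.DirectoryServices.AuthenticationTypes]::Secure -bor
         [System.DirectoryServices.AuthenticationTypes]::Sealing))

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=domainDNS)'        # matches only the domain head, keeps the reply small
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')

    # Options = None: the DC refuses the control unless the caller holds
    # "Replicating Directory Changes" on the NC head. Do NOT use the ObjectSecurity option:
    # that flag lets any reader page through changes and would make this check pass
    # without the right.
    $searcher.DirectorySynchronization = New-Object System.DirectoryServices.DirectorySynchronization(
        [System.DirectoryServices.DirectorySynchronizationOptions]::None)

    try {
        $results = $searcher.FindAll()
        $count = $results.Count       # enumeration is what actually sends the search
        $results.Dispose()
        [pscustomobject]@{ HasReplicatingDirectoryChanges = $true;  Objects = $count; Error = $null }
    } catch [System.Runtime.InteropServices.COMException] {
        # A missing right surfaces as "Insufficient access rights to perform the operation"
        # (ERROR_DS_INSUFF_ACCESS_RIGHTS, 0x80072098).
        [pscustomobject]@{ HasReplicatingDirectoryChanges = $false; Objects = 0;      Error = $_.Exception.Message }
    } finally {
        $searcher.Dispose(); $root.Dispose()
    }
}

$cred = Get-Credential 'CORP\svc-guardian'
Test-GuardianDirSyncRight -DomainController 'dc01.corp.example' -NamingContext 'DC=corp,DC=example' -Credential $cred
```

Run the check from a host that is not a domain controller so that the account's own rights, not the local SYSTEM context, are what the DC evaluates. The same function works against the Configuration partition by passing its DN as the naming context.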
Required roles for Cayosoft Guardian Entra ID connection account
While the Global Administrator role can be used to grant full access for Guardian's backup, restore, and auditing features, it is not a hard requirement.
To follow the principle of least privilege, you can assign a combination of lower-privilege roles. The roles below are grouped by the Guardian feature area they support. Assign only the roles for the feature areas you intend to back up, audit, or restore.
Core directory, users, groups, and basic auditing
| Role | Purpose |
|---|---|
| Directory Readers | Read-only access to directory objects, including users, groups, and devices. Required for basic auditing and reporting. |
| User Administrator | Creation, update, and deletion of users, without granting full admin privileges. Required for restoring user objects. |
| Groups Administrator | Management of group objects and memberships. Required for restoring groups. |
| Privileged Authentication Administrator | Management of authentication methods for users. Required for restoring authentication-related attributes. |
Additional roles required when backing up or restoring extended workloads
The connection account requests additional Microsoft Graph scopes for the workloads listed below. If your environment uses these features and you are not assigning Global Administrator, also delegate the corresponding role:
| Feature area | Role to assign | Notes |
|---|---|---|
| Conditional Access, Authorization, Authentication Flows, and Device Configuration policies | Conditional Access Administrator and/or Security Administrator | Required for backup/restore of policy objects. |
| Privileged Identity Management (PIM) — role assignments and eligibilities | Privileged Role Administrator | Required for backup/restore of role assignment and eligibility schedules. |
| Application registrations and service principals | Application Administrator or Cloud Application Administrator | Required for backup/restore of application objects. |
| Intune / Device management, including configurations, apps, scripts, and managed devices | Intune Administrator | Required when Intune-related backup/restore is in scope. |
| Audit log collection | Reports Reader, Security Reader, or Global Reader | The Directory Readers role does not grant AuditLog.Read.All; a reader role that includes audit log access must be assigned for full audit collection. |
| Exchange Online, including mailbox attributes, shared mail, and send permissions | Exchange Administrator | Required for Exchange Online backup/restore scenarios. Distinct from the on-premises Organization Management group described in the AD section above. |
| Microsoft Teams settings | Teams Administrator | Required when Teams settings backup/restore is in scope. |
Limitation / Warning: Assigning only the four roles in the Core directory table will not cover Conditional Access, PIM, Applications, Intune, Exchange Online, or Teams operations. Customers who need those features must either assign the additional roles above or use Global Administrator.
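The role assignment described in the two tables above, carried out with the Microsoft Graph PowerShell SDK as an added example (not Cayosoft's code and not part of the Guardian product). It assumes the Microsoft.Graph module is installed, that the caller can create role assignments, and that the object ID passed as PrincipalId belongs to the Guardian connection account (the value used below is a placeholder). The feature-area keys are an assumption introduced here for grouping; the role names are the page's own.

```powershell
# Added example, not Cayosoft's code: assign only the Entra roles for the feature areas
# Guardian will back up, audit, or restore, then list what the account actually holds.

# Feature area -> built-in roles, taken from the tables above. The keys are assumptions made here.
$GuardianRoleMap = @{
    'Core'              = @('Directory Readers', 'User Administrator', 'Groups Administrator',
                            'Privileged Authentication Administrator')
    'ConditionalAccess' = @('Conditional Access Administrator', 'Security Administrator')  # table says "and/or"
    'PIM'               = @('Privileged Role Administrator')
    'Applications'      = @('Application Administrator')     # or Cloud Application Administrator
    'Intune'            = @('Intune Administrator')
    'AuditLog'          = @('Reports Reader')                # Directory Readers lacks AuditLog.Read.All
    'ExchangeOnline'    = @('Exchange Administrator')
    'Teams'             = @('Teams Administrator')
}

function Grant-GuardianEntraRoles {
    param(
        [Parameter(Mandatory)] [string]   $PrincipalId,   # object ID of the connection account
        [Parameter(Mandatory)] [string[]] $FeatureAreas   # keys of $GuardianRoleMap
    )
    Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory'

    $existing = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$PrincipalId'" -All
    foreach ($area in $FeatureAreas) {
        if (-not $GuardianRoleMap.ContainsKey($area)) { throw "Unknown feature area '$area'" }
        foreach ($roleName in $GuardianRoleMap[$area]) {
            # Resolve the built-in role definition by display name rather than hard-coding template GUIDs.
            $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
            if (-not $def) { Write-Warning "Role '$roleName' not found in this tenant"; continue }
            if ($existing.RoleDefinitionId -contains $def.Id) { Write-Host "Already assigned: $roleName"; continue }
            # DirectoryScopeId '/' = tenant-wide, which is what backup/restore of arbitrary objects needs.
            $null = New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $PrincipalId `
                        -RoleDefinitionId $def.Id -DirectoryScopeId '/'
            Write-Host "Assigned: $roleName"
        }
    }
}

function Get-GuardianEntraRoles {
    # Returns the display names of every directory role currently assigned to the account.
    param([Parameter(Mandatory)] [string] $PrincipalId)
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$PrincipalId'" -All |
        ForEach-Object {
            (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
        } | Sort-Object -Unique
}

# Placeholder object ID; replace with the Guardian connection account's ID.
$guardianId = '00000000-0000-0000-0000-000000000000'
Grant-GuardianEntraRoles -PrincipalId $guardianId -FeatureAreas 'Core', 'AuditLog'
Get-GuardianEntraRoles   -PrincipalId $guardianId
```

Two of these roles deserve the same handling as Global Administrator: Privileged Authentication Administrator can reset the password and authentication methods of any user, including Global Administrators, and Privileged Role Administrator can assign any role, including Global Administrator. Protect the connection account accordingly, and compare the output of Get-GuardianEntraRoles against the feature areas you actually enabled in Guardian.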
Grant permissions for the Cayosoft Guardian AD connection account to restore deletions in AD with AD Recycle Bin enabled
Consider the following:
Delegated permissions only apply to objects deleted after these permission changes are applied.
Previously deleted objects would require Domain Admins membership for the Active Directory connection account.
The Active Directory connection account must have permissions on the target OU where the reanimated object would be placed.
To access the Deleted Objects container in Active Directory, additional configuration is required.
Run cmd as Domain Admin.
Take ownership of the Deleted Objects container:
```cmd
dsacls "CN=Deleted Objects,DC=domain,DC=com" /takeownership
```
Grant the delegated user or group the List, Read, Write permissions needed to view and restore deleted objects (LCRPWP stands for List Children, Read Property, Write Property). Replace DOMAIN\account with the Cayosoft Guardian AD connection account name:
```cmd
dsacls "CN=Deleted Objects,DC=domain,DC=com" /g DOMAIN\account:LCRPWP
```
Using the Active Directory Users and Computers snap-in, grant the Cayosoft Guardian AD connection account rights to reanimate tombstones:
Right-click the domain root and select Properties.
On the Security tab, click Advanced.
Click Add and select the Active Directory connection account.
Allow the Reanimate Tombstones permission and click OK.
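The domain-level rights from the permissions table earlier in this article and the Deleted Objects and Reanimate Tombstones steps above, carried out from PowerShell as one added example (not Cayosoft's code, and not how Guardian itself grants anything). It assumes the ActiveDirectory RSAT module, a session running as Domain Admin, and a hypothetical account name CORP\svc-guardian. The Read/Write property, Delete and Create child rights on target containers from the table depend on your OU layout and are not included.

```powershell
# Added example, not Cayosoft's code: grant the Guardian AD connection account the
# domain-root extended rights from the permissions table plus the Deleted Objects
# container rights from the steps above, then read the domain ACL back.
Import-Module ActiveDirectory

# Display names exactly as they appear in CN=Extended-Rights and in the table above.
$GuardianDomainRights = 'Replicating Directory Changes',
                        'Replicating Directory Changes All',
                        'Replication Synchronization',
                        'Reanimate Tombstones'

function Get-ExtendedRightGuid {
    # Look the rightsGuid up in the schema instead of hard-coding it.
    param([Parameter(Mandatory)] [string] $DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" -Properties rightsGuid
    if (-not $right) { throw "Extended right '$DisplayName' not found in CN=Extended-Rights" }
    [guid]$right.rightsGuid
}

function Grant-GuardianDomainRights {
    param(
        [Parameter(Mandatory)] [string] $Account,                       # hypothetical: 'CORP\svc-guardian'
        [string] $DomainDN = (Get-ADDomain).DistinguishedName
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # Extended rights on the domain head, "This object only" (no inheritance), as in the table.
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($name in $GuardianDomainRights) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            (Get-ExtendedRightGuid $name),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$DomainDN" -AclObject $acl

    # Deleted Objects cannot be read even by Domain Admins until ownership is taken, which is
    # why the steps above use dsacls; do the same here. LCRPWP = List Children, Read Property,
    # Write Property.
    $deleted = "CN=Deleted Objects,$DomainDN"
    & dsacls.exe $deleted /takeownership | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls /takeownership failed on $deleted" }
    & dsacls.exe $deleted /G "${Account}:LCRPWP" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls /G failed on $deleted" }
}

function Get-GuardianDomainRights {
    # Returns the display names of the extended rights the account holds on the domain head.
    param(
        [Parameter(Mandatory)] [string] $Account,
        [string] $DomainDN = (Get-ADDomain).DistinguishedName
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $names = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter '(objectClass=controlAccessRight)' `
        -Properties rightsGuid, displayName | ForEach-Object { $names[[guid]$_.rightsGuid] = $_.displayName }
    (Get-Acl -Path "AD:\$DomainDN").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and
                       ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) } |
        ForEach-Object { if ($names.ContainsKey($_.ObjectType)) { $names[$_.ObjectType] } else { "$($_.ObjectType)" } }
}

Grant-GuardianDomainRights -Account 'CORP\svc-guardian'
Get-GuardianDomainRights   -Account 'CORP\svc-guardian'
```

Replicating Directory Changes All is the right used by DCSync, so once this script has run the connection account can pull every password hash in the domain. Treat it as a Tier 0 account (no interactive logon on workstations, a long random or managed password, and alerting on replication requests, event ID 4662 with the replication GUIDs, from any host other than the Guardian server).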
How to grant permissions for the Cayosoft Guardian AD connection account to collect events from a domain controller
To collect events, Cayosoft Guardian should have permissions to access the domain controller remotely and access the Security log.
To access the domain controller remotely, the Cayosoft Guardian AD connection account should be a member of the Remote Management Users group.
To access logs on the domain controller, the Cayosoft Guardian AD connection account should be a member of the Event Log Readers group.
Learn more about these groups here: Default groups: Active Directory.
Open the Active Directory Users and Computers snap-in.
Open the Builtin container.
Right-click the Remote Management Users group and select Properties. On the Members tab, click Add, select the service account, and click OK to confirm.
Right-click the Event Log Readers group and select Properties. On the Members tab, click Add, select the service account, and click OK to confirm.
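The two group memberships above, added from PowerShell and then verified as the connection account, as an added example (not Cayosoft's code). It assumes the ActiveDirectory RSAT module, a Domain Admin session for the first function, and hypothetical names (svc-guardian, dc01.corp.example).

```powershell
# Added example, not Cayosoft's code: add the Guardian AD connection account to the two
# built-in groups named above and confirm that, as that account, a domain controller's
# Security log can be read remotely.
Import-Module ActiveDirectory

function Add-GuardianEventCollectorMembership {
    param([Parameter(Mandatory)] [string] $SamAccountName)   # hypothetical: 'svc-guardian'
    foreach ($group in 'Remote Management Users', 'Event Log Readers') {
        # Both groups live in CN=Builtin of the domain, so membership applies on every domain controller.
        if ((Get-ADGroupMember -Identity $group).SamAccountName -contains $SamAccountName) {
            Write-Host "Already a member of ${group}"; continue
        }
        Add-ADGroupMember -Identity $group -Members $SamAccountName
        Write-Host "Added to ${group}"
    }
    # Group membership is evaluated at logon: the account needs a new session (fresh Kerberos
    # ticket) before the checks in Test-GuardianEventAccess will pass.
}

function Test-GuardianEventAccess {
    param(
        [Parameter(Mandatory)] [string]       $DomainController,   # hypothetical: dc01.corp.example
        [Parameter(Mandatory)] [pscredential] $Credential          # the Guardian AD connection account
    )
    $result = [ordered]@{ WinRM = $false; SecurityLog = $false; LastSecurityEvent = $null; Error = @() }

    # Remote Management Users: a WinRM session on the DC (what "access the domain controller remotely" requires).
    try {
        $null = Invoke-Command -ComputerName $DomainController -Credential $Credential -ScriptBlock { $env:COMPUTERNAME }
        $result.WinRM = $true
    } catch { $result.Error += "WinRM: $($_.Exception.Message)" }

    # Event Log Readers: read one record from the Security log.
    try {
        $ev = Get-WinEvent -ComputerName $DomainController -LogName Security -MaxEvents 1 -Credential $Credential
        $result.SecurityLog = $true
        $result.LastSecurityEvent = $ev.TimeCreated
    } catch { $result.Error += "Security log: $($_.Exception.Message)" }

    [pscustomobject]$result
}

Add-GuardianEventCollectorMembership -SamAccountName 'svc-guardian'
$cred = Get-Credential 'CORP\svc-guardian'
Test-GuardianEventAccess -DomainController 'dc01.corp.example' -Credential $cred
```

Both checks must return true on every domain controller Guardian collects from; a WinRM failure on one DC usually means WinRM is not listening there rather than a group problem, since Builtin group membership is domain-wide.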