Least privilege permissions for backing up additional forests in Cayosoft Guardian
This article describes the least privilege permissions required when a Cayosoft Guardian server in one forest, for example Forest A, is used to back up and recover additional forests, for example Forest B or Forest C.
This guidance applies when the additional forests are used for Active Directory Forest Backup and Standby Forest Recovery only, and when Change monitoring, Threat detection, and rollback are not enabled for those forests.
Summary
When Cayosoft Guardian is used only for Active Directory Forest Backup and Standby Forest Recovery in a remote forest, the AD connection account does not require permanent membership in the Domain Admins group.
The Cayosoft Guardian Forest Recovery Agent performs the privileged backup work locally on each domain controller. Therefore, the connection account used to manage the backup plan can be a least privilege account.
Domain-level administrative rights are required only at two well-defined points:
- When the domain is first added to Cayosoft Guardian.
- When the Forest Recovery Agent is installed or upgraded on each domain controller.
Both operations use credentials supplied interactively in the Cayosoft Guardian web portal. These temporary credentials are not stored.
Concepts you need to know
Two separate identities are involved in a backup plan
| Identity | Where it runs | Purpose | Privileges needed at runtime |
|---|---|---|---|
| Cayosoft Guardian AD connection account, per managed domain | Runs from the Guardian server in Forest A and connects to Forest B or Forest C. | Adds the domain to Cayosoft Guardian, enumerates domain controllers, schedules and orchestrates the backup plan, and reads forest metadata. | Requires read and replication-related permissions. The account does not need permanent Domain Admins membership for backup-only use cases. |
| Forest Recovery Agent | Runs locally on each domain controller in Forest B or Forest C. | Performs the VHDX or system-state backup, BitLocker encryption, and recovery operations on the domain controller. | Runs as LocalSystem on the domain controller after installation and inherits the local privileges required to read the Active Directory database and create a backup. |
Because the Forest Recovery Agent performs the backup locally as LocalSystem, the connection account that owns the backup plan does not need to be a member of Domain Admins or Backup Operators in Forest B or Forest C for ongoing backup runs.
Two separate workflows are involved
| Workflow | Description |
|---|---|
| One-time onboarding | Adding the domain to Cayosoft Guardian, configuring partitions, and installing the Forest Recovery Agent on each domain controller. This workflow requires an elevated credential temporarily. Cayosoft Guardian prompts for the credential interactively and does not store it. |
| Ongoing backup execution and recovery | Backup and recovery operations run under the Forest Recovery Agent, which runs as LocalSystem on the domain controller, together with the persistent service or connection account. The persistent account can use a least privilege permission model. |
Required permissions for backup and Standby Forest Recovery only
The following permissions apply to Forest B and Forest C when change monitoring, rollback, and threat detection are disabled.
One-time setup, interactive credential only
Use these permissions only to add the domain to Cayosoft Guardian and to install or upgrade the Forest Recovery Agent on each domain controller.
| Task | Required membership or permission | Scope |
|---|---|---|
| Add the domain to Cayosoft Guardian by using the Managed Domains wizard. | Domain Admins in the target domain. | Target domain, for example Forest B or Forest C. |
| Install or upgrade the Forest Recovery Agent on each domain controller. | Local Administrator on each domain controller. Membership in Domain Admins satisfies this requirement. | Each target domain controller. |
| Take ownership of CN=Deleted Objects, only if Recycle Bin-based object restore is also required. | Domain Admin credentials used to run the required | Target domain. |
The elevated credential is supplied interactively in the Cayosoft Guardian Web Portal. It is not the service or connection account, and Cayosoft Guardian does not store it.
Persistent service or connection account, least privilege
Create one service account per remote forest, for example ForestB\Cayo.Guard and ForestC\Cayo.Guard. After onboarding is complete, the account needs only the following permissions in the target domain.
| Task | Required permission or membership | Scope | Applies to |
|---|---|---|---|
| Read forest and domain metadata and domain controller inventory. | Replicating Directory Changes extended right. | Domain object. | This object only. |
| Enumerate domain controllers for the backup plan. | Authenticated User read access, which is granted by default. | Domain. | Not applicable. |
| Reach domain controllers over WinRM for orchestration. | Remote Management Users built-in group. | Per domain controller in the target domain. | Not applicable. |
| Read domain controller system event channels for backup-job execution telemetry. | Event Log Readers built-in group. | Per domain controller in the target domain. | Not applicable. |
This permission set is based on the read-only model used for Cayosoft Guardian AD domain access. It excludes permissions that are required only for change monitoring, rollback, threat detection, or Exchange attribute restore.
ADSyncOperators membership is not required when Entra Connect collection is not in scope for the additional forest.
Standby Forest Recovery permissions
Standby Forest Recovery runs against the recovery site, such as Azure, AWS, or an on-premises recovery site, and against the available backups. It does not run against production domain controllers in Forest B or Forest C.
The persistent connection account does not need additional permissions in Forest B or Forest C beyond the permissions listed in this article. Recovery-site permissions are documented separately. Learn more: Permissions for Forest Recovery in Cayosoft Guardian.
Onboarding procedure
Use the following least privilege onboarding procedure for each additional forest.
1. In Forest B, create a dedicated service account, for example ForestB\Cayo.Guard.
2. Add the account to the Remote Management Users and Event Log Readers built-in groups in the target domain.
3. Delegate the Replicating Directory Changes extended right on the domain object to the account.
   - In Active Directory Users and Computers, open the domain root properties, go to Security > Advanced, add the service account, and allow Replicating Directory Changes.
4. From the Cayosoft Guardian web portal in Forest A, go to Configuration > Managed Domains, and run the Managed Domains wizard.
   - Provide a temporary Domain Admin credential for the target forest when prompted by the wizard.
   - NOTE: This credential is used only during onboarding and is not stored.
5. Add only the domain partition. Do not add the Configuration or Application partitions because they require Enterprise Admin permissions and are not needed for backup-only forests.
6. After the domain is added, switch the connection account on the managed domain to the least privilege service account, for example ForestB\Cayo.Guard.
7. Go to Configuration > Jobs, and disable every job that is not required for Forest Recovery, including change monitoring, threat detection, Microsoft 365 collection, and scheduled reports.
8. Go to Settings > System settings, and disable Threat Detection.
9. Go to Forest Recovery > Backup Plans, create the backup plan for Forest B, select the domain controllers, and click Install Agent.
10. Provide temporary Domain Admin credentials for the agent installation only. After installation, the Forest Recovery Agent runs locally as LocalSystem on each domain controller.
11. Run a test backup, and then validate Standby Forest Recovery to your recovery site.
12. Repeat the procedure for Forest C and any other additional forests.
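The following script is an added example, not Cayosoft's own code, that performs the two delegation steps of this procedure (group membership and the Replicating Directory Changes right on the domain object, "this object only") and then audits that the persistent account in the permissions table above holds nothing more. It assumes the RSAT ActiveDirectory module, a temporary Domain Admin session in the target forest, and that the Cayo.Guard account already exists; the rightsGuid is resolved from the configuration partition rather than hardcoded.

```powershell
# Added example (not Cayosoft's code): delegate the persistent connection account's
# least privilege rights in the target domain (Forest B), then audit the result.
# Assumes the RSAT ActiveDirectory module and a Domain Admin session in that forest.
# 'Cayo.Guard' is the account name used in the article; it must already exist.
Import-Module ActiveDirectory

$AccountSam = 'Cayo.Guard'
$Domain     = Get-ADDomain
$Account    = Get-ADUser -Identity $AccountSam
$Sid        = [System.Security.Principal.SecurityIdentifier]$Account.SID

# 1. Built-in groups for WinRM orchestration and event-channel reads
foreach ($group in 'Remote Management Users', 'Event Log Readers') {
    Add-ADGroupMember -Identity $group -Members $Account
}

# 2. Resolve the rightsGuid of "Replicating Directory Changes" (schema name
#    DS-Replication-Get-Changes) from the configuration partition. Do not grant
#    DS-Replication-Get-Changes-All: it is not needed here and exposes directory secrets.
$config = (Get-ADRootDSE).ConfigurationNamingContext
$right  = Get-ADObject -SearchBase "CN=Extended-Rights,$config" `
            -LDAPFilter '(name=DS-Replication-Get-Changes)' -Properties rightsGuid
$guid   = [Guid]$right.rightsGuid

# 3. Allow the right on the domain object only (inheritance None = "This object only")
$path = "AD:\$($Domain.DistinguishedName)"
$acl  = Get-Acl -Path $path
$ace  = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $Sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $guid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# 4. Audit: the right is present, and the account sits in no privileged group
$granted = (Get-Acl -Path $path).Access | Where-Object {
    $_.IdentityReference.Value -eq "$($Domain.NetBIOSName)\$AccountSam" -and
    $_.ObjectType -eq $guid -and $_.AccessControlType -eq 'Allow'
}
$privileged = Get-ADPrincipalGroupMembership -Identity $Account | Where-Object {
    $_.Name -in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Backup Operators'
}
if ($granted -and -not $privileged) {
    "OK: $AccountSam holds Replicating Directory Changes and no privileged group membership"
} else {
    "Review: right granted=$([bool]$granted); privileged groups=$($privileged.Name -join ', ')"
}
```

Run the audit section on its own at intervals after onboarding; it flags the case where the account was left in Domain Admins or Backup Operators after the wizard and agent installation completed.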
Is the Backup Operators approach required?
No. The procedure of temporarily adding the service account to Domain Admins for onboarding and then moving it to Backup Operators is not required for backup-only forests.
The Forest Recovery Agent runs as LocalSystem on each domain controller. As a result, the connection account does not need the user rights granted by Backup Operators, such as SeBackupPrivilege, to perform backups. Those privileges are exercised by the Forest Recovery Agent locally on the domain controller.
Environments that do not allow use of the Backup Operators group can omit that group. The required ongoing permissions are:
- Replicating Directory Changes
- Remote Management Users
- Event Log Readers
The only privileged operations are the one-time domain onboarding and Forest Recovery Agent installation. These operations use a temporary credential supplied interactively in the Cayosoft Guardian Web Portal, and that credential is not stored.
What to skip when Change Monitoring is not used
The following permissions and configuration items are required for Change monitoring, Rollback, or Exchange attribute restore, but are not required for backup-only forests:
- Permanent Domain Admins membership for the connection account.
- Enterprise Admins or Schema Admins membership.
- Organization Management membership in the root domain.
- ADSyncOperators membership, unless Entra Connect monitoring is required.
- Reanimate Tombstones extended right and Deleted Objects container delegation, unless AD Recycle Bin restore is required.
- Configuration, Schema, or Application partitions in the Managed Domains wizard.