
Permissions required for Active Directory

This article provides the permissions that Druva needs to back up and restore Active Directory data.


Here is the list of permissions required for Active Directory Backup and Restore actions. Each action below is followed by the permissions it requires.

For Granular Backup

  • Core AD Partitions:

    • Read permissions on the domain.

    • Read permissions on the Configuration partition.

    • Read permissions on the Schema partition.

  • Specific Containers/Zones:

    • Access to the System container (required for trusts).

    • Access to DomainDnsZones (required for DNS zones).

  • Standard AD Objects:

    • Standard LDAP read access to back up Users, Groups, Organizational Units (OUs), and Computers.

  • Group Policy Objects (GPOs):

    • Group Policy read permissions to back up GPOs.

  • Minimum delegated permissions required for a custom admin role:

    • Read all properties

    • List contents

    • Read permissions

    • Reanimate tombstones

For Granular Restore

  • Object Creation/Modification:

    • Write permissions in AD to create/update objects (User, Group, Computer, Contact, OU).

  • OU Creation and General Restore: Domain Admin rights are necessary for creating new OUs and performing general restore operations.

  • Minimum delegated permissions required for a custom admin role:

    • Read all properties

    • List contents

    • Read permissions

    • Reanimate tombstones

    • Create all child objects

    • Write all properties

    • Modify permissions

    • Write owner

For System State Backup

  • Shared Folder Access:

    • Read and write NTFS permissions on the designated shared folder.

  • Storage Space:

    • Sufficient storage space in the shared path to accommodate the local system state backup.

  • Wbadmin Tool: The Wbadmin tool must be installed, and the account must have permission to execute it.

  • Minimum delegated permissions required for a custom admin role:

    • Read all properties

    • List contents

    • Read permissions

    • Reanimate tombstones

For System State Restore - Forest Recovery

  • Minimum delegated permissions required for a custom admin role:

    • Read all properties

    • List contents

    • Read permissions

    • Reanimate tombstones

    • Create all child objects

    • Write all properties

    • Modify permissions

    • Write owner
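The two delegation sets above (the four read-type rights for a backup role, and the same four plus the four write-type rights for a restore or forest-recovery role) correspond to values of the .NET ActiveDirectoryRights enumeration that the domain's security descriptor exposes. The following PowerShell script is an added example, not part of this article and not Druva's own tooling: it checks whether a given account has been granted those rights directly on the domain root, so a custom admin role can be verified before a job is run instead of failing mid-way. The function name, the mapping from the article's wording to ActiveDirectoryRights values, the Reanimate-Tombstones extended-right GUID and the sample account name are assumptions; it requires the ActiveDirectory module (RSAT) for the AD: drive.

```powershell
# Added example (not from the Druva article): audit delegated rights on the domain root.
# Assumes the ActiveDirectory module is installed; rights mapping and GUID are assumptions.
Import-Module ActiveDirectory

# Schema GUID of the "Reanimate Tombstones" control access right (assumed value).
$ReanimateTombstonesGuid = [guid]'45ec5156-db7e-47bb-b53f-dbeb2d03c40f'

# Article wording -> ActiveDirectoryRights flag (assumed mapping).
$RoleRights = @{
    'Backup' = @{
        'Read all properties'  = 'ReadProperty'
        'List contents'        = 'ListChildren'
        'Read permissions'     = 'ReadControl'
        'Reanimate tombstones' = 'ExtendedRight'   # checked against the GUID below
    }
}
$RoleRights['Restore'] = $RoleRights['Backup'].Clone()
$RoleRights['Restore'] += @{
    'Create all child objects' = 'CreateChild'
    'Write all properties'     = 'WriteProperty'
    'Modify permissions'       = 'WriteDacl'
    'Write owner'              = 'WriteOwner'
}

function Test-AdRoleDelegation {
    param(
        [Parameter(Mandatory)][string]$Identity,                       # e.g. 'CONTOSO\svc-backup' (constructed)
        [ValidateSet('Backup', 'Restore')][string]$Role = 'Backup',
        [string]$Path = (Get-ADDomain).DistinguishedName               # defaults to the domain root
    )

    $acl = Get-Acl -Path "AD:\$Path"

    # Only Allow ACEs granted directly to this identity are considered. Rights that
    # arrive through group membership are not resolved here, and Deny ACEs are ignored,
    # so a "Compliant" result is a necessary but not sufficient check.
    $allow = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Identity
    }

    $missing = @(foreach ($entry in $RoleRights[$Role].GetEnumerator()) {
        $name  = $entry.Key
        $right = [System.DirectoryServices.ActiveDirectoryRights]$entry.Value
        $granted = $allow | Where-Object {
            # An ACE scoped to a single property or right (non-empty ObjectType) does not
            # satisfy an "all properties" requirement; for the extended right, accept an
            # all-extended-rights ACE (empty GUID) or the specific Reanimate-Tombstones GUID.
            $objectOk = if ($right -eq 'ExtendedRight') {
                $_.ObjectType -in @([guid]::Empty, $ReanimateTombstonesGuid)
            } else {
                $_.ObjectType -eq [guid]::Empty
            }
            $_.ActiveDirectoryRights.HasFlag($right) -and $objectOk
        }
        if (-not $granted) { $name }
    })

    [pscustomobject]@{
        Identity  = $Identity
        Role      = $Role
        Path      = $Path
        Missing   = $missing
        Compliant = ($missing.Count -eq 0)
    }
}

# Usage (account name is a constructed placeholder):
# Test-AdRoleDelegation -Identity 'CONTOSO\svc-backup' -Role Restore
```

The Missing property lists the article's own right names, so the output can be compared line by line with the list above. Because GenericAll and GenericRead set the underlying bits, an account holding full control also passes; the check does not distinguish least-privilege delegation from over-delegation, it only reports what is absent.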

Restore Deleted Objects (Recycle Bin Access)

To restore deleted objects, read and list access to the Recycle Bin (Deleted Objects container) is required. Since this container is protected, ownership must be taken before assigning permissions.

  • Take ownership of the Deleted Objects container

  • Grant List Contents (LC) and Read Property (RP) permissions to the service account

Generic example commands:

  • Take ownership of the Deleted Objects container:

    dsacls "CN=Deleted Objects,<Domain DN>" /takeownership

  • Grant read and list permissions to the service account:

    dsacls "CN=Deleted Objects,<Domain DN>" /G "<Domain>\<ServiceAccount>:LCRP"
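The two dsacls steps above have to run in that order, because the Deleted Objects container is protected and the grant fails until ownership has been taken. The following PowerShell function is an added example, not part of this article and not Druva's own tooling: it resolves the domain DN instead of requiring it to be typed, runs both commands, stops on the first failure, and then prints the resulting ACL entries for the account so the change can be reviewed and confirmed to be read-only (LC and RP, nothing more). The function name and the sample account are assumptions; it assumes the ActiveDirectory module is installed and that it is run by an account allowed to take ownership (the article states Domain Admin rights for general restore operations).

```powershell
# Added example (not from the Druva article): apply and review the Deleted Objects grant.
# Assumes the ActiveDirectory module (for Get-ADDomain) and dsacls.exe are available.
Import-Module ActiveDirectory

function Grant-DeletedObjectsReadAccess {
    param(
        [Parameter(Mandatory)][string]$ServiceAccount   # e.g. 'CONTOSO\svc-backup' (constructed placeholder)
    )

    $domainDN  = (Get-ADDomain).DistinguishedName
    $container = "CN=Deleted Objects,$domainDN"

    # Step 1: take ownership. The container is protected, so this must precede any grant.
    & dsacls.exe $container /takeownership | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Taking ownership of '$container' failed (dsacls exit code $LASTEXITCODE)"
    }

    # Step 2: grant List Contents (LC) and Read Property (RP) only; no write rights are added.
    # ${ } braces keep PowerShell from reading "$ServiceAccount:LCRP" as a scoped variable.
    & dsacls.exe $container /G "${ServiceAccount}:LCRP" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Granting LCRP on '$container' to '$ServiceAccount' failed (dsacls exit code $LASTEXITCODE)"
    }

    # Step 3: review. dsacls with no switches prints the current ACL; show the lines that
    # mention the account so the reviewer can confirm only the intended rights were added.
    Write-Host "ACL entries for $ServiceAccount on $container :"
    & dsacls.exe $container | Select-String -SimpleMatch $ServiceAccount
}

# Usage (account name is a constructed placeholder):
# Grant-DeletedObjectsReadAccess -ServiceAccount 'CONTOSO\svc-backup'
```

Running the grant once is idempotent in practice (dsacls /G adds an ACE; repeating it does not widen the rights), but taking ownership changes the container's owner to the running account, so the review step is worth keeping in the change record.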
