Granular Permissions for active directory recovery

  • January 30, 2026
  • 2 replies
  • 45 views


Hi All,

I’m hoping for some guidance from those who have completed this step of the deployment (Complete the Guided Setup for Active Directory).

I want to give the service account least-privileged access to the domain, as I am not comfortable with giving the service account full Domain Admin rights as has been suggested by the deployment team.

Has anyone got a breakdown of the steps to achieve the above in Active Directory? From what I've seen, it looks like we need to set some of the required permissions within ADSI Edit?

Any guidance would be great especially from those who have implemented this successfully.

2 replies

  • Vaulter
  • February 1, 2026

Hi @MTCV

Good day!

To configure least privileged access for the Commvault Active Directory (AD) backup service account (instead of using Domain Admin rights), follow these steps:

1. Create a Standard Domain User Account
In Active Directory Users and Computers (ADUC), create a new user (e.g., cvbackup).
Add this user to the Remote Management Users group.
This allows backup of standard AD objects and Group Policy Objects (GPOs) via PowerShell.

2. Grant Folder Permissions on the Agent Server
On the server where the Commvault agent is installed, give the backup account Write permission to:
C:\Program Files\Commvault\ContentStore\iDataAgent\JobResults\
This is required for backup job results.

3. Grant Additional Permissions for Special AD Objects
Some AD objects require higher privileges. For these, you must manually assign permissions using ADSI Edit.

Objects Requiring Extra Permissions:

DomainDNSZone
ForestDNSZone
Configuration/Sites
IP Security
Keys
NTDS Quotas

Steps in ADSI Edit:

Open ADSI Edit (run adsiedit.msc).
Connect to the appropriate naming context (e.g., Default naming context).
For each object above, navigate to the object (e.g., right-click DomainDNSZone).
Select Properties.
Go to the Security tab.
Click Add, select your backup user.
Grant Read and List Contents permissions.
Apply these permissions to "this object and all descendant objects".
Repeat for each object in the list.

4. Restore Permissions

To restore AD objects, the account needs Read, Change, and Create Child Objects permissions on the relevant AD containers.
By default, only Domain Admins, Enterprise Admins, and Administrators have these.
If you want to use your least-privileged account for restores, delegate these permissions as needed in ADUC or ADSI Edit.


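The delegation in steps 3 and 4 above can be applied from PowerShell instead of clicking through ADSI Edit, which makes it repeatable and easy to review. The script below is an added example and is not from the original reply or from Commvault; it uses the ActiveDirectory module's AD: drive and the standard ActiveDirectoryAccessRule class. Assumptions not in the post: the backup account is cvbackup in the current domain, the restore scope is an OU named OU=Restores (change it to the OUs you actually restore into), and the script is run once by a Domain Admin. DomainDnsZones and ForestDnsZones are separate application partitions rather than children of the domain, and the Keys container only exists on a Windows Server 2016 or later schema, so the helper skips anything it cannot find.

```powershell
# Added example (not from the original post or from Commvault): delegate the
# read/list rights of step 3 and the scoped restore rights of step 4 to the
# backup account with an ACE inherited by the object and all descendants.
Import-Module ActiveDirectory

function Grant-AdRights {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid,
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights
    )
    $path = "AD:\$DistinguishedName"
    if (-not (Test-Path -Path $path)) {
        Write-Warning "Skipping, object not found: $DistinguishedName"
        return
    }
    # Allow ACE with inheritance "All": the ADSI Edit option
    # "This object and all descendant objects".
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

$accountName = 'cvbackup'                          # assumption
$sid      = (Get-ADUser -Identity $accountName).SID
$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$configDN = $rootDse.configurationNamingContext
$forestDN = $rootDse.rootDomainNamingContext       # forest root domain

# Step 3: Read + List Contents on the containers named in the reply.
$readTargets = @(
    "DC=DomainDnsZones,$domainDN",
    "DC=ForestDnsZones,$forestDN",
    "CN=Sites,$configDN",
    "CN=IP Security,CN=System,$domainDN",
    "CN=Keys,$domainDN",
    "CN=NTDS Quotas,$domainDN"
)
$readRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ListChildren
foreach ($dn in $readTargets) {
    Grant-AdRights -DistinguishedName $dn -Sid $sid -Rights $readRights
}

# Step 4: restore rights on one OU rather than the domain root. There is no
# "Change" right in the ADSI rights enum; the nearest is WriteProperty.
# CreateChild lets the account recreate objects under this OU.
$restoreOU = "OU=Restores,$domainDN"               # assumption
$restoreRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
Grant-AdRights -DistinguishedName $restoreOU -Sid $sid -Rights $restoreRights

# Check: show every ACE that now names the backup account on each target,
# so the delegation can be reviewed (and later audited) in one place.
foreach ($dn in ($readTargets + $restoreOU)) {
    $path = "AD:\$dn"
    if (Test-Path -Path $path) {
        (Get-Acl -Path $path).Access |
            Where-Object { $_.IdentityReference.Value -like "*\$accountName" } |
            Select-Object @{ n = 'Object'; e = { $dn } },
                          ActiveDirectoryRights, InheritanceType, IsInherited
    }
}
```

Run the final check before and after the delegation: if the account already reads a container through a broader group such as Authenticated Users, the explicit read ACE is harmless but redundant, and the check makes that visible. Treat the step 4 rights as sensitive even when scoped: WriteProperty on an OU's descendants allows the account to modify attributes of every user and group beneath it, so keep the restore OU list to the objects you actually expect to recover and widen it only when a restore needs it.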
  • Author
  • Novice
  • February 2, 2026

Hi Syed,

Thank you for your response; that is helpful. To confirm, in step 4, which containers are you referring to that need ‘Read’, ‘Change’ and ‘Create Child Object’ permissions?
