Active Directory Permissions to Back Up Group Policy Objects



Hello!

Having just upgraded to 2024E, specifically 11.36.41, I notice the Active Directory agent now supports backups for GPO as documented here - Great. Changes in Commvault Platform Release 2024E

However, the permissions required are not particularly helpful:

  • Permissions to Back Up Group Policy Objects via PowerShell: The account must have the necessary permissions to back up GPOs using PowerShell cmdlets. By default, members of the Remote Management Users group possess these permissions.

My question is, if you don’t want the account to be a member of “Remote Management Users” or admin groups, what granular permissions can be set on the account to still achieve the backup?

 

full error:
-----

Currently, whilst the backup is completing for AD as it always has, it’s now completing but with error “Failed to process group policy object”.
Error Code: [28:548]
Description: Failed to process group policy object. Please verify following: (1) User account configured in Active Directory connection settings is member of Remote Management Users group or has administrator permissions. (2) User account configured in Active Directory connection settings has read and write permission to job results directory.

-----

7 replies

Damian Andre
Vaulter

Hi @Rafter,

I gathered some info internally that may help with this:

To back up Group Policy Objects (GPOs) using PowerShell cmdlets, you need appropriate permissions on the Group Policy objects. Specifically, you require:

1. Minimum Permissions Required

  • Read and Backup permissions on the GPOs you want to back up.

2. Recommended Group Memberships

To successfully back up GPOs, you should be a member of one of the following groups:

  • Domain Admins (recommended)
  • Enterprise Admins
  • Group Policy Creator Owners (if you are the owner of the GPO)
  • A custom security group with at least the following permissions:
    • Read
    • List Contents
    • Read Permissions
    • Backup Group Policy Objects

  • Byte
  • 14 replies
  • April 4, 2025

Hello

I ran into the same issue yesterday.

Hoping that the original poster can confirm whether the suggestion here worked or whether there was some alternative.

Thanks


  • Author
  • Bit
  • 5 replies
  • April 4, 2025

Hi,

To be honest, no I’ve not found a working solution at the moment, but more down to time.

The recommendation of Domain/Ent Admin is just ridiculous, no service account in our org is a Domain Admin.  I’ve attempted with the Group Policy Creator Owners builtin role, which wouldn’t be ideal, but that doesn’t appear to work anyway.

A custom security group is the way we’d like to go, but setting that on existing GPO raises a lot of concern and remembering to set it for every new GPO will be a change nightmare as there’s no inheritance on the permission.

So I’ve left it completing with errors for now, hoping someone else comes up with a solution! 😀

All that said, it also failed with a brief test with domain admin membership (size went up, but still errors - may just be one item with incorrect privileges I guess), which needs investigation and may help work out using lesser privileges with GPO CreatorOwner.

Keep me posted if you find a resolution before we have the time to resolve!
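
One way to check the per-GPO delegation concern raised above and the custom-group option from the earlier reply, as an added example that is not part of the thread and not Commvault's own code. It uses the GroupPolicy module's `Get-GPPermission`, `Set-GPPermission` and `Backup-GPO` cmdlets; the group name and scratch path are placeholders, and whether Read delegation alone satisfies the Commvault agent is not confirmed in this thread.

```powershell
# Added example; $Group and $ScratchDir are placeholders, not values from the thread.
Import-Module GroupPolicy

$Group      = 'GPO-Backup-Readers'   # hypothetical custom security group for the backup account
$ScratchDir = 'C:\GpoTest'           # hypothetical short path (a path length error is reported in this thread)

# Run as a GPO administrator: list GPOs where the group has no delegation entry.
# Delegation is set per GPO, so a GPO created later shows up here until it is granted.
function Get-GpoDelegationGap {
    param([string]$GroupName, [switch]$Grant)
    foreach ($gpo in Get-GPO -All) {
        $level = 'None'
        try {
            $p = Get-GPPermission -Guid $gpo.Id -TargetName $GroupName -TargetType Group -ErrorAction Stop
            if ($p) { $level = [string]$p.Permission }
        } catch { $level = 'None' }   # no entry for the group on this GPO
        if ($level -eq 'None') {
            if ($Grant) {
                # GpoRead is the lowest built-in level; it does not allow editing the GPO.
                Set-GPPermission -Guid $gpo.Id -TargetName $GroupName -TargetType Group -PermissionLevel GpoRead | Out-Null
                $level = 'GpoRead (granted now)'
            }
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Id = $gpo.Id; Level = $level }
        }
    }
}

# Run as the backup service account: back up each visible GPO on its own, so a
# single failing GPO is reported by name instead of only failing the whole run.
function Test-GpoBackup {
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    foreach ($gpo in Get-GPO -All) {
        try {
            Backup-GPO -Guid $gpo.Id -Path $Path -ErrorAction Stop | Out-Null
            $result = 'OK'
        } catch { $result = $_.Exception.Message }
        [pscustomobject]@{ Gpo = $gpo.DisplayName; Id = $gpo.Id; Result = $result }
    }
}

Get-GpoDelegationGap -GroupName $Group | Format-Table -AutoSize      # add -Grant to fill the gaps
Test-GpoBackup -Path $ScratchDir | Where-Object Result -ne 'OK' | Format-Table -AutoSize -Wrap
```

Scheduling the first function as a report catches new GPOs that were created without the group's delegation entry.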


  • Author
  • Bit
  • 5 replies
  • April 4, 2025

Here’s a quick update: I thought I’d take a look in the logs. When Domain Admin, it failed with a path length error, so it has completed most GPOs.

I notice release update 11.36.49, released a couple of days ago.  One hotfix reference to resolving issues with GPO backups, so that’s going to be the next test, applying the update!

AD - PowerShell to backup GPOs may fail. (9663)


Getting it working with a domain admin account in dev environment will at least help look at the permissions after that.


  • Byte
  • 48 replies
  • April 7, 2025

All, is there a way to disable the Group Policy Objects part of the AD backups?


  • Byte
  • 14 replies
  • April 8, 2025

Hi Rafter

Just to let you know, I had two failing DC backups (have 19 different domains for various customers)

Applying 11.36.49 has resolved this issue for one of the AD backups. The other one is still failing; it appears to be always on the same GPO.

My AD expert says he can back it up using the PowerShell command in the logs.

I have a ticket open, we will see what happens

@atitagain - I’m sure I saw a parameter in the documentation when reading last week - of course, I can’t find it now


  • Byte
  • 48 replies
  • April 8, 2025

@jracjdb2 if you find this parameter again, would you mind sharing?

 

thanks 

