Permissions Required for the AD Account Configured in ADManager Plus


www.admanagerplus.com
Table of contents

User Management
  i. Create Users
  ii. Modify Users
  iii. Delete Users
  iv. Restore Users
Contact Management
  i. Create Contacts
  ii. Modify Contacts
  iii. Delete Contacts
  iv. Restore Contacts
Computer Management
  i. Create Computers
  ii. Modify Computers
  iii. Delete Computers
  iv. Restore Computers
Group Management
  i. Create Groups
  ii. Modify Groups
  iii. Delete Groups
  iv. Restore Groups
GPO Management and Reporting
AD Reporting
File Permission Management
Exchange Management and Reporting
Microsoft 365 Management and Reporting
Active Directory migration
Google Workspace Management and Reporting
High Availability
To carry out the desired Active Directory (AD) management and reporting operations, ADManager Plus must be provided with the necessary permissions. This is done by entering the credentials of a user account that has been granted the necessary permissions in the Domain Settings section of the Admin tab in ADManager Plus.

The user account that you provide can be a Domain Admin account. If you do not want to use a Domain Admin account, you can use a user account that has been granted sufficient privileges to carry out the necessary operations.

The following sections list the least privileges that have to be assigned to a user account for performing each operation.

User Management
This section provides a detailed explanation on the permissions required to create, modify and
delete user accounts.

Operation: Create users

Permissions needed:
- Must be a member of the Account Operators Group

- Must have the Read and Write permissions on all user objects of the required OU.

Steps to grant the permissions to create a user account:

1. Log on to your domain controller and launch Active Directory Users and Computers.

2. Locate and right-click the domain/OU for which you wish to grant the required permissions and select Delegate Control. The Delegation of Control wizard will pop up.

3. Click Next, add the required user account and click Next.

4. Select the Create a custom task to delegate option.

5. Select the Only objects in this folder option and select the User objects checkbox. Also select the Create selected objects in this folder option as indicated in the following image.

6. Click Next. Under the Show these permissions section, select the General and Property-specific options.

7. Under the permissions section, select the Read and Write permissions and click Next as indicated in the following image.

8. Click Finish.

Operation: Modify users

Permissions needed:
- Must be a member of the Account Operators Group

- Must have the Read, Write, Read All Properties permissions on all user objects of the required OU.

Steps to grant the permissions to modify a user account:

1. Log on to your domain controller and launch Active Directory Users and Computers.

2. Locate and right-click the domain/OU for which you wish to grant the required permissions and select Delegate Control. The Delegation of Control wizard will pop up.

3. Click Next, add the required user account and click Next.

4. Select the Create a custom task to delegate option.

5. Select the Only objects in this folder option and select the User objects option as indicated in the following image.

6. Click Next. Under the Show these permissions section, select the General and Property-specific options.

7. Under the permissions section, select the Read, Write and Read all properties permissions and click Next as indicated in the following image.

8. Click Finish.

Operation: Delete users

Permissions needed:
- Must be a member of the Account Operators Group

- Must have the Delete All Child Objects permission on all user objects of the required OU.

Steps to grant the permissions to delete a user account:

1. Log on to your domain controller and launch Active Directory Users and Computers.

2. Locate and right-click the domain/OU for which you wish to grant the required permissions and select Delegate Control. The Delegation of Control wizard will pop up.

3. Click Next, add the required user account and click Next.

4. Select the Create a custom task to delegate option.

5. Select the Only objects in this folder option and select the User objects checkbox. Also select the Delete selected objects in this folder option as indicated in the following image.

6. Click Next. Under the Show these permissions section, select the General and Creation/Deletion of specific child objects options.

7. Under the permissions section, select the Delete all child objects permission and click Next as indicated in the following image.

8. Click Finish.

Operation: Restore users

Permissions needed:
- The user modifying the permissions on the deleted objects container must be a member of the Domain Admins group.
- The Active Directory Application Mode (ADAM) tool has to be downloaded and installed separately on domain controllers running Windows Server 2000 and 2003.

Steps to grant the permissions required to restore a deleted AD user

Any object deleted from AD is stored in the deleted objects container and can be restored before the end of its tombstone lifetime. To restore a deleted AD object, non-administrators must have sufficient permission to access this container. To grant the required permissions:

1. Log in to your domain controller and launch the ADAM Tools Command Prompt.

2. Run a command in the following format to take ownership of the container:

   dsacls "CN=Deleted Objects,DC=admanagerplus,DC=com" /takeownership

Note: Every domain in a forest has its own deleted objects container, so it is essential to specify the domain name of the deleted objects container whose permissions you want to modify. Replace admanagerplus and com with your domain components.

3. To grant a security principal permission to access the deleted objects container, run a command in the following format:

   dsacls "CN=Deleted Objects,DC=admanagerplus,DC=com" /g ADMANAGERPLUS\LukeJohnson:LCRPWP

Note: Replace "LukeJohnson" with the security principal of your choice.

4. Next, connect to the default naming context, right-click the domain root, and select Properties.

5. In the Security tab, click Advanced.

6. Add the user or group, and select the following rights:

   a. Reanimate tombstones
   b. Create User objects
   c. Write all properties

Note: Apply the Reanimate tombstones right to the object being secured and its descendant objects.

7. Click OK.

Note: Only objects deleted after the above-mentioned permissions have been delegated can be restored.

Contact Management
This section provides a detailed explanation on the permissions required to create, modify and
delete contacts in AD.

Operation: Create contacts

Permissions needed:
- Must be a member of the Account Operators Group

- Must have the Read and Write permissions on all contact objects of the required OU.

Steps to grant the permissions to create a contact:

1. Log on to your domain controller and launch Active Directory Users and Computers.

2. Locate and right-click the domain/OU for which you wish to grant the required permissions and select Delegate Control. The Delegation of Control wizard will pop up.

3. Click Next, add the required user account and click Next.

4. Select the Create a custom task to delegate option.

5. Select the Only objects in this folder option and select the Contact objects checkbox. Also select the Create selected objects in this folder option as indicated in the image below.

6. Click Next. Under the Show these permissions section, select the General and Property-specific options.

7. Under the permissions section, select the Read and Write permissions and click Next.

8. Click Finish.

Operation: Modify contacts

Permissions needed:
- Must be a member of the Account Operators Group

- Must have the Read, Write, Read All Properties permissions on all user objects of the required OU.

Steps to grant the permissions to modify a contact:

1. Log on to your domain controller and launch Active Directory Users and Computers.

2. Locate and right-click the domain/OU for which you wish to grant the required permissions and select Delegate Control. The Delegation of Control wizard will pop up.

3. Click Next, add the required user account and click Next.

4. Select the Create a custom task to delegate option.

5. Select the Only objects in this folder option and select the Contact objects option as indicated in the following image.

6. Click Next. Under the Show these permissions section, select the General and Property-specific options.

7. Under the permissions section, select the Read, Write and Read all properties permissions and click Next.

8. Click Finish.

Operation: Delete contacts

Permissions needed:
- Must be a member of the Account Operators Group

- Must have the Delete All Child objects permission on all contact objects of the required OU.

Steps to grant the permissions to delete a contact:

1. Log on to your domain controller and launch Active Directory Users and Computers.

2. Locate and right-click the domain/OU for which you wish to grant the required permissions and select Delegate Control. The Delegation of Control wizard will pop up.

3. Click Next, add the required user account and click Next.

4. Select the Create a custom task to delegate option.

5. Select the Only objects in this folder option and select the Contact objects checkbox. Also select the Delete selected objects in this folder option as depicted in the image below.

6. Click Next. Under the Show these permissions section, select the General and Creation/Deletion of specific child objects options.

7. Under the permissions section, select the Delete all child objects permission and click Next.

8. Click Finish.

Operation: Restore contacts

Permissions needed:
- The user modifying the permissions on the deleted objects container must be a member of the Domain Admins group.
- The Active Directory Application Mode (ADAM) tool has to be downloaded and installed separately on domain controllers running Windows Server 2000 and 2003.

Steps to grant the permissions required to restore a deleted AD contact

Any object deleted from AD is stored in the deleted objects container and can be restored before the end of its tombstone lifetime. To restore a deleted AD object, non-administrators must have sufficient permission to access this container. To grant the required permissions:

1. Log in to your domain controller and launch the ADAM Tools Command Prompt.

2. Run a command in the following format to take ownership of the container:

   dsacls "CN=Deleted Objects,DC=admanagerplus,DC=com" /takeownership

Note: Every domain in a forest has its own deleted objects container, so it is essential to specify the domain name of the deleted objects container whose permissions you want to modify. Replace admanagerplus and com with your domain components.

3. To grant a security principal permission to access the deleted objects container, run a command in the following format:

   dsacls "CN=Deleted Objects,DC=admanagerplus,DC=com" /g ADMANAGERPLUS\LukeJohnson:LCRPWP

Note: Replace "LukeJohnson" with the security principal of your choice.

4. Next, connect to the default naming context, right-click the domain root, and select Properties.

5. In the Security tab, click Advanced.

6. Add the user or group, and select the following rights:

   a. Reanimate tombstones
   b. Create Contact objects
   c. Write all properties

Note: Apply the Reanimate tombstones right to the object being secured and its descendant objects.

7. Click OK.

Note: Only objects deleted after the above-mentioned permissions have been delegated can be restored.

Computer Management
This section provides a detailed explanation on the permissions required to create, modify and
delete computers in AD.

Operation: Create computers

Permissions needed:
- Must be a member of the Account Operators Group

- Must have the Read and Write permissions on all computer objects of the required OU.

Steps to grant the permissions to create a computer account:

1. Log on to your domain controller and launch Active Directory Users and Computers.

2. Locate and right-click the domain/OU for which you wish to grant the required permissions and select Delegate Control. The Delegation of Control wizard will pop up.

3. Click Next, add the required user account and click Next.

4. Select the Create a custom task to delegate option.

5. Select the Only objects in this folder option and select the Computer objects checkbox. Also select the Create selected objects in this folder option as indicated in the following image.

6. Click Next. Under the Show these permissions section, select the General and Property-specific options.

7. Under the permissions section, select the Read and Write permissions and click Next.

8. Click Finish.
Operation: Modify computers

Permissions needed:
- Must be a member of the Account Operators Group

- Must have the Read, Write, Read All Properties permissions on all computer objects of the required OU.

Steps to grant the permissions to modify a computer account:

1. Log on to your domain controller and launch Active Directory Users and Computers.

2. Locate and right-click the domain/OU for which you wish to grant the required permissions and select Delegate Control. The Delegation of Control wizard will pop up.

3. Click Next, add the required user account and click Next.

4. Select the Create a custom task to delegate option.

5. Select the Only objects in this folder option and select the Computer objects checkbox as depicted in the image below.

6. Click Next. Under the Show these permissions section, select the General and Property-specific options.

7. Under the permissions section, select the Read, Write and Read all properties permissions and click Next.

8. Click Finish.

Operation: Delete computers

Permissions needed:
- Must be a member of the Account Operators Group

- Must have the Delete All Child objects permission on all computer objects of the required OU.

Steps to grant the permissions to delete a computer account:

1. Log on to your domain controller and launch Active Directory Users and Computers.

2. Locate and right-click the domain/OU for which you wish to grant the required permissions and select Delegate Control. The Delegation of Control wizard will pop up.

3. Click Next, add the required user account and click Next.

4. Select the Create a custom task to delegate option.

5. Select the Only objects in this folder option and select the Computer objects checkbox as depicted in the image below.

6. Click Next. Under the Show these permissions section, select the General and Creation/Deletion of specific child objects options.

7. Under the permissions section, select the Delete all child objects permission and click Next.

8. Click Finish.

Operation: Restore computers

Permissions needed:
- The user modifying the permissions on the deleted objects container must be a member of the Domain Admins group.
- The Active Directory Application Mode (ADAM) tool has to be downloaded and installed separately on domain controllers running Windows Server 2000 and 2003.

Steps to grant the permissions required to restore a deleted AD computer

Any object deleted from AD is stored in the deleted objects container and can be restored before the end of its tombstone lifetime. To restore a deleted AD object, non-administrators must have sufficient permission to access this container. To grant the required permissions:

1. Log in to your domain controller and launch the ADAM Tools Command Prompt.

2. Run a command in the following format to take ownership of the container:

   dsacls "CN=Deleted Objects,DC=admanagerplus,DC=com" /takeownership

Note: Every domain in a forest has its own deleted objects container, so it is essential to specify the domain name of the deleted objects container whose permissions you want to modify. Replace admanagerplus and com with your domain components.

3. To grant a security principal permission to access the deleted objects container, run a command in the following format:

   dsacls "CN=Deleted Objects,DC=admanagerplus,DC=com" /g ADMANAGERPLUS\LukeJohnson:LCRPWP

Note: Replace "LukeJohnson" with the security principal of your choice.

4. Next, connect to the default naming context, right-click the domain root, and select Properties.

5. In the Security tab, click Advanced.

6. Add the user or group, and select the following rights:

   a. Reanimate tombstones
   b. Create Computer objects
   c. Write all properties

Note: Apply the Reanimate tombstones right to the object being secured and its descendant objects.

7. Click OK.

Note: Only objects deleted after the above-mentioned permissions have been delegated can be restored.

Group Management
This section provides a detailed explanation on the permissions required to create, modify and
delete groups in AD.

Operation: Create Groups

Permissions needed:
- Must be a member of the Account Operators Group

- Must have the Read and Write permissions on all the group objects of the required OU.

Steps to grant the permissions to create groups:

1. Log on to your domain controller and launch Active Directory Users and Computers.

2. Locate and right-click the domain/OU for which you wish to grant the required permissions and select Delegate Control. The Delegation of Control wizard will pop up.

3. Click Next, add the required user account and click Next.

4. Select the Create a custom task to delegate option.

5. Select the Only objects in this folder option and select the Group objects checkbox. Also select the Create selected objects in this folder option as depicted in the following image.

6. Click Next. Under the Show these permissions section, select the General and Property-specific options.

7. Under the permissions section, select the Read and Write permissions and click Next.

8. Click Finish.

Operation: Modify Groups

Permissions needed:
- Must be a member of the Account Operators Group

- Must have the Read, Write, Read All Properties permissions on all the group objects of the required OU.

Steps to grant the permissions to modify groups:

1. Log on to your domain controller and launch Active Directory Users and Computers.

2. Locate and right-click the domain/OU for which you wish to grant the required permissions and select Delegate Control. The Delegation of Control wizard will pop up.

3. Click Next, add the required user account and click Next.

4. Select the Create a custom task to delegate option.

5. Select the Only objects in this folder option and select the Group objects checkbox as indicated in the following image.

6. Click Next. Under the Show these permissions section, select the General and Property-specific options.

7. Under the permissions section, select the Read, Write and Read all properties permissions and click Next.

8. Click Finish.

Operation: Delete Groups

Permissions needed:
- Must be a member of the Account Operators Group

- Must have the Delete All Child Objects permission on all the group objects of the required OU.

Steps to grant the permissions to delete groups:

1. Log on to your domain controller and launch Active Directory Users and Computers.

2. Locate and right-click the domain/OU for which you wish to grant the required permissions and select Delegate Control. The Delegation of Control wizard will pop up.

3. Click Next, add the required user account and click Next.

4. Select the Create a custom task to delegate option.

5. Select the Only objects in this folder option and select the Group objects checkbox. Also select the Delete selected objects in this folder option as depicted in the image below.

6. Click Next. Under the Show these permissions section, select the General and Creation/Deletion of specific child objects options.

7. Under the permissions section, select the Delete all child objects permission and click Next.

8. Click Finish.
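The Delegation of Control wizard steps above for creating, modifying and deleting users, contacts, computers and groups all place the same three kinds of access control entry on an OU. As an added example that is not from this ManageEngine document, the PowerShell below grants those entries from a script and then lists what the account actually holds on the OU, so the delegation can be reviewed against the lists above before the credentials are entered in Domain Settings. It assumes PowerShell 5 or later with the RSAT ActiveDirectory module, an account permitted to edit the OU's security descriptor, placeholder values for the OU DN and service account, and that the wizard's Read/Write choices correspond to GenericRead/GenericWrite (my reading of the wizard, not something the document states).

```powershell
Import-Module ActiveDirectory

# Well-known schema class GUIDs. An ACE carrying one of these as its object type (or
# inherited object type) applies to that class only, which is what the wizard's
# "Only objects in this folder -> <Class> objects" choice produces.
$SchemaClassGuid = @{
    user     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
    contact  = [Guid]'5cb41ed0-0e4c-11d0-a286-00aa003049e2'
    computer = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
    group    = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
}

function Grant-AdmpDelegation {
    # Create -> CreateChild of the class on the OU itself ("Create selected objects in this folder")
    # Modify -> Read, Write and Read all properties on descendant objects of the class
    # Delete -> DeleteChild of the class on the OU itself ("Delete selected objects in this folder")
    param(
        [Parameter(Mandatory)][string]$OuDn,      # placeholder, e.g. 'OU=Staff,DC=example,DC=com'
        [Parameter(Mandatory)][string]$Identity,  # placeholder, e.g. 'EXAMPLE\svc-admp'
        [Parameter(Mandatory)][ValidateSet('user', 'contact', 'computer', 'group')]
        [string]$ObjectClass,
        [ValidateSet('Create', 'Modify', 'Delete')]
        [string[]]$Operations = @('Create', 'Modify', 'Delete')
    )
    $classGuid = $SchemaClassGuid[$ObjectClass]
    $sid   = ([System.Security.Principal.NTAccount]$Identity).Translate(
                 [System.Security.Principal.SecurityIdentifier])
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $self  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    $below = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $acl   = Get-Acl -Path "AD:\$OuDn"

    foreach ($op in $Operations) {
        $ace = switch ($op) {
            'Create' {
                [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                    $sid, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
                    $allow, $classGuid, $self)
            }
            'Delete' {
                [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                    $sid, [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild,
                    $allow, $classGuid, $self)
            }
            'Modify' {
                # Inherited object type = class GUID: only existing objects of that class
                # beneath the OU match, not the OU itself and not objects of other classes.
                $rights = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, GenericWrite, ReadProperty'
                [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                    $sid, $rights, $allow, $below, $classGuid)
            }
        }
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-AdmpDelegation {
    # Lists every ACE the account holds on the OU (matched by its DOMAIN\name form) so it can
    # be compared with the document's lists; anything beyond them is excess privilege.
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$Identity
    )
    $className = @{}
    foreach ($k in $SchemaClassGuid.Keys) { $className[$SchemaClassGuid[$k].ToString()] = $k }
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object {
            [pscustomobject]@{
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                ObjectClass = $className[$_.ObjectType.ToString()]           # empty = any class
                AppliesTo   = $_.InheritanceType
                Inherited   = $_.IsInherited
                OnlyFor     = $className[$_.InheritedObjectType.ToString()]  # empty = all descendants
            }
        }
}

# Usage with placeholder values: delegate user create/modify/delete, then review the result.
Grant-AdmpDelegation -OuDn 'OU=Staff,DC=example,DC=com' -Identity 'EXAMPLE\svc-admp' -ObjectClass user
Get-AdmpDelegation   -OuDn 'OU=Staff,DC=example,DC=com' -Identity 'EXAMPLE\svc-admp' | Format-Table -AutoSize
```

Run Get-AdmpDelegation on its own against an existing service account to confirm it holds only the class-scoped entries listed in this document rather than Domain Admins membership.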
Operation: Restore groups

Permissions needed:
- The user modifying the permissions on the deleted objects container must be a member of the Domain Admins group.
- The Active Directory Application Mode (ADAM) tool has to be downloaded and installed separately on domain controllers running Windows Server 2000 and 2003.

Steps to grant the permissions required to restore a deleted AD group

Any object deleted from AD is stored in the deleted objects container and can be restored before the end of its tombstone lifetime. To restore a deleted AD object, non-administrators must have sufficient permission to access this container. To grant the required permissions:

1. Log in to your domain controller and launch the ADAM Tools Command Prompt.

2. Run a command in the following format to take ownership of the container:

   dsacls "CN=Deleted Objects,DC=admanagerplus,DC=com" /takeownership

Note: Every domain in a forest has its own deleted objects container, so it is essential to specify the domain name of the deleted objects container whose permissions you want to modify. Replace admanagerplus and com with your domain components.

3. To grant a security principal permission to access the deleted objects container, run a command in the following format:

   dsacls "CN=Deleted Objects,DC=admanagerplus,DC=com" /g ADMANAGERPLUS\LukeJohnson:LCRPWP

Note: Replace "LukeJohnson" with the security principal of your choice.

4. Next, connect to the default naming context, right-click the domain root, and select Properties.

5. In the Security tab, click Advanced.

6. Add the user or group, and select the following rights:

   a. Reanimate tombstones
   b. Create Group objects
   c. Write all properties

Note: Apply the Reanimate tombstones right to the object being secured and its descendant objects.

7. Click OK.

Note: Only objects deleted after the above-mentioned permissions have been delegated can be restored.

GPO Management and Reporting

Operation: Create GPOs
Permissions needed:
- Must be a member of the Group Policy Creator Owners group.

Operation: Enable/disable GPOs
Permissions needed:
- Must have the Edit settings permission on the GPOs.
Note: To learn how to delegate the Edit settings permission to a group or user on a GPO, refer to this document.

Operation: Enable/disable user configuration settings
Permissions needed:
- Must have the Edit settings permission on the GPOs.
Note: To learn how to delegate permissions to a group or user on a GPO, refer to this document.

Operation: Enable/disable computer configuration settings
Permissions needed:
- Must have the Edit settings permission on the GPOs.
Note: To learn how to delegate permissions to a group or user on a GPO, refer to this document.

Operation: Enable/disable/remove GPO links
Permissions needed:
- Must have Link GPOs selected in the Permissions drop-down list.
Note: To learn how to delegate permissions to link Group Policy objects, refer to this document.

Operation: Edit GPO settings
Permissions needed:
- Must have the Edit settings permission on the GPOs.
Note: To learn how to delegate permissions to a group or user on a GPO, refer to this document.

Operation: Enforce GPO links
Permissions needed:
- Must have Link GPOs selected in the Permissions drop-down list.
Note: To learn how to delegate permissions to link Group Policy objects, refer to this document.

Operation: Reporting
Permissions needed:
- Must have the Read permission on the Site/Domain/OU objects (gPLink attribute).
- Must have the Read permission on the Site/Domain/OU objects (gPOptions attribute).
- Must have the Read permission on the GPO objects (flags, versionNumber, modifyTimeStamp and createTimeStamp attributes).
Note: By default, the Domain Users group has these rights and can generate reports. Domain Admins and Enterprise Admins have all the above-mentioned rights and can perform all management/reporting operations.
AD Reporting

Operation: Generate all AD reports
Permissions needed:
- Must have the View permission on the desired OUs/domains.

Operation: Generate all NTFS reports
Permissions needed:
- Must have the Read permission on the relevant folders.

Note: Besides the permissions listed above, the Replicating Directory Changes permission has to be granted for effective data synchronization between AD and ADManager Plus if the service account does not have domain administrative privileges.

File Permission Management

Operation: Modify/Remove NTFS permissions
Permissions needed:
- Must have the Read and Write permissions on the relevant folders.

Operation: Modify/Remove Share permissions
Permissions needed:
- The share must be reachable from the machine where ADManager Plus is installed.

Exchange Management

Operation: Creating Exchange mailboxes while creating a corresponding user account in AD
Permissions needed:
- Exchange 2007: Must have the Exchange Recipient Administrator role and the Account Operator role.
- Exchange 2010: Must be a part of the Organization Management group.
- Exchange 2013: Must be a part of the Organization Management group.

Operation: Creating Exchange mailboxes for existing Active Directory users
Permissions needed:
- Exchange 2007: Must have the Exchange Recipient Administrator role and the Account Operator role.
- Exchange 2010: Must be a part of the Organization Management group.
- Exchange 2013: Must be a part of the Organization Management group.

Operation: Setting mailbox rights
Permissions needed:
- Exchange 2007: Must have the Exchange View-Only Administrator role, the Administer information store permission and write permissions on the mailbox store where the mailbox is located.
- Exchange 2010: Must be a part of the Organization Management group.
- Exchange 2013: Must be a part of the Organization Management group.

Operation: Exchange reporting
Permissions needed:
- All versions: Must have the Exchange View-Only Administrator role.

Note: Only enterprise admins can perform cross-forest Exchange management.

Microsoft 365 Management and Reporting

The roles and permissions (minimum scope) required for a service account configured in ADManager Plus are listed below.

Management module:
- User administrator: Manage users, contacts, and groups.
- Privileged authentication administrator: Reset passwords and block or unblock administrators.
- Privileged role admin: Manage role assignments in Azure Active Directory.
- Exchange administrator: Update mailbox properties.
- Teams service admin: Manage Microsoft Teams.

Reporting module:
- Global reader: Get reports on all Microsoft 365 services.
- Security reader: Get read-only access to security features, sign-in reports, and audit logs.

The roles and permissions (minimum scope) required for an Azure Active Directory application configured in ADManager Plus are listed below.

Management module (Microsoft Graph API):
- User.ReadWrite.All: User creation, modification, deletion, and restoration.
- Group.ReadWrite.All: Group creation, modification, deletion, and restoration; adding or removing members and owners.

Reporting module (Microsoft Graph API):
- User.Read.All: Reports on users and group members.
- Group.Read.All: Group reports.
- Contacts.Read: Contact reports.
- Reports.Read.All: Usage reports.
- Organization.Read.All: License detail reports.
- AuditLog.Read.All: Audit log reports.

Reporting module (Azure Active Directory Graph API):
- Domain.Read.All: Domain-based reports.

To know about the prerequisites for configuring a Microsoft 365 account in ADManager Plus, click here.

Active Directory migration

Operation: User migration
Permissions needed:
- Enterprise admin
Google Workspace Management and Reporting

Operation: Management
Permissions needed (API scopes):
- https://www.googleapis.com/auth/admin.directory.user
- https://www.googleapis.com/auth/admin.directory.group
- https://www.googleapis.com/auth/admin.directory.orgunit
- https://www.googleapis.com/auth/admin.directory.domain.readonly

Operation: Reporting
Permissions needed (API scopes):
- https://www.googleapis.com/auth/admin.directory.user

To know about the prerequisites for configuring a G Suite (Google Apps) account in ADManager Plus, click here.

High Availability Prerequisites

High availability refers to a system or component designed to ensure an agreed level of operational performance for a higher than normal period. ADManager Plus helps administrators maintain high availability for a server in case the primary server fails.

ADManager Plus achieves this by employing a high availability architecture that designates a backup server to act as a shield for the primary server. The same database is used by both servers; at any given time, a single server caters to user requests and the other is inactive. Whenever the primary server encounters unplanned downtime, the standby server becomes operational and takes control of the components.

Prerequisites:
- Both the primary and the secondary server must be in the same subnet.
- The user account configured in both services must be a member of the Domain Admins group while configuring high availability in ADManager Plus.

Note: Later on, you can remove this user account from the Domain Admins group. However, ensure that this user account has the NTFS and share permissions on both the primary and the secondary servers, along with the C$ (admin) share.

If you need any further assistance or information, please write to [email protected] or call us at +1 844 245 1108.

ManageEngine ADManager Plus is a unified management and reporting solution for Active Directory,
Microsoft 365, Exchange, Skype for Business, and Google Workspace. With an intuitive, easy-to-use
interface, ADManager Plus handles a variety of complex tasks and generates an exhaustive list of Active
Directory reports, some of which are essential requirements to satisfy compliance audits. For more
information about ADManager Plus, visit manageengine.com/ad-manager.

