Sophos Active Directory Sync - What rights are needed?

Question

Hello. 
 
 I've been getting errors from Sophos AD Sync lately, I suspect it is because I removed the service account from the Domain Admins group. The help file - https://docs.sophos.com/central/Customer/help/en-us/central/Customer/tasks/ActiveDirectorySyncSetup.html - says " On the AD Configuration page, specify your Active Directory LDAP server and credentials for a user account that has read access to the entire Active Directory forest with which you want to synchronize. To stay secure, use an account with the least rights that will give this access." But it does not say what rights are actually needed? 
 
 We have only a single domain in our enterprise. I do not want to leave this account as a member of Domain / Enterprise Admins. 
 
 What rights are sufficient for this account? 
 
 Thanks.

Jasmin · Accepted Answer

Hi bryangritton 
 I have discussed this with my team and they have asked for the below permissions to have on the machine where AD sync utility is installed. 
 
 Change the log on user to an account that does. 
 On the system where ad sync is installed:
 
 Rights to logon as a service 
 Rights to interactive logon 
 Rights to log on as a batch 
 NTFS full permissions on c:\programdata\sophos\sophos cloud ad sync 
 The account would need rights to read OU on DC that you want to sync.

It advised that domain admin user is the recommended to avoid any mess.