Active Directory object permissions
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Extended rights
These permissions control a special operation on an Active Directory object, where the operation is not necessarily related to read or write access to a particular attribute on that object. Each extended right is defined by a controlAccessRight object in the Extended-Rights container of the Configuration partition and is identified by that object's rightsGuid; it is granted by an access control entry (ACE) that carries the Control Access bit together with that GUID.
Extended right | Applies to | Description
---|---|---
Receive As | Computer, User | Exchange right: allows receiving mail as a given mailbox.
Send As | User, Computer, inetOrgPerson | Exchange right: allows sending mail as the mailbox.
Send To | Group | Exchange right: allows sending mail to the group.
Change Password | User, Computer, inetOrgPerson | Permits changing the password on an account. The caller must supply the current password, so this right is normally held by the account itself.
Reset Password | User, Computer, inetOrgPerson | Permits resetting the password on an account without knowing the current password. Whoever holds this right on an account can take the account over, so grant it narrowly and audit who holds it.
Replicating Directory Changes | Domain-DNS | Extended right needed to replicate changes from a given naming context (NC). A holder can pull replication data from the NC the way a domain controller does; by default it is held by domain controllers and Administrators, and any other holder is worth investigating.
Add/Remove Replica In Domain | Domain-DNS | Extended right needed to install a replica (domain controller) for the domain.
Add GUID | Domain-DNS | Extended right needed at the NC root to add an object with a specific GUID.
Change PDC | Domain-DNS | Extended right needed to change the PDC emulator.
Manage Replication Topology | Domain-DNS | Extended right needed to update the replication topology for a given NC.
Replication Synchronization | Domain-DNS, DMD (Schema), Configuration | Extended right needed to synchronize replication from a given computer.
Generate Resultant Set of Policy (Logging) | Domain-DNS, Organizational-Unit | A user who holds this right on an organizational unit or domain can generate logging-mode Resultant Set of Policy (RSoP) data for the users and computers within it.
Generate Resultant Set of Policy (Planning) | Domain-DNS, Organizational-Unit | A user who holds this right on an organizational unit or domain can generate planning-mode RSoP data for the users and computers within it.
Allocate Rids | NTDS-DSA | Extended right needed to request a RID pool.
Do Garbage Collection | NTDS-DSA | Extended right to force the directory service to do garbage collection.
Recalculate Hierarchy | NTDS-DSA | Extended right to force the directory service to recalculate the hierarchy.
Apply Group Policy | Group Policy container | Extended right that determines whether a Group Policy object applies. For a Group Policy object to apply to a user, group, or computer, both Apply Group Policy and Read must be granted.
Open Connector Queue | Site | Allows opening a connector queue.
Validated writes
A validated write differs from a write permission, which performs no value checking at all. The value checking, or validation, ensures that the value conforms to the required semantics, falls within a legal range, or passes some other special check that a simple low-level write to the property would skip. The practical consequence is that a principal holding only the validated write can set the attribute to a well-formed value for its own object, whereas a principal holding Write Property on the same attribute can store any value.
Validated write | Applies to | Description
---|---|---
Add/remove self as member | Group | Allows a principal to add or remove its own account, and only its own, from the membership of the group.
Validated write to DNS host name | Computer | Allows setting the dNSHostName attribute only to a value that matches the computer name and the domain name.
Validated write to service principal name | Computer | Allows setting the servicePrincipalName attribute only to values whose host part matches the DNS host name of the computer.
Property sets
A property set consists of a group of related properties (or attributes) that share one identifying GUID; each attribute's attributeSecurityGUID names the set it belongs to, so a single ACE that carries the set's GUID grants or denies access to every attribute in the set. Granting access rights to a property set rather than to individual properties greatly improves performance and simplifies security management.
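Extended rights, validated writes and property sets are all granted through the same ACE structure in an object's DACL, and only the access-mask bits and the object-type GUID tell them apart. The following added example, not code from the original page or from Microsoft, builds and parses ACCESS_ALLOWED_OBJECT_ACE entries (layout from MS-DTYP) and names what each grants in the three categories used on this page. The access-mask constants are from ADS_RIGHTS_ENUM, the GUIDs are the schema's rightsGuid values (the page names the rights but does not list GUIDs), and the trustee SIDs are constructed.

```python
# Added example, not from the original page: how extended rights, validated writes and
# property sets appear in a DACL as ACCESS_ALLOWED_OBJECT_ACE entries (layout per MS-DTYP)
# and which mask bit (ADS_RIGHTS_ENUM) plus object-type GUID identifies each.
import struct
import uuid

ADS_RIGHT_DS_SELF = 0x8              # validated write
ADS_RIGHT_DS_READ_PROP = 0x10        # read property / property set
ADS_RIGHT_DS_WRITE_PROP = 0x20       # write property / property set
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # extended right

ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
ACE_OBJECT_TYPE_PRESENT = 0x1
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2

# rightsGuid values from the AD schema (not listed on this page); names follow the page.
RIGHTS_GUIDS = {
    "00299570-246d-11d0-a768-00aa006e0529": "Reset Password",
    "ab721a53-1e2f-11d0-9819-00aa0040529b": "Change Password",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "edacfd8f-ffb3-11d1-b41d-00a0c968f939": "Apply Group Policy",
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "Add/remove self as member",
    "72e39547-7b18-11d1-adef-00c04fd8d5cd": "Validated write to DNS host name",
    "f3a64788-5306-11d1-a9c5-0000f80367c1": "Validated write to service principal name",
    "c7407360-20bf-11d0-a768-00aa006e0529": "Domain Password (property set)",
    "bc0ac240-79a9-11d0-9020-00c04fc2d4cf": "Membership (property set)",
    "4c164200-20c0-11d0-a768-00aa006e0529": "User Account Restrictions (property set)",
}


def sid_to_bytes(sid):
    # SID wire format: revision, sub-authority count, 6-byte big-endian authority, LE subs
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(data, pos):
    revision, count = data[pos], data[pos + 1]
    authority = int.from_bytes(data[pos + 2:pos + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, pos + 8)
    text = "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))
    return text, pos + 8 + 4 * count


def build_object_ace(mask, trustee_sid, object_type=None, allow=True, ace_flags=0):
    """Serialize one object ACE; object_type=None means the right applies to everything."""
    flags = ACE_OBJECT_TYPE_PRESENT if object_type else 0
    body = struct.pack("<II", mask, flags)
    if object_type:
        body += uuid.UUID(object_type).bytes_le
    body += sid_to_bytes(trustee_sid)
    ace_type = ACCESS_ALLOWED_OBJECT_ACE_TYPE if allow else ACCESS_DENIED_OBJECT_ACE_TYPE
    return struct.pack("<BBH", ace_type, ace_flags, 4 + len(body)) + body


def parse_object_ace(data, pos=0):
    """Parse one object ACE starting at pos and return its fields."""
    ace_type, ace_flags, size = struct.unpack_from("<BBH", data, pos)
    if ace_type not in (ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE):
        raise ValueError("not an object ACE: type 0x%02x" % ace_type)
    mask, flags = struct.unpack_from("<II", data, pos + 4)
    cur = pos + 12
    object_type = inherited_type = None
    if flags & ACE_OBJECT_TYPE_PRESENT:
        object_type = str(uuid.UUID(bytes_le=bytes(data[cur:cur + 16])))
        cur += 16
    if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
        inherited_type = str(uuid.UUID(bytes_le=bytes(data[cur:cur + 16])))
        cur += 16
    sid, cur = sid_from_bytes(data, cur)
    if cur != pos + size:
        raise ValueError("ACE size field does not match its contents")
    return {"allow": ace_type == ACCESS_ALLOWED_OBJECT_ACE_TYPE, "flags": ace_flags,
            "mask": mask, "object_type": object_type,
            "inherited_object_type": inherited_type, "sid": sid}


def describe(ace):
    """Name what the ACE grants, in the page's three categories."""
    name = RIGHTS_GUIDS.get(ace["object_type"], ace["object_type"])
    out = []
    if ace["mask"] & ADS_RIGHT_DS_CONTROL_ACCESS:
        out.append("extended right: %s" % (name or "ALL extended rights"))
    if ace["mask"] & ADS_RIGHT_DS_SELF:
        out.append("validated write: %s" % (name or "ALL validated writes"))
    rw = ace["mask"] & (ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP)
    if rw:
        verb = {ADS_RIGHT_DS_READ_PROP: "read", ADS_RIGHT_DS_WRITE_PROP: "write"}.get(rw, "read/write")
        out.append("%s property/property set: %s" % (verb, name or "ALL properties"))
    return out


def audit(ace_blob):
    ace = parse_object_ace(ace_blob)
    return "%s %s -> %s" % ("ALLOW" if ace["allow"] else "DENY", ace["sid"], "; ".join(describe(ace)))


HELPDESK_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"  # constructed sample SID
PRINCIPAL_SELF = "S-1-5-10"  # well-known SID used to grant "self" rights

if __name__ == "__main__":
    for blob in (
        build_object_ace(ADS_RIGHT_DS_CONTROL_ACCESS, HELPDESK_SID, "00299570-246d-11d0-a768-00aa006e0529"),
        build_object_ace(ADS_RIGHT_DS_SELF, PRINCIPAL_SELF, "bf9679c0-0de6-11d0-a285-00aa003049e2"),
        build_object_ace(ADS_RIGHT_DS_WRITE_PROP, HELPDESK_SID, "bc0ac240-79a9-11d0-9020-00c04fc2d4cf"),
        build_object_ace(ADS_RIGHT_DS_CONTROL_ACCESS, HELPDESK_SID),
    ):
        print(audit(blob))
```

The last ACE in the demonstration carries the Control Access bit with no object type, which grants every extended right on the object at once, including Reset Password and Replicating Directory Changes; when reviewing a DACL, treat such an entry as the sum of the whole extended-rights table rather than as a single right.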
Domain Password
Password and account lockout properties for the domain are stored in the directory service as attributes of the domain object. These properties can also be managed through the user interface using the Domain Security Policy Group Policy object; the values are then synchronized to the directory service. Password policies, like all account policies, are domain-wide and apply to all members of the domain.
Applies to: Domain
lockOutObservationWindow
lockoutDuration
lockoutThreshold
maxPwdAge
minPwdAge
minPwdLength
pwdProperties
Other Domain Parameters (for use by the security account manager, also called SAM)
Property set permitting control over a list of domain attributes.
Applies to: Domain
domainReplica
forceLogoff
modifiedCount
oEMInformation
serverRole
serverState
uASCompat
E-mail Information
Property set that contains user attributes that describe user e-mail information.
Applies to: Group, User
General Information
Property set containing a set of user attributes that constitute general user information.
Applies to: User
displayName
adminDescription
codePage
countryCode
objectSid
primaryGroupID
sAMAccountName
sAMAccountType
sDRightsEffective
showInAdvancedViewOnly
sIDHistory
uid
comment
Membership
Property set containing user attributes that describe group membership information.
Applies to: User
memberOf
member
Personal Information
Property set containing user attributes that describe personal user information.
Applies to: Computer, Contact, User
streetAddress
homePostalAddress
assistant
info
c (country/region name)
facsimileTelephoneNumber (fax number)
International-ISDN-Number
Locality-Name
MSMQ-Digests
mSMQSignCertificates
Personal-Title
Phone-Fax-Other
Phone-Home-Other
Phone-Home-Primary
otherIpPhone
ipPhonenumber
primaryInternationalISDNNumber (Phone-ISDN-Primary)
Phone-Mobile-Other (otherMobile)
Phone-Mobile-Primary
Phone-Office-Other (otherTelephone)
Phone-Pager-Other
Phone-Pager-Primary
physicalDeliveryOfficeName
thumbnailPhoto (Picture)
postalCode
preferredDeliveryMethod
registeredAddress
State-Or-Province-Name
Street-Address
telephoneNumber
teletexTerminalIdentifier
telexNumber
primaryTelexNumber
userCert
User-Shared-Folder
User-Shared-Folder-Other
userSMIMECertificate
x121Address
X509-Cert
Public Information
Property set containing user attributes that describe user public information.
Applies to: Computer, User
notes (Additional-Information)
Allowed-Attributes
allowedAttributesEffective
allowedChildClasses
allowedChildClassesEffective
altSecurityIdentities
Common-Name (cn)
company
department
description
displayNamePrintable
division
E-mail-Addresses
givenName
initials
legacyExchangeDN
manager
msDS-Approx-Immed-Subordinates
msDS-Auxiliary-Classes
distinguishedName (Obj-Dist-Name)
Object-Category
Object-Class
Object-Guid
Organization-Name
Organizational-Unit-Name
otherMailbox
Proxy-Addresses
name (RDN)
Reports (directReports)
servicePrincipalName
showInAddressBook
Surname
System-Flags
Text-Country/Region
Title
userPrincipalName
RAS Information
System Internal: Do not use or modify this right.
Applies to: User
msNPAllowDialin
msNPCallingStationID
msRADIUSCallbackNumber
msRADIUSFramedIPAddress
msRADIUSFramedRoute
msRADIUSServiceType
tokenGroups
tokenGroupsGlobalAndUniversal
User Account Restrictions
Property set containing user attributes that describe account restrictions.
Applies to: Computer, User
accountExpires
pwdLastSet
userAccountControl
userParameters
tokenGroupsNoGCAcceptable
User Logon
Property set containing user attributes that describe user logon information.
Applies to: User
badPwdCount
homeDirectory
homeDrive
lastLogoff
lastLogon
lastLogonTimestamp
logonCount
logonHours
logonWorkstation
profilePath
Web Information
Property set containing user attributes that describe user web-related information.
Applies to: Contact, User
wWWHomePage
url (WWW-Page-Other)