Validated Writes

In Active Directory, write access to an object's attributes is controlled by the RIGHT_DS_WRITE_PROPERTY (WP) access right. On its own, however, that right allows any value permitted by the attribute schema to be written to the attribute, with no value checking performed. In some cases, the values being written must be validated beyond what the schema requires before they are written to an object, in order to maintain integrity constraints. Active Directory extends the standard access control mechanism to incorporate such additional validation semantics through a mechanism called "validated write rights". The attributes to which the validated write rights apply, and the specific validations performed, are specified in section

A validated write right is not identified by a specific bit in an access mask as the standard access rights are. Instead, each validated write right is identified by a GUID. This GUID is the value of the schemaIDGUID attribute from the attributeSchema object of the attribute where the validated write is defined. An ACE that grants or denies a validated write right specifies the RIGHT_DS_WRITE_PROPERTY_EXTENDED (VW) bit in the ACCESS_MASK field and the GUID identifying the particular validated write right in the ObjectType field of the ACE. If the ObjectType field does not contain a GUID, the ACE is deemed to control the right to perform all validated write operations associated with the object. As with control access rights, each validated write right is represented by an object of class controlAccessRight in the Extended-Rights container for convenience and easy identification by Active Directory administrative tools. Note that these objects are not integral to evaluating access to an update operation and, therefore, their presence is not required for the proper functioning of the access control mechanism. The predefined list of validated write rights in Active Directory cannot be extended by application developers.

The attributes to which the validated write rights apply, and the specific validations performed, are specified in section The following table summarizes the validated write rights, and the corresponding GUID value identifying each right, that can be specified in an ACE that is supported by applicable Windows Server releases.

The table contains information for the following products. See section 3 for more information.

  • A --> Windows 2000 operating system

  • D --> Windows Server 2003 operating system

  • DR2 --> Windows Server 2003 R2 operating system

  • K --> Windows Server 2008 operating system AD DS

  • L --> Windows Server 2008 AD LDS

  • N --> Windows Server 2008 R2 operating system AD DS

  • P --> Windows Server 2008 R2 AD LDS

  • S --> Windows Server 2012 operating system AD DS

  • T --> Windows Server 2012 AD LDS

  • V --> Windows Server 2012 R2 operating system AD DS

  • W --> Windows Server 2012 R2 AD LDS

  • Y --> Windows Server 2016 operating system AD DS

  • Z --> Windows Server 2016 AD LDS

  • B2 --> Windows Server v1709 operating system AD DS

  • C2 --> Windows Server v1709 AD LDS

  • E2 --> Windows Server v1803 operating system AD DS

  • F2 --> Windows Server v1803 AD LDS

  • H2 --> Windows Server v1809 operating system AD DS

  • I2 --> Windows Server v1809 AD LDS

  • K2 --> Windows Server 2019 operating system AD DS

  • L2 --> Windows Server 2019 AD LDS

    Validated write right symbol | Identifying GUID used in ACE | A, D, DR2 | K, N | L, P | S, V, Y, B2, E2, H2, K2 | T, W, Z, C2, F2, I2, L2

    bf9679c0-0de6-11d0-a285-00aa003049e2 (member attribute)

    72e39547-7b18-11d1-adef-00c04fd8d5cd (dNSHostName attribute)

    80863791-dbe9-4eb8-837e-7f0ab55d9ac7 (msDS-AdditionalDnsHostName attribute)

    d31a8757-2447-4545-8081-3bb610cacbf2 (msDS-Behavior-Version attribute)

    f3a64788-5306-11d1-a9c5-0000f80367c1 (servicePrincipalName attribute)
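When auditing a security descriptor, the ACE encoding described above (VW bit in the ACCESS_MASK, optional GUID in ObjectType) can be resolved against the GUIDs in this table. The following Python code is an added example, not part of the specification: the VW bit value, ACE type codes and the object-type-present flag are taken from MS-ADTS and MS-DTYP rather than from this page, and the function names and the sample trustee SID are constructed for illustration.

```python
import struct
import uuid

# Constants below come from MS-ADTS / MS-DTYP, not from this page.
RIGHT_DS_WRITE_PROPERTY_EXTENDED = 0x00000008          # the VW bit
ACE_TYPES = {0x00: ("allow", False), 0x01: ("deny", False),   # plain ACEs
             0x05: ("allow", True), 0x06: ("deny", True)}     # object ACEs
ACE_OBJECT_TYPE_PRESENT = 0x1

# GUID -> attribute, copied from the table on this page.
VALIDATED_WRITES = {
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "member",
    "72e39547-7b18-11d1-adef-00c04fd8d5cd": "dNSHostName",
    "80863791-dbe9-4eb8-837e-7f0ab55d9ac7": "msDS-AdditionalDnsHostName",
    "d31a8757-2447-4545-8081-3bb610cacbf2": "msDS-Behavior-Version",
    "f3a64788-5306-11d1-a9c5-0000f80367c1": "servicePrincipalName",
}

def validated_writes_in_ace(ace: bytes):
    """Return (effect, [attributes]) if the ACE controls validated writes, else None."""
    if len(ace) < 8:
        raise ValueError("truncated ACE header")
    ace_type, _ace_flags, size, mask = struct.unpack_from("<BBHI", ace)
    if ace_type not in ACE_TYPES or size > len(ace):
        raise ValueError("unsupported ACE type or bad AceSize")
    effect, is_object_ace = ACE_TYPES[ace_type]
    if not mask & RIGHT_DS_WRITE_PROPERTY_EXTENDED:
        return None
    if is_object_ace:
        if size < 12:
            raise ValueError("truncated object ACE")
        (present,) = struct.unpack_from("<I", ace, 8)
        if present & ACE_OBJECT_TYPE_PRESENT:
            if size < 28:
                raise ValueError("truncated ObjectType")
            guid = str(uuid.UUID(bytes_le=ace[12:28]))  # GUIDs are stored mixed-endian
            attr = VALIDATED_WRITES.get(guid)
            return (effect, [attr]) if attr else None
    # No ObjectType GUID: the ACE covers every validated write on the object.
    return effect, sorted(VALIDATED_WRITES.values())

def build_sample_ace(ace_type: int, mask: int, guid: str = "") -> bytes:
    """Constructed test input: an ACE for the made-up trustee S-1-5-21-1-2-3-1105."""
    sid = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1, 2, 3, 1105)
    body = struct.pack("<I", mask)
    if ACE_TYPES[ace_type][1]:
        body += struct.pack("<I", ACE_OBJECT_TYPE_PRESENT if guid else 0)
        body += uuid.UUID(guid).bytes_le if guid else b""
    return struct.pack("<BBH", ace_type, 0, 4 + len(body) + len(sid)) + body + sid
```

An ACE that sets VW without an ObjectType GUID is the case to flag first in a review, since it covers every validated write on the object rather than a single attribute.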