3.1.1.5.3.1 Security Considerations

For originating updates, the following access checks are performed. No access checks are performed for replicated updates.

The requester needs to have RIGHT_DS_WRITE_PROPERTY access to all attributes being directly affected by the modify operation. Note that some attributes can be modified indirectly as a result of triggers and processing rules. The requester is not required to have write access to those attributes.

If any attributes being directly modified are marked in the schema as partition secrets (see the SE flag in section 2.2.9), the requester MUST have the control access right DS-Write-Partition-Secrets on the root object of the naming context to which the modified object belongs.

  • Additional access checks might apply if the nTSecurityDescriptor value is being modified. See "Security Descriptor Requirements", section 6.1.3, for more details.

If the modify operation represents an Undelete operation, then additional security checks apply (see the Undelete operation in section 3.1.1.5.3.7).

If the msDS-AllowedToDelegateTo attribute is modified, then the requester MUST possess SE_ENABLE_DELEGATION_PRIVILEGE.

In AD LDS, if a password value is being modified as a password change operation, then the requester needs to have the User-Change-Password control access right on the object being modified. A password change operation is defined as removing the old password value and adding the new password value, where the old password value matches the current password on the object.

In AD LDS, if a password value is being modified as a password reset operation, then the requester needs to have the User-Force-Change-Password control access right on the object being modified. A password reset operation is defined as a replace operation on the password attribute.

In AD LDS, if a password unexpire operation is being performed, then the requester needs to have the Unexpire-Password control access right on the object being modified. A password unexpire operation is defined as setting the pwdLastSet attribute to the value -1.
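The following Python helper, added here as an illustration and not part of the specification, applies the classification rules above to a list of LDAP modifications and returns the control access rights (or privilege) the requester needs beyond RIGHT_DS_WRITE_PROPERTY. The `Modification` type, the `required_rights` function, and the password attribute name `unicodePwd` are assumptions of this example; the right names and the change/reset/unexpire definitions come from the section.

```python
from dataclasses import dataclass
from typing import List, Optional

# Right and privilege names as the section spells them.
USER_CHANGE_PASSWORD = "User-Change-Password"
USER_FORCE_CHANGE_PASSWORD = "User-Force-Change-Password"
UNEXPIRE_PASSWORD = "Unexpire-Password"
SE_ENABLE_DELEGATION_PRIVILEGE = "SE_ENABLE_DELEGATION_PRIVILEGE"


@dataclass
class Modification:
    """One LDAP modify change (assumed shape for this example)."""
    op: str            # "add", "delete" or "replace"
    attr: str          # attribute name, e.g. "pwdLastSet"
    values: List[str]  # values carried by the change


def required_rights(mods: List[Modification], current_password: Optional[str],
                    password_attr: str = "unicodePwd") -> List[str]:
    """Return the extra rights the AD LDS rules in this section demand.

    password_attr is an assumption; the section only says "the password attribute".
    A delete+add pair whose old value does not match current_password is not a
    password change by the section's definition and so yields no right here.
    """
    rights: List[str] = []
    pwd_mods = [m for m in mods if m.attr.lower() == password_attr.lower()]
    deletes = [m for m in pwd_mods if m.op == "delete"]
    adds = [m for m in pwd_mods if m.op == "add"]
    replaces = [m for m in pwd_mods if m.op == "replace"]

    # Password change: old value removed, new value added, old value matches current.
    if deletes and adds and any(current_password in d.values for d in deletes):
        rights.append(USER_CHANGE_PASSWORD)

    # Password reset: a replace operation on the password attribute.
    if replaces:
        rights.append(USER_FORCE_CHANGE_PASSWORD)

    # Password unexpire: pwdLastSet set to -1.
    if any(m.attr.lower() == "pwdlastset" and m.op in ("add", "replace")
           and "-1" in m.values for m in mods):
        rights.append(UNEXPIRE_PASSWORD)

    # Modifying msDS-AllowedToDelegateTo requires the delegation privilege.
    if any(m.attr.lower() == "msds-allowedtodelegateto" for m in mods):
        rights.append(SE_ENABLE_DELEGATION_PRIVILEGE)
    return rights
```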