Active Directory object permissions

Extended rights

These permissions control special operations on an Active Directory object, where the operation does not necessarily correspond to read or write access to a particular attribute of that object.

Each extended right is listed with the object classes it applies to and a description.

Applies to computers and users

Receive As
Applies to: Computer and User
Exchange right: allows receiving mail as a given mailbox.

Send As
Applies to: User, computer, and inetOrgPerson
Exchange right: allows sending mail as the mailbox.

Send To
Applies to: Group
Exchange right: allows sending to a mailbox.

Change Password
Applies to: Computer and User
Permits changing the password on a user account. You do need to know the original password to make the change.

Reset Password
Applies to: User, computer, and inetOrgPerson
Permits resetting the password on a user account. With this permission, you do not need to know the original password to reset it.

Applies to Domain-DNS

Replicating Directory Changes
Applies to: Domain-DNS
Extended right needed to replicate changes from a given naming context (NC).

Add/Remove Replica In Domain
Applies to: Domain-DNS
Extended right needed to perform a replica install.

Add GUID
Applies to: Domain-DNS
Extended right needed at the NC root to add an object with a specific GUID.

Change PDC
Applies to: Domain-DNS
Extended right needed to change the PDC.

Manage Replication Topology
Applies to: Domain-DNS
Extended right needed to update the replication topology for a given NC.

Replication Synchronization
Applies to: Domain-DNS, DMD, Configuration
Extended right needed to synchronize replication from a given computer.

Generate Resultant Set of Policy (Logging)
Applies to: Domain-DNS, Organizational-Unit
A user who holds this right on an organizational unit or domain can generate logging-mode Resultant Set of Policy (RSoP) data for the users and computers within that container.

Generate Resultant Set of Policy (Planning)
Applies to: Domain-DNS, Organizational-Unit
A user who holds this right on an organizational unit or domain can generate planning-mode RSoP data for the users and computers within that container.

Applies to NTDS-DSA

Allocate Rids
Applies to: NTDS-DSA
Extended right needed to request a RID pool.

Do Garbage Collection
Applies to: NTDS-DSA
Extended right to force the directory service to perform garbage collection.

Recalculate Hierarchy
Applies to: NTDS-DSA
Extended right to force the directory service to recalculate the hierarchy.

Applies to a Group Policy container

Apply Group Policy
Applies to: Group Policy container
Extended right that determines whether a Group Policy object applies. For a Group Policy object to apply to a user, group, or computer, both the Apply Group Policy and Read permissions must be set.

Applies to Site

Open Connector Queue
Applies to: Site
Allows opening a connector queue.

Validated writes

A validated write differs from a plain write permission, which performs no value checking. The value checking, or validation, ensures that the value conforms to the required semantics, falls within a legal range of values, or passes some other special check that would not be performed for a simple low-level write to the property.

Each validated write is listed with the object classes it applies to and a description.

Add/remove self as member
Applies to: Group
Validated write permission that allows a principal to add or remove its own account from the membership of a group.

Validated write to DNS host name
Applies to: Computer
Validated write permission that allows setting a DNS host name attribute that is consistent with the computer name and domain name.

Validated write to service principal name
Applies to: Computer
Validated write permission that allows setting the SPN attribute only to values consistent with the DNS host name of the computer.

Property sets

A property set consists of a group of related properties (or attributes). Granting access rights to a property set rather than to individual properties greatly improves performance and simplifies security management.

Domain Password

Password and account lockout properties for the domain are stored in the Directory Service as attributes of the domain object. These properties can also be managed through the user interface using the Domain Security Policy Group Policy object; the values are then synchronized to the Directory Service. Password policies, like all account policies, are domainwide and apply to all members of the domain.

Applies to:  Domain

Other Domain Parameters (for use by the security account manager, also called SAM)

Property set permitting control to a list of domain attributes.

Applies to:  Domain

E-mail Information

Property set that contains user attributes that describe user e-mail information.

Applies to:  Group, User

General Information

Property set containing a set of user attributes that constitute general user information.

Applies to:  User

Membership

Property set containing user attributes that describe group membership information.

Applies to:  User

Personal Information

Property set containing user attributes that describe personal user information.

Applies to:  Computer, Contact, User

Public Information

Property set containing user attributes that describe user public information.

Applies to:  Computer, User

RAS Information

System Internal: Do not use or modify this right.

Applies to:  User

User Account Restrictions

Property set containing user attributes that describe account restrictions.

Applies to:  Computer, User

User Logon

Property set containing user attributes that describe user logon information.

Applies to:  User

Web Information

Property set containing user attributes that describe user web-related information.

Applies to:  Contact, User

For a complete list of Active Directory permissions, see the MSDN home page on the Microsoft Web site (http://www.microsoft.com/).
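The three categories above (extended rights, validated writes, property sets) are all defined as controlAccessRight objects in the configuration partition, distinguished by the validAccesses bitmask. The script below is an added example, not part of the original page: it enumerates those definitions, groups them into the three categories, and then reports which principals hold extended rights directly on the domain object so that non-default holders of rights such as Reset Password or Replicating Directory Changes can be reviewed. It assumes the ActiveDirectory PowerShell module is installed and that it runs on a domain-joined host with read access to the directory.

```powershell
# Added example: classify control access rights and audit extended-right ACEs.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$rightsNC = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# validAccesses is a bitmask of ADS_RIGHT_* flags:
#   0x100 = DS_CONTROL_ACCESS            -> extended right
#   0x008 = DS_SELF                      -> validated write
#   0x030 = DS_READ_PROP | DS_WRITE_PROP -> property set
$rights = Get-ADObject -SearchBase $rightsNC -LDAPFilter '(objectClass=controlAccessRight)' `
            -Properties displayName, rightsGuid, validAccesses |
          ForEach-Object {
            $kind = switch ([int]$_.validAccesses) {
              256     { 'Extended right' }
              8       { 'Validated write' }
              48      { 'Property set' }
              default { "Other ($($_.validAccesses))" }
            }
            [pscustomobject]@{ Name = $_.displayName; Guid = [guid]$_.rightsGuid; Kind = $kind }
          }

# Summary: how many rights of each kind the forest defines.
$rights | Group-Object Kind | ForEach-Object { '{0,-16} {1}' -f $_.Name, $_.Count }

# Map rightsGuid -> display name so ACEs can be reported by the names used above.
$nameByGuid = @{}
foreach ($r in $rights) { $nameByGuid[$r.Guid] = $r.Name }

# Audit: principals holding extended rights on the domain head (inherited ACEs included).
$domainDN = $rootDse.defaultNamingContext
$acl = Get-Acl -Path "AD:\$domainDN"
$acl.Access |
  Where-Object { [int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0 } |
  ForEach-Object {
    # An empty ObjectType means the ACE grants every extended right, not one specific right.
    $name = if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' }
            elseif ($nameByGuid.ContainsKey($_.ObjectType)) { $nameByGuid[$_.ObjectType] }
            else { $_.ObjectType.ToString() }
    [pscustomobject]@{
      Principal = $_.IdentityReference
      Right     = $name
      Type      = $_.AccessControlType
      Inherited = $_.IsInherited
    }
  } | Sort-Object Principal, Right | Format-Table -AutoSize
```

Compare the output against the principals you expect (Domain Controllers, Enterprise Domain Controllers, Administrators, and the built-in Exchange roles); any other holder of a Reset Password or replication right warrants a change-control check.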