3.1.1.5.4.1.1 Security Considerations
For originating updates, the requester must have all the following permissions to perform a Modify DN operation. If the security check does not succeed, the server returns the error insufficientAccessRights / ERROR_DS_INSUFF_ACCESS_RIGHTS.
The security context of the requester must be granted rights RIGHT_DS_WRITE_PROPERTY permission on O!name to perform move or rename operation.
For a move operation, the requester must be granted right RIGHT_DS_CREATE_CHILD on NP for the objectClass of the object being added.
For a move operation, the requester must be granted rights RIGHT_DELETE on O, or must be granted right RIGHT_DS_DELETE_CHILD on P.
In AD DS, if O is within the config NC or schema NC and the RM control field of the security descriptor of the object has the SECURITY_PRIVATE_OBJECT bit set, the requester must be the owner of the object to perform this operation.
No access check is performed for replicated updates.