Appendix C: Active Directory Standard Permissions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The following table contains standard permissions for Active Directory.

Permission Definition

Create Child (CC)

This permission controls the ability to create child objects under an object. The ObjectType member of an ACE can contain a GUID that identifies the type of child object whose creation is controlled. If ObjectType does not contain a GUID, the ACE controls the creation of all child objects.

Standard Delete (SD)

This permission controls the ability to delete an object. If a user has this permission on an object, these permissions are sufficient to delete the object; Delete Child permissions are not necessary on the parent object.

Delete Child (DC)

This permission controls the ability to delete child objects under an object. The ObjectType member of an ACE can contain a GUID that identifies a type of child object whose deletion is controlled. If ObjectType does not contain a GUID, the ACE controls the deletion of all child object types.

Delete Tree (DT)

This permission controls the ability to delete all child objects of an object, regardless of the permissions of the children.

Read-Property (RP)

This permission controls the ability to read the properties of an object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to read all of the object properties.

Write-Property (WP)

This permission controls the ability to write the properties of an object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to write all of the object properties.

Write Owner (WO)

This permission controls the ability to assume ownership of the object.

Write DACL (WD)

This permission controls the ability to modify the discretionary access-control list (DACL) in the object’s security descriptor.

Read Control (RC)

This permission controls the ability to read data from the security descriptor of the object, not including the data in the SACL. Thus, a user granted this right can read the Owner, Primary Group and DACL fields in the object’s security descriptor.

List Child (LC)

This permission controls the ability to list children of an object. For more information about this right, see Controlling Object Visibility in the MSDN Library on the Web at http://go.microsoft.com/fwlink/?LinkID=19828.

List Object (LO)

This permission controls the ability to list a particular object. If the user is not granted such a right, and the user does not have List Child set on the object parent, the object is hidden from the user. This right is ignored if the third character of the dSHeuristics property is ‘0’ or not set. For more information about this right, see Controlling Object Visibility in the MSDN Library on the Web at http://go.microsoft.com/fwlink/?LinkID=19828.

Control Access (CR)

This permission controls the ability to perform an operation controlled by an extended access right. The ObjectType member of an ACE can contain a GUID that identifies the extended right. If ObjectType does not contain a GUID, the ACE controls the right to perform all extended right operations associated with the object. For a detailed description of all Active Directory extended rights, see Appendix D: Active Directory Extended Rights.

Validated Write (SW)

This permission controls the ability to perform an operation controlled by a validated write access right. The ObjectType member of an ACE can contain a GUID that identifies the validated write. If ObjectType does not contain a GUID, the ACE controls the rights to perform all valid write operations associated with the object.

There are three validated writes:

  • Self-Membership

    This permission allows a user to update the membership of a group in terms of adding/removing one’s own account. Rights GUID: bf9679c0-0de6-11d0-a285-00aa003049e2.

    noteNote
    If users have the Write Property permission on the Member attribute of the group object, the Self-Membership permission is not necessary; in that case, users can add or remove anyone (including themselves) from the group.
  • Validated-DNS-Host-Name

    This permission allows setting a DNS host name attribute (for a computer) that is compliant with the computer name and domain name. Rights GUID: 72e39547-7b18-11d1-adef-00c04fd8d5cd.

  • Validated-SPN

    This permission allows setting a SPN attribute (for a computer) which is compliant to the DNS host name of the computer. Rights GUID: f3a64788-5306-11d1-a9c5-0000f80367c1.