Directory Services Access Rights
Each Active Directory object has a security descriptor assigned to it. A set of trustee rights specific to directory service objects can be set within these security descriptors. These rights are listed in the following table. For more information, see Control Access Rights.
||Open a DS object.
||Create a child DS object.
||Delete a child DS object.
||Enumerate a DS object.
||Read the properties of a DS object.
||Write properties for a DS object.
||Access allowed only after validated rights checks supported by the object are performed. This flag can be used alone to perform all validated rights checks of the object or it can be combined with an identifier of a specific validated right to perform only that check.
||Delete a tree of DS objects.
||List a tree of DS objects.
||Access allowed only after extended rights checks supported by the object are performed. This flag can be used alone to perform all extended rights checks on the object or it can be combined with an identifier of a specific extended right to perform only that check.