Last Updated: April 02, 2005
The following are the ACLs applied to each delegated OU in the Accounts OU for each delegated administrative group. The effective rights on users are the permissions granted minus the permissions that are denied.
Grant to this object and all child objects:

| Permission | ACL Editor Name | Description |
|---|---|---|
| Create/Delete Child | groupPolicyContainer Objects | Create/Delete Group Policy Objects |
| Read/Write Property | gPLink | Read/Write GP Links |
| Read/Write Property | gPOptions | Read/Write GP Options |

Grant to all user objects:

| Permission | ACL Editor Name | Description |
|---|---|---|
| List Contents | | |
| Read All Properties | | |
| Write All Properties | | |
| Read Permissions | | |
| All Validated Rights | | |
| All Extended Rights | | includes password change/reset, etc. |

Deny to All User Objects:

| Permission | LDAP Property Name (ACL Editor Name) | User GUI Tab | Description |
|---|---|---|---|
| Write Property | displayName | General | Display name. Note: This property is needed to reattach existing mailboxes. We allow this property for current LSA OUs only. |
| Write Property | userPrincipalName (Logon Name) | Account | User logon name |
| Write Property | sAMAccountName (Logon Name (pre-Win2000)) | Account | User logon name (pre-Windows 2000) |
| Write Property | userAccountControl | Account | Last 8 checkboxes in Account options section including "Account is Disabled" |
| Write Property | accountExpires | Account | Account expires |
| Write Property | userWorkstations | Account | Logon Workstation |
| Write Property | logonHours | Account | Logon Hours |
| Write Property | homeDrive | Profile | Home drive |
| Write Property | homeDirectory | Profile | Home directory |
| Write Property | scriptPath | Profile | Login script |
| Write Property | Cn | General | Name |
| Write Property | givenName | General | First Name |
| Write Property | initials | General | Initials |
| Write Property | Sn | General | Last Name |
| Write Property | telephoneNumber | General | Telephone |
| Write Property | otherTelephone | General | Telephone |
| Write Property | Web Information | General | Web Page |
| Write Property | homePhone | Telephones | Home Phone |
| Write Property | otherHomePhone | Telephones | Home Phone |
| Write Property | pager | Telephones | Pager |
| Write Property | otherPager | Telephones | Pager |
| Write Property | facsimileTelephoneNumber | Telephones | Fax |
| Write Property | OtherFacsimileTelephoneNumber | Telephones | Fax |
| Write Property | company | Organization | Company |
| Write Property | department | Organization | Department |
| Write Property | Title | Organization | Title |
| Write Property | altSecurityIdentities | not in GUI | Kerberos Mapping |
| Write Property | umichadHidePersonalInfo | not in GUI | Umich Attributes |
| Write Property | umichadNoBatchUpdates | not in GUI | Umich Attributes |
| Write Property | umichadOU | not in GUI | Umich Attributes |
| Write Property | umichadRole | not in GUI | Umich Attributes |
| Write Property | umichadUMDirToADSyncFlag | not in GUI | Umich Attributes |
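
The following PowerShell is an added example, not part of the original page or the site's own tooling: it checks that the deny-write ACEs from the table above are present on one delegated OU for one administrative group. The OU DN, the group name, and the premise that each deny is a per-attribute ACE set on the OU and inherited by user objects are assumptions; it requires the ActiveDirectory module.

```powershell
# Added example: audit one delegated OU for the deny-write ACEs listed above.
Import-Module ActiveDirectory

# Hypothetical placeholders; substitute the real OU and administrative group.
$OuDn  = 'OU=ExampleDept,OU=Accounts,DC=example,DC=edu'
$Group = 'EXAMPLE\exampledept-ou-admins'

# Subset of the LDAP property names from the deny table; extend as needed.
$ExpectedDeny = @(
    'userPrincipalName', 'sAMAccountName', 'userAccountControl',
    'accountExpires', 'userWorkstations', 'logonHours',
    'scriptPath', 'altSecurityIdentities'
)

# Map schemaIDGUID -> lDAPDisplayName so ACE ObjectType GUIDs can be named.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$guidToName = @{}
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object {
        $guidToName[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName
    }
$userClassGuid = ($guidToName.GetEnumerator() |
    Where-Object { $_.Value -eq 'user' }).Key

# Assumption: each deny is a per-attribute WriteProperty ACE set on the OU
# and inherited only by user objects (InheritedObjectType = user class).
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$denied = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq 'Deny' -and
        ($_.ActiveDirectoryRights -band $writeProp) -and
        $_.InheritedObjectType.ToString() -eq $userClassGuid
    } |
    ForEach-Object { $guidToName[$_.ObjectType.ToString()] }

$missing = $ExpectedDeny | Where-Object { $_ -notin $denied }
if ($missing) {
    Write-Warning "No deny-write ACE on $OuDn for: $($missing -join ', ')"
} else {
    "All expected deny-write ACEs are present on $OuDn"
}
```

A warning here means the group's "Write All Properties" grant is not being narrowed for that attribute on the OU, so the effective rights are broader than the table describes.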