Appendix A: Active Directory Administrative Tasks
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This appendix is a comprehensive list of Active Directory® directory service administrative tasks for service administration and data administration, along with the permissions required to perform each task.
The permissions in this appendix are referred to by Security Descriptor Definition Language (SDDL) mnemonics. The following table maps the SDDL to the corresponding permissions and to the name by which these permissions are displayed in the ACL Editor.
SDDL Mappings for Active Directory Permissions
| SDDL | Permission | Name in ACL Editor |
|---|---|---|
RC |
Read Control |
No specific mapping |
SD |
Standard Delete |
Delete |
WD |
Write DACL |
Modify Permissions |
WO |
Write Owner |
Modify Owner |
RP |
Read Property |
Read All Properties Read <specific property> |
WP |
Write Property |
Write All Properties Write <specific property> |
CC |
Create Child |
Create <class of object> |
DC |
Delete Child |
Delete <class of object> |
LC |
List Child |
List Contents |
SW |
Validated Write |
Self-Membership Validated-DNS-Host-Name Validated-SPN |
LO |
List Object |
List Object |
DT |
Delete Tree |
Delete Subtree |
CR |
Extended Right |
Referred to by specific Extended Right name – see Appendix D: Active Directory Extended Rights for more details |
For more information about SDDL, see the Microsoft Platform Software Development Kit (SDK) link on the on at https://msdn2.microsoft.com/EN-US/library/aa379567.aspx.
All classes and attributes in this table are referred to by their Common-Name.
Active Directory Attributes and Classes
Active Directory attributes and classes can be referred to by any of three types of names:
CN (Common-Name) — Every object in the DS has a naming attribute from which its Relative Distinguished Name (also known as RDN) is formed. (The Naming Attribute for most Class-Schema objects is Common-Name.)
LDAP-Display-Name — The name of a class/attribute as known to the LDAP agent for the NTDS.
Display-Name — A relatively more descriptive version of the Common-Name of a given object that the administration tools use to refer to the class/object.
Some attributes have Display Names defined while others do not. The base set of administration tools (ACL Editor) refers to classes/attributes by their Display-Name, if one exists for the class/attribute. If a class/attribute does not have a Display-Name defined, then the UI uses the LDAP-display name.
To determine the equivalent display names used in the ACL Editor, see Appendix H: Active Directory Display Name Mappings.
To learn more about how to use the ACL Editor and other Delegation Tools, see Appendix G: Active Directory Delegation Tools.