Export (0) Print
Expand All

Appendix A: Active Directory Administrative Tasks

Updated: December 5, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This appendix is a comprehensive list of Active Directory® directory service administrative tasks for service administration and data administration, along with the permissions required to perform each task.

The permissions in this appendix are referred to by Security Descriptor Definition Language (SDDL) mnemonics. The following table maps the SDDL to the corresponding permissions and to the name by which these permissions are displayed in the ACL Editor.

SDDL Mappings for Active Directory Permissions

SDDL Permission Name in ACL Editor

RC

Read Control

No specific mapping

SD

Standard Delete

Delete

WD

Write DACL

Modify Permissions

WO

Write Owner

Modify Owner

RP

Read Property

Read All Properties

Read <specific property>

WP

Write Property

Write All Properties

Write <specific property>

CC

Create Child

Create <class of object>

DC

Delete Child

Delete <class of object>

LC

List Child

List Contents

SW

Validated Write

Self-Membership

Validated-DNS-Host-Name

Validated-SPN

LO

List Object

List Object

DT

Delete Tree

Delete Subtree

CR

Extended Right

Referred to by specific Extended Right name – see Appendix D: Active Directory Extended Rights for more details

For more information about SDDL, see the Microsoft Platform Software Development Kit (SDK) link on the on at http://msdn2.microsoft.com/EN-US/library/aa379567.aspx.

All classes and attributes in this table are referred to by their Common-Name.

Active Directory Attributes and Classes

Active Directory attributes and classes can be referred to by any of three types of names:

  • CN (Common-Name) — Every object in the DS has a naming attribute from which its Relative Distinguished Name (also known as RDN) is formed. (The Naming Attribute for most Class-Schema objects is Common-Name.)

  • LDAP-Display-Name — The name of a class/attribute as known to the LDAP agent for the NTDS.

  • Display-Name — A relatively more descriptive version of the Common-Name of a given object that the administration tools use to refer to the class/object.

Some attributes have Display Names defined while others do not. The base set of administration tools (ACL Editor) refers to classes/attributes by their Display-Name, if one exists for the class/attribute. If a class/attribute does not have a Display-Name defined, then the UI uses the LDAP-display name.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft