
Appendix C: Default Permissions for a Computer Object

The default permissions for an Active Directory Computer object in Windows Server 2003 are:

Account operators

  • Full control

Domain administrators

  • Full control

System

  • Full control

Authenticated users

  • Read, Read Account Restrictions, Read DNS Host Name Attributes, Read Personal Information, Read Public Information
  • Special: List contents, Read All Properties, Read Permissions

Creator owner

  • Read, Allowed to authenticate, Change Password, Receive As, Reset Password, Send As, Validated write to DNS host name, Validated write to service principal name, Read Account Restrictions, Write Account Restrictions, Read DNS Host Name Attributes, Read Personal Information, Read Public Information
  • Special: List contents, Read All Properties, Delete, Delete Subtree, Read Permissions, All Extended Rights, Allowed to authenticate, Change Password, Receive As, Reset Password, Send As
  • Write Account Restrictions
  • Validated Write to DNS host name
  • Validated Write to service principal name
  • Write computer name (pre-Windows 2000)
  • Write description

Everyone

  • Change password

Print operator

  • Create/Delete printer objects

Self

  • Create All Child Objects
  • Delete All Child Objects
  • Various other applicationVersion and property objects
  • Validated write to service principal name
  • Read/write personal information
  • Validated write to DNS host name

Windows Authorization Access Group

  • Read property (tokenGroupsGlobalAndUniversal)

Cert Publishers

  • Read userCertificate
  • Write userCertificate

© 2014 Microsoft