Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following table contains standard permissions for Active Directory.
| Permission | Definition |
|---|---|
| Create Child (CC) | This permission controls the ability to create child objects under an object. The ObjectType member of an ACE can contain a GUID that identifies the type of child object whose creation is controlled. If ObjectType does not contain a GUID, the ACE controls the creation of all child objects. |
| Standard Delete (SD) | This permission controls the ability to delete an object. If a user has this permission on an object, it is sufficient to delete the object; Delete Child permission on the parent object is not necessary. |
| Delete Child (DC) | This permission controls the ability to delete child objects under an object. The ObjectType member of an ACE can contain a GUID that identifies a type of child object whose deletion is controlled. If ObjectType does not contain a GUID, the ACE controls the deletion of all child object types. |
| Delete Tree (DT) | This permission controls the ability to delete all child objects of an object, regardless of the permissions of the children. |
| Read-Property (RP) | This permission controls the ability to read the properties of an object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to read all of the object properties. |
| Write-Property (WP) | This permission controls the ability to write the properties of an object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to write all of the object properties. |
| Write Owner (WO) | This permission controls the ability to assume ownership of the object. |
| Write DACL (WD) | This permission controls the ability to modify the discretionary access-control list (DACL) in the object's security descriptor. |
| Read Control (RC) | This permission controls the ability to read data from the security descriptor of the object, not including the data in the SACL. Thus, a user granted this right can read the Owner, Primary Group and DACL fields in the object's security descriptor. |
| List Child (LC) | This permission controls the ability to list children of an object. For more information about this right, see Controlling Object Visibility in the MSDN Library on the Web at https://go.microsoft.com/fwlink/?LinkID=19828. |
| List Object (LO) | This permission controls the ability to list a particular object. If the user is not granted this right, and the user does not have List Child on the object's parent, the object is hidden from the user. This right is ignored if the third character of the dSHeuristics property is '0' or not set. For more information about this right, see Controlling Object Visibility in the MSDN Library on the Web at https://go.microsoft.com/fwlink/?LinkID=19828. |
| Control Access (CR) | This permission controls the ability to perform an operation controlled by an extended access right. The ObjectType member of an ACE can contain a GUID that identifies the extended right. If ObjectType does not contain a GUID, the ACE controls the right to perform all extended right operations associated with the object. For a detailed description of all Active Directory extended rights, see Appendix D: Active Directory Extended Rights. |
| Validated Write (SW) | This permission controls the ability to perform an operation controlled by a validated write access right. The ObjectType member of an ACE can contain a GUID that identifies the validated write. If ObjectType does not contain a GUID, the ACE controls the right to perform all validated write operations associated with the object. There are three validated writes: |
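The two-letter codes in the table are the SDDL abbreviations these rights carry in an ACE string, and the ObjectType rule the table repeats (a GUID narrows the right to one child class, property set or extended right; no GUID means all of them) is the detail a reviewer of delegated permissions most needs to check. The decoder below is an added example, not part of the original page or of Windows itself: it takes an SDDL ACE, maps the rights field back to the names in the table, and reports each right's scope under that rule. The access-mask bit values are assumed from the ADS_RIGHTS_ENUM definitions in the Windows SDK, and the GUID and SIDs in the sample ACEs are constructed placeholders.

```python
import re

# Active Directory standard permissions from the table above, keyed by their SDDL
# two-letter code. The numeric values are the ADS_RIGHT_* access-mask bits from the
# Windows SDK ADS_RIGHTS_ENUM (assumed here; the page itself does not list them).
AD_RIGHTS = {
    "CC": (0x00000001, "Create Child"),
    "DC": (0x00000002, "Delete Child"),
    "LC": (0x00000004, "List Child"),
    "SW": (0x00000008, "Validated Write"),
    "RP": (0x00000010, "Read Property"),
    "WP": (0x00000020, "Write Property"),
    "DT": (0x00000040, "Delete Tree"),
    "LO": (0x00000080, "List Object"),
    "CR": (0x00000100, "Control Access"),
    "SD": (0x00010000, "Standard Delete"),
    "RC": (0x00020000, "Read Control"),
    "WD": (0x00040000, "Write DACL"),
    "WO": (0x00080000, "Write Owner"),
}

# Rights whose scope is narrowed by the ACE's ObjectType GUID, and what that GUID names.
OBJECT_TYPE_SCOPE = {
    "CC": "child object class",
    "DC": "child object class",
    "RP": "property or property set",
    "WP": "property or property set",
    "CR": "extended right",
    "SW": "validated write",
}

# One SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee_sid)
ACE_RE = re.compile(
    r"^\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[0-9A-Za-z]*);"
    r"(?P<object>[-0-9a-fA-F]*);(?P<inherit>[-0-9a-fA-F]*);(?P<sid>[^)]+)\)$"
)


def parse_rights(field):
    """Convert the SDDL rights field ('RPWP' or '0x30') to an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in AD_RIGHTS:
            raise ValueError(f"unsupported rights code {code!r}")
        mask |= AD_RIGHTS[code][0]
    return mask


def decode_ace(ace):
    """Decode one ACE into the standard permissions it grants and each one's scope."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError(f"not an SDDL ACE: {ace!r}")
    mask = parse_rights(m["rights"])
    object_type = m["object"] or None  # empty field: ObjectType carries no GUID
    granted = []
    for code, (bit, name) in AD_RIGHTS.items():
        if not mask & bit:
            continue
        if code in OBJECT_TYPE_SCOPE:
            # The table's rule: a GUID narrows the right, no GUID means all of them.
            scope = (f"limited to {OBJECT_TYPE_SCOPE[code]} {object_type}"
                     if object_type else f"every {OBJECT_TYPE_SCOPE[code]}")
        else:
            scope = "whole object"
        granted.append((code, name, scope))
    return {"ace_type": m["type"], "trustee": m["sid"], "mask": mask,
            "object_type": object_type, "rights": granted}


def broad_grants(decoded):
    """Codes of GUID-scopable rights this ACE grants with no GUID (worth a review)."""
    return [code for code, _, _ in decoded["rights"]
            if code in OBJECT_TYPE_SCOPE and decoded["object_type"] is None]


if __name__ == "__main__":
    # Constructed sample ACEs: placeholder GUID and SID, not real directory values.
    samples = [
        "(OA;;RPWP;11111111-2222-3333-4444-555555555555;;S-1-5-21-1-2-3-1108)",
        "(A;;WPWD;;;S-1-5-21-1-2-3-1108)",
    ]
    for ace in samples:
        d = decode_ace(ace)
        print(ace)
        for code, name, scope in d["rights"]:
            print(f"  {code} {name}: {scope}")
        if broad_grants(d):
            print("  review: unscoped grant of", ", ".join(broad_grants(d)))
```

The second sample shows why the ObjectType distinction matters when reviewing delegation: `WP` with an empty ObjectType field is Write-Property over every attribute of the object, not one property set, and `WD` is always whole-object, so `broad_grants` reports the `WP` entry for a closer look.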