Extended Rights Reference

This page lists all the extended rights available for delegation in Active Directory. These rights have been categorized according to the object (such as the user account object) that the right applies to; each listing includes the extended right name, a brief description, and the object GUID required when writing a script to delegate that right.

addressBookContainer Object

Container for holding members of an address book view.

Open-Address-Book
Extended right checked when opening address book object for address book views.
Object GUID: {a1990816-4298-11d1-ade2-00c04fd8d5cd}

computer Object

This class represents a computer account in the domain.

Allowed-To-Authenticate
The control access right controls who can authenticate to a particular machine or service. It basically lives on computer, user and InetOrgPerson objects. It is also applicable on the domain object if access is allowed for the entire domain. It can be applied to OU’s to permit users to be able to set inheritable ACE’s on OU’s containing a set of user/computer objects.
Object GUID: {68b1d179-0d15-4d4f-ab71-46152e79a7bc}

Receive-As
Exchange right: allows receiving mail as a given mailbox.
Object GUID: {ab721a56-1e2f-11d0-9819-00aa0040529b}

Send-As
Exchange right: allows sending mail as the mailbox.
Object GUID: {ab721a54-1e2f-11d0-9819-00aa0040529b}

User-Change-Password
Permits changing password on user account.
Object GUID: {ab721a53-1e2f-11d0-9819-00aa0040529b}

User-Force-Change-Password
Permits resetting password on user account.
Object GUID: {00299570-246d-11d0-a768-00aa006e0529}

configuration Object

This is a container that holds the configuration information for a domain.

DS-Replication-Get-Changes
Extended right needed to replicate changes from a given NC.
Object GUID: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}

DS-Replication-Get-Changes-All
Control access right that allows the replication of secret domain data.
Object GUID: {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}

DS-Replication-Manage-Topology
Extended right needed to update the replication topology for a given NC.
Object GUID: {1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}

DS-Replication-Monitor-Topology
Extended control access right that allows the reading of replication monitoring data, such as replication status and object metadata.
Object GUID: {f98340fb-7c5b-4cdb-a00b-2ebdfa115a96}

DS-Replication-Synchronize
Extended right needed to synchronize replication from a given NC.
Object GUID: {1131f6ab-9c07-11d1-f79f-00c04fc2dcd2}

Generate-RSoP-Logging
The user who has the rights on an OU/Domain will be able to generate logging mode RSoP data for the users/computers within the OU.
Object GUID: {b7b1b3de-ab09-4242-9e30-9980e5d322f7}

Generate-RSoP-Planning
The user who has the rights on an OU/Domain will be able to generate planning mode RSoP data for the users/computers within the OU.
Object GUID: {b7b1b3dd-ab09-4242-9e30-9980e5d322f7}

Reanimate-Tombstones
Control access right that allows deleted schema elements to be restored.
Object GUID: {45ec5156-db7e-47bb-b53f-dbeb2d03c40f}

crossRefContainer Object

Holds cross-refs objects for all Naming Contexts.

Change-Domain-Master
Extended right needed to change the domain naming FSMO role owner.
Object GUID: {014bf69c-7b3b-11d1-85f6-08002be74fab}

DS-Execute-Intentions-Script
Control access right, which should be granted to the partitions container, that allows the Rendom.exe or prepare operation to be used in a domain rename. This control access right also appears as an audit-only right when the Rendom.exe or execute step operations are performed.
Object GUID: {2f16c4a5-b98e-432c-952a-cb388ba33f2e}

dMD Object

Directory Management Domain. In Active Directory this is the class that holds the schema.

Change-Schema-Master
Extended right needed to change the schema master FSMO role owner.
Object GUID: {e12b56b6-0a95-11d1-adbb-00c04fd8d5cd}

DS-Replication-Get-Changes
Extended right needed to replicate changes from a given NC.
Object GUID: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}

DS-Replication-Get-Changes-All
Control access right that allows the replication of secret domain data.
Object GUID: {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}

DS-Replication-Manage-Topology
Extended right needed to update the replication topology for a given NC.
Object GUID: {1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}

DS-Replication-Monitor-Topology
Extended control access right that allows the reading of replication monitoring data, such as replication status and object metadata.
Object GUID: {f98340fb-7c5b-4cdb-a00b-2ebdfa115a96}

DS-Replication-Synchronize
Extended right needed to synchronize replication from a given NC.
Object GUID: {1131f6ab-9c07-11d1-f79f-00c04fc2dcd2}

Generate-RSoP-Logging
The user who has the rights on an OU/Domain will be able to generate logging mode RSoP data for the users/computers within the OU.
Object GUID: {b7b1b3de-ab09-4242-9e30-9980e5d322f7}

Generate-RSoP-Planning
The user who has the rights on an OU/Domain will be able to generate planning mode RSoP data for the users/computers within the OU.
Object GUID: {b7b1b3dd-ab09-4242-9e30-9980e5d322f7}

Reanimate-Tombstones
Control access right that allows deleted schema elements to be restored.
Object GUID: {45ec5156-db7e-47bb-b53f-dbeb2d03c40f}

Update-Schema-Cache
Extended right to force a schema cache update.
Object GUID: {be2bb760-7f46-11d2-b9ad-00c04f79f805}

domainDNS Object

Windows NT Domain with DNS-based (DC=) naming.

Add-GUID
Extended right needed at the NC root to add an object with a specific GUID.
Object GUID: {440820ad-65b4-11d1-a3da-0000f875ae0d}

Change-PDC
Extended right needed to change the primary domain controller (PDC) emulator FSMO role owner.
Object GUID: {bae50096-4752-11d1-9052-00c04fc2d4cf}

Create-Inbound-Forest-Trust
Extended control access right that enables users to create an inbound-only trust between forests by adding them to the appropriate group.
Object GUID: {e2a36dc9-ae17-47c3-b58b-be34c55ba633}

DS-Install-Replica
Extended right needed to do a replica install.
Object GUID: {9923a32a-3607-11d2-b9be-0000f87a36b2}

DS-Replication-Get-Changes
Extended right needed to replicate changes from a given NC.
Object GUID: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}

DS-Replication-Get-Changes-All
Control access right that allows the replication of secret domain data.
Object GUID: {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}

DS-Replication-Manage-Topology
Extended right needed to update the replication topology for a given NC.
Object GUID: {1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}

DS-Replication-Monitor-Topology
Extended control access right that allows the reading of replication monitoring data, such as replication status and object metadata.
Object GUID: {f98340fb-7c5b-4cdb-a00b-2ebdfa115a96}

DS-Replication-Synchronize
Extended right needed to synchronize replication from a given NC.
Object GUID: {1131f6ab-9c07-11d1-f79f-00c04fc2dcd2}

Enable-Per-User-Reversibly-Encrypted-Password
Extended control access right that allows users to enable or disable the “reversible encrypted password” setting for user and computer objects.
Object GUID: {05c74c5e-4deb-43b4-bd9f-86664c2a7fd5}

Generate-RSoP-Logging
The user who has the rights on an OU/Domain will be able to generate logging mode RSoP data for the users/computers within the OU.
Object GUID: {b7b1b3de-ab09-4242-9e30-9980e5d322f7}

Generate-RSoP-Planning
The user who has the rights on an OU/Domain will be able to generate planning mode RSoP data for the users/computers within the OU.
Object GUID: {b7b1b3dd-ab09-4242-9e30-9980e5d322f7}

Migrate-SID-History
Extended right that enables a user to migrate the SID-History without administrator privileges.
Object GUID: {ba33815a-4f93-4c76-87f3-57574bff8109}

Reanimate-Tombstones
Control access right that allows deleted schema elements to be restored.
Object GUID: {45ec5156-db7e-47bb-b53f-dbeb2d03c40f}

Unexpire-Password
Extended control access right that allows a user to restore an expired password for a user object.
Object GUID: {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}

Update-Password-Not-Required-Bit
Extended control access right that allows a user to enable or disable the “password not required” setting for user objects.
Object GUID: {280f369c-67c7-438e-ae98-1d46f3c6f541}

group Object

Stores a list of user names. Used to apply security principals on resources.

Send-To
Exchange right: allows sending to a mailbox.
Object GUID: {ab721a55-1e2f-11d0-9819-00aa0040529b}

groupPolicyContainer Object

This represents the Group Policy Object. It is used to define group policies.

Apply-Group-Policy
Extended right used by Group Policy engine to determine if a GPO applies to a user/computer or not.
Object GUID: {edacfd8f-ffb3-11d1-b41d-00a0c968f939}

inetOrgPerson Object

This class represents an inetOrg person account in the domain.

Allowed-To-Authenticate
The control access right controls who can authenticate to a particular machine or service. It basically lives on computer, user and InetOrgPerson objects. It is also applicable on the domain object if access is allowed for the entire domain. It can be applied to OU’s to permit users to be able to set inheritable ACE’s on OU’s containing a set of user/computer objects.
Object GUID: {68b1d179-0d15-4d4f-ab71-46152e79a7bc}

Receive-As
Exchange right: allows receiving mail as a given mailbox.
Object GUID: {ab721a56-1e2f-11d0-9819-00aa0040529b}

Send-As
Exchange right: allows sending mail as the mailbox.
Object GUID: {ab721a54-1e2f-11d0-9819-00aa0040529b}

User-Change-Password
Permits changing password on user account.
Object GUID: {ab721a53-1e2f-11d0-9819-00aa0040529b}

User-Force-Change-Password
Permits resetting password on user account.
Object GUID: {00299570-246d-11d0-a768-00aa006e0529}

infrastructureUpdate Object

This object represents the infrastructure master for a domain.

Change-Infrastructure-Master
Extended right needed to change the infrastructure FSMO role owner.
Object GUID: {cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd}

Domain-Administer-Server
Legacy SAM right.
Object GUID: {ab721a52-1e2f-11d0-9819-00aa0040529b}

msDS-QuotaContainer Object

A special container that holds all quota specifications for the directory database.

DS-Query-Self-Quota
Control access right which allows a user to query the user's own quotas.
Object GUID: {4ecc03fe-ffc0-4947-b630-eb672a8a9dbc}

mSMQConfiguration Object

This object contains MSMQ configuration parameters for a specific computer. The attributes of this class are MSMQ specific, and are used for MSMQ routing decisions.

msmq-Peek-computer-Journal
Allows peeking at messages in the Computer Journal queue.
Object GUID: {4b6e08c3-df3c-11d1-9c86-006008764d0e}

msmq-Peek-Dead-Letter
Allows peeking at messages in the Dead Letter queue.
Object GUID: {4b6e08c1-df3c-11d1-9c86-006008764d0e}

msmq-Receive-computer-Journal
Allows receiving messages from the Computer Journal queue.
Object GUID: {4b6e08c2-df3c-11d1-9c86-006008764d0e}

msmq-Receive-Dead-Letter
Allows receiving messages from the Dead Letter queue.
Object GUID: {4b6e08c0-df3c-11d1-9c86-006008764d0e}

mSMQQueue Object

MSMQ users create queues (by MMC or by MSMQ API) according to their requirements. A queue is associated with a specific computer, and is placed under the MSMQ-Configuration of that computer. There is no limit to the number of queues per computer.

msmq-Peek
Allows peeking at messages in the queue.
Object GUID: {06bd3201-df3e-11d1-9c86-006008764d0e}

msmq-Receive
Allows receiving messages from the queue.
Object GUID: {06bd3200-df3e-11d1-9c86-006008764d0e}

msmq-Receive-journal
Allows receiving messages from the queue's Journal.
Object GUID: {06bd3203-df3e-11d1-9c86-006008764d0e}

msmq-Send
Allows sending messages to the queue.
Object GUID: {06bd3202-df3e-11d1-9c86-006008764d0e}

ntdsDSA Object

Represents the Active Directory DSA process on the server.

Abandon-Replication
Extended right needed to cancel a replication sync.
Object GUID: {ee914b82-0a98-11d1-adbb-00c04fd8d5cd}

Allocate-Rids
Extended right needed to request a RID pool.
Object GUID: {1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd}

Do-Garbage-Collection
Extended right to force the Directory Service to do garbage collection.
Object GUID: {fec364e0-0a98-11d1-adbb-00c04fd8d5cd}

DS-Check-Stale-Phantoms
Extended right needed to force DS to check stale phantom objects.
Object GUID: {69ae6200-7f46-11d2-b9ad-00c04f79f805}

Recalculate-Hierarchy
Extended right to force the DS to recalculate the hierarchy.
Object GUID: {0bc1554e-0a99-11d1-adbb-00c04fd8d5cd}

Recalculate-Security-Inheritance
Extended right needed to force DS to recompute ACL inheritance on a Naming Context.
Object GUID: {62dd28a8-7f46-11d2-b9ad-00c04f79f805}

Refresh-Group-Cache
This right supports logon without a global catalog (no-GC logon). No-GC logon relies on caching group memberships, and this control access right is used to grant administrators/operators the ability to cause an immediate refresh of the cache by contacting an available GC.
Object GUID: {9432c620-033c-4db7-8b58-14ef6d0bf477}

organizationalUnit Object

A container for storing users, computers, and other account objects.

Enable-Per-User-Reversibly-Encrypted-Password
Extended control access right that allows users to enable or disable the “reversible encrypted password” setting for user and computer objects.
Object GUID: {05c74c5e-4deb-43b4-bd9f-86664c2a7fd5}

pkiCertificateTemplate Object

Contains information for certificate issued by Certificate Server.

Certificate-Enrollment
Extended right needed to cause certificate enrollment.
Object GUID: {0e10c968-78fb-11d2-90d4-00c04f79dc55}

rIDManager Object

Contains the RID FSMO and the RID-Available-Pool location used by the RID Manager. The RID manager is a component running on the DC that is responsible for allocating security identifiers.

Change-Rid-Master
Extended right needed to change the relative identifier (RID) master FSMO role owner.
Object GUID: {d58d5f36-0a98-11d1-adbb-00c04fd8d5cd}

samServer Object

Holds a revision level and a security descriptor that specifies who can make RPC calls through the SAM interface.

SAM-Enumerate-Entire-Domain
This is a special control access right that can be used to restrict who is allowed to use downlevel APIs such as NetQueryDisplayInformation and NetUser/GroupEnum to enumerate the entire domain.
Object GUID: {91d67418-0135-4acc-8d79-c08e857cfbec}

site Object

A container for storing server objects. Represents a physical location containing computers. Used to manage replication.

msmq-Open-Connector
Allows opening the connector queue.
Object GUID: {b4e60130-df3f-11d1-9c86-006008764d0e}

user Object

This class represents a user account in the domain.

Allowed-To-Authenticate
The control access right controls who can authenticate to a particular machine or service. It basically lives on computer, user and InetOrgPerson objects. It is also applicable on the domain object if access is allowed for the entire domain. It can be applied to OU’s to permit users to be able to set inheritable ACE’s on OU’s containing a set of user/computer objects.
Object GUID: {68b1d179-0d15-4d4f-ab71-46152e79a7bc}

Receive-As
Exchange right: allows receiving mail as a given mailbox.
Object GUID: {ab721a56-1e2f-11d0-9819-00aa0040529b}

Send-As
Exchange right: allows sending mail as the mailbox.
Object GUID: {ab721a54-1e2f-11d0-9819-00aa0040529b}

User-Change-Password
Permits changing password on user account.
Object GUID: {ab721a53-1e2f-11d0-9819-00aa0040529b}

User-Force-Change-Password
Permits resetting password on user account.
Object GUID: {00299570-246d-11d0-a768-00aa006e0529}