Appendix D: Active Directory Extended Rights
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This appendix contains all of the extended rights defined in the Windows 2000 Server and Windows Server 2003 Active Directory schemas. The following table defines the terms used in the tables that describe these rights.
| Item | Description |
|---|---|
CN (Common Name) |
Every object in the DS has a naming attribute from which its relative distinguished name is formed. The naming attribute for control-Access-Right objects is Common-Name. |
Display-Name |
The Common-Name of an object might not be descriptive enough for some users; Display-Name provides a more descriptive name. |
Rights-GUID |
The unique ID for identifying a control access right. |
Applies-to |
A list of GUIDs that represent the objects to which this property set applies. For example, e5209ca2-3bba-11d2-90cc-00c04fd91ab1 refers to PKI-Certificate-Template objects. |
Extended Rights Defined in the Windows 2000 Active Directory Schema
The tables in this section contain extended rights defined in the Windows 2000 Active Directory schema.
Abandon-Replication*
| Item | Description |
|---|---|
Description |
Extended right needed to cancel a replication sync. |
CN |
Abandon-Replication |
Display-Name |
Abandon Replication |
Rights-GUID |
ee914b82-0a98-11d1-adbb-00c04fd8d5cd |
Applies-To |
NTDS-DSA |
* This right is not used.
Add-GUID
| Item | Description |
|---|---|
Description |
Extended right needed at the NC root to add an object with a specific GUID. |
CN |
Add-GUID |
Display-Name |
Add GUID |
Rights-GUID |
440820ad-65b4-11d1-a3da-0000f875ae0d |
Applies-To |
Domain-DNS |
Allocate-RIDs
| Item | Description |
|---|---|
Description |
Extended right needed to request a pool of RIDs. |
CN |
Allocate-RIDs |
Display-Name |
Allocate RIDs |
Rights-GUID |
1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd |
Applies-To |
NTDS-DSA |
Apply-Group-Policy
| Item | Description |
|---|---|
Description |
Extended right used by Group Policy engine to determine whether a GPO applies to a particular user or computer. |
CN |
Apply-Group-Policy |
Display-Name |
Apply Group Policy |
Rights-GUID |
edacfd8f-ffb3-11d1-b41d-00a0c968f939 |
Applies-To |
Group-Policy-Container |
Certificate-Enrollment
| Item | Description |
|---|---|
Description |
Extended right needed to cause certificate enrollment. |
CN |
Certificate-Enrollment |
Display-Name |
Check Stale Phantoms |
Rights-GUID |
69ae6200-7f46-11d2-b9ad-00c04f79f805 |
Applies-To |
PKI-Certificate-Template |
Change-Domain-Master
| Item | Description |
|---|---|
Description |
Extended right needed to change the Domain Master role owner. |
CN |
Change-Domain-Master |
Display-Name |
Change Domain Master |
Rights-GUID |
014bf69c-7b3b-11d1-85f6-08002be74fab |
Applies-To |
Cross-Ref-Container |
Change-Infrastructure-Master
| Item | Description |
|---|---|
Description |
Extended right needed to change the Infrastructure FSMO role owner. |
CN |
Change-Infrastructure-Master |
Display-Name |
Change Infrastructure Master |
Rights-GUID |
cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd |
Applies-To |
Infrastructure-Update |
Change-PDC
| Item | Description |
|---|---|
Description |
Extended right needed to change the PDC Emulator role owner. |
CN |
Change-PDC |
Display-Name |
Change PDC |
Rights-GUID |
bae50096-4752-11d1-9052-00c04fc2d4cf |
Applies-To |
Domain-DNS |
Change-RID-Master
| Item | Description |
|---|---|
Description |
Extended right needed to change the RID-Master role owner. |
CN |
Change-RID-Master |
Display-Name |
Change RID Master |
Rights-GUID |
d58d5f36-0a98-11d1-adbb-00c04fd8d5cd |
Applies-To |
RID-Manager |
Change-Schema-Master
| Item | Description |
|---|---|
Description |
Extended right needed to change the Schema Master FSMO role owner. |
CN |
Change-Schema-Master |
Display-Name |
Change Schema Master |
Rights-GUID |
e12b56b6-0a95-11d1-adbb-00c04fd8d5cd |
Applies-To |
DMD |
Do-Garbage-Collection
| Item | Description |
|---|---|
Description |
Extended right to force the directory service to do garbage collection. |
CN |
Do-Garbage-Collection |
Display-Name |
Do Garbage Collection |
Rights-GUID |
fec364e0-0a98-11d1-adbb-00c04fd8d5cd |
Applies-To |
NTDS-DSA |
Domain-Administer-Server
| Item | Description |
|---|---|
Description |
Legacy SAM right. |
CN |
Domain-Administer-Server |
Display-Name |
Domain Administer Server |
Rights-GUID |
ab721a52-1e2f-11d0-9819-00aa0040529b |
Applies-To |
Sam-Server |
DS-Check-Stale-Phantoms
| Item | Description |
|---|---|
Description |
Extended right needed to force the directory service to check stale phantom objects. |
CN |
DS-Check-Stale-Phantoms |
Display-Name |
Check Stale Phantoms |
Rights-GUID |
69ae6200-7f46-11d2-b9ad-00c04f79f805 |
Applies-To |
NTDS-DSA |
DS-Install-Replica
| Item | Description |
|---|---|
Description |
Extended right needed to do a replica install. |
CN |
DS-Install-Replica |
Display-Name |
Add/Remove Replica In Domain |
Rights-GUID |
9923a32a-3607-11d2-b9be-0000f87a36b2 |
Applies-To |
Domain-DNS |
DS-Replication-Get-Changes
| Item | Description | ||
|---|---|---|---|
Description |
Extended right needed to replicate changes from a given NC.
|
||
CN |
DS-Replication-Get-Changes |
||
Display-Name |
Replicating Directory Changes |
||
Rights-GUID |
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 |
||
Applies-To |
Configuration DMD Domain-DNS |
.gif "note")
NoteDS-Replication-Manage-Topology
| Item | Description |
|---|---|
Description |
Extended right needed to update the replication topology for a given NC. |
CN |
DS-Replication-Manage-Topology |
Display-Name |
Manage Replication Topology |
Rights-GUID |
1131f6ac-9c07-11d1-f79f-00c04fc2dcd2 |
Applies-To |
Configuration DMD Domain-DNS |
DS-Replication-Synchronize
| Item | Description |
|---|---|
Description |
Extended right needed to synchronize replication from a given NC. |
CN |
DS-Replication-Synchronize |
Display-Name |
Replication Synchronization |
Rights-GUID |
1131f6ab-9c07-11d1-f79f-00c04fc2dcd2 |
Applies-To |
Configuration DMD Domain-DNS |
msmq-Open-Connector
| Item | Description |
|---|---|
Description |
Allows opening the connector queue. |
CN |
msmq-Open-Connector |
Display-Name |
Open Connector Queue |
Rights-GUID |
b4e60130-df3f-11d1-9c86-006008764d0e |
Applies-To |
Site |
msmq-Peek
| Item | Description |
|---|---|
Description |
Allows peeking at messages in the queue. |
CN |
msmq-Peek |
Display-Name |
Peek Message |
Rights-GUID |
06bd3201-df3e-11d1-9c86-006008764d0e |
Applies-To |
MSMQ-Queue |
msmq-Peek-computer-Journal
| Item | Description |
|---|---|
Description |
Allows peeking at messages in the Computer Journal queue. |
CN |
Msmq-Peek-computer-Journal |
Display-Name |
Peek Computer Journal |
Rights-GUID |
4b6e08c3-df3c-11d1-9c86-006008764d0e |
Applies-To |
MSMQ-Configuration |
msmq-Peek-Dead-Letter
| Item | Description |
|---|---|
Description |
Allows peeking at messages in the Dead Letter queue. |
CN |
Msmq-Peek-Dead-Letter |
Display-Name |
Peek Dead Letter |
Rights-GUID |
4b6e08c1-df3c-11d1-9c86-006008764d0e |
Applies-To |
MSMQ-Configuration |
msmq-Receive
| Item | Description |
|---|---|
Description |
Allows receiving messages from the queue. |
CN |
msmq-Receive |
Display-Name |
Receive Message |
Rights-GUID |
06bd3200-df3e-11d1-9c86-006008764d0e |
Applies-To |
MSMQ-Queue |
msmq-Receive-computer-Journal
| Item | Description |
|---|---|
Description |
Allows receiving messages from the Computer Journal queue. |
CN |
Msmq-Receive-computer-Journal |
Display-Name |
Receive Computer Journal |
Rights-GUID |
4b6e08c2-df3c-11d1-9c86-006008764d0e |
Applies-To |
MSMQ-Configuration |
msmq-Receive-Dead-Letter
| Item | Description |
|---|---|
Description |
Allows receiving messages from the Dead Letter queue. |
CN |
Msmq-Receive-Dead-Letter |
Display-Name |
Receive Dead Letter |
Rights-GUID |
4b6e08c0-df3c-11d1-9c86-006008764d0e |
Applies-To |
MSMQ-Configuration |
msmq-Receive-journal
| Item | Description |
|---|---|
Description |
Allows receiving messages from the queue’s Journal. |
CN |
msmq-Receive-journal |
Display-Name |
Receive Journal |
Rights-GUID |
06bd3203-df3e-11d1-9c86-006008764d0e |
Applies-To |
MSMQ-Queue |
msmq-Send
| Item | Description |
|---|---|
Description |
Allows sending messages to the queue. |
CN |
msmq-Send |
Display-Name |
Send Message |
Rights-GUID |
06bd3202-df3e-11d1-9c86-006008764d0e |
Applies-To |
MSMQ-Queue |
Open-Address-Book
| Item | Description |
|---|---|
Description |
Extended right checked when opening address book object for address book views. |
CN |
Open-Address-Book |
Display-Name |
Open Address List |
Rights-GUID |
a1990816-4298-11d1-ade2-00c04fd8d5cd |
Applies-To |
Address-Book-Container |
Recalculate-Hierarchy
| Item | Description |
|---|---|
Description |
Extended right to force the DS to recalculate the hierarchy. |
CN |
Recalculate-Hierarchy |
Display-Name |
Recalculate Hierarchy |
Rights-GUID |
0bc1554e-0a99-11d1-adbb-00c04fd8d5cd |
Applies-To |
NTDS-DSA |
Recalculate-Security-Inheritance
| Item | Description |
|---|---|
Description |
Extended right needed to force DS to recompute ACL inheritance on a naming context. |
CN |
Recalculate-Security-Inheritance |
Display-Name |
Recalculate Security Inheritance |
Rights-GUID |
62dd28a8-7f46-11d2-b9ad-00c04f79f805 |
Applies-To |
NTDS-DSA |
Receive-As
| Item | Description |
|---|---|
Description |
Exchange right: allows receiving mail as a given mailbox. |
CN |
Receive-As |
Display-Name |
Receive As |
Rights-GUID |
ab721a56-1e2f-11d0-9819-00aa0040529b |
Applies-To |
Computer User |
Send-As
| Item | Description |
|---|---|
Description |
Exchange right: allows sending mail as the mailbox. |
CN |
Send-As |
Display-Name |
Send As |
Rights-GUID |
ab721a54-1e2f-11d0-9819-00aa0040529b |
Applies-To |
Computer User |
Send-To
| Item | Description |
|---|---|
Description |
Exchange right: allows sending to a mailbox. |
CN |
Send-To |
Display-Name |
Send To |
Rights-GUID |
ab721a55-1e2f-11d0-9819-00aa0040529b |
Applies-To |
Group |
Update-Schema-Cache
| Item | Description |
|---|---|
Description |
Extended right to force a schema cache update. |
CN |
Update-Schema-Cache |
Display-Name |
Update Schema Cache |
Rights-GUID |
be2bb760-7f46-11d2-b9ad-00c04f79f805 |
Applies-To |
DMD |
User-Change-Password
| Item | Description |
|---|---|
Description |
Permits changing password on user account. |
CN |
User-Change-Password |
Display-Name |
Change Password |
Rights-GUID |
ab721a53-1e2f-11d0-9819-00aa0040529b |
Applies-To |
Computer User |
User-Force-Change-Password
| Item | Description |
|---|---|
Description |
Permits resetting password on user account. |
CN |
User-Force-Change-Password |
Display-Name |
Reset Password |
Rights-GUID |
00299570-246d-11d0-a768-00aa006e0529 |
Applies-To |
Computer User |
Windows Server 2003 Active Directory Schema Extended Rights
Allowed-To-Authenticate
| Item | Description |
|---|---|
Description |
This extended right controls who can authenticate to a particular machine or service. It is applied on computer, user and InetOrgPerson objects. It is also applicable on the domain object if access is allowed for the entire domain. It can be applied to OUs to permit users to be able to set inheritable ACEs on OUs containing a set of user/computer objects. |
CN |
Allowed-To-Authenticate |
Display-Name |
Allowed to Authenticate |
Rights-GUID |
68B1D179-0D15-4d4f-AB71-46152E79A7BC |
Applies-To |
Computer inetOrgPerson User |
Create-Inbound-Forest-Trust
| Item | Description |
|---|---|
Description |
Extended right that enables users to create an inbound-only trust between forests by adding them to the appropriate group. |
CN |
Create-Inbound-Forest-Trust |
Display-Name |
Create Inbound Forest Trust |
Rights-GUID |
e2a36dc9-ae17-47c3-b58b-be34c55ba633 |
Applies-To |
Domain-DNS |
DS-Execute-Intentions-Script
| Item | Description |
|---|---|
Description |
Extended right, which should be granted to the partitions container, that allows the Rendom.exe or prepare operation to be used in a domain rename. This control access right also appears as an audit-only right when the Redom.exe or execute step operations are performed. |
CN |
DS-Execute-Intentions-Script |
Display-Name |
Execute Forest Update Script |
Rights-GUID |
2f16c4a5-b98e-432c-952a-cb388ba33f2e |
Applies-To |
Cross-Ref-Container |
DS-Query-Self-Quota
| Item | Description |
|---|---|
Description |
Control access right which allows a user to query the user’s own quotas. |
CN |
DS-Query-Self-Quota |
Display-Name |
Query Self Quota |
Rights-GUID |
4ecc03fe-ffc0-4947-b630-eb672a8a9dbc |
Applies-To |
ms-DS-Quota-Container |
DS-Replication-Get-Changes
| Item | Description | ||
|---|---|---|---|
Description |
Extended right needed to replicate only those changes from a given NC that are also replicated to the Global Catalog (which excludes secret domain data). This constraint is only meaningful for Domain NCs.
|
||
CN |
DS-Replication-Get-Changes |
||
Display-Name |
Replicating Directory Changes |
||
Rights-GUID |
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 |
||
Applies-To |
Configuration DMD Domain-DNS |
DS-Replication-Get-Changes-All
| Item | Description | ||
|---|---|---|---|
Description |
Control access right that allows the replication of all data in a given replication NC, including secret domain data.
|
||
CN |
DS-Replication-Get-Changes-All |
||
Display-Name |
Replicating Directory Changes All |
||
Rights-GUID |
1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 |
||
Applies-To |
Configuration DMD Domain-DNS |
DS-Replication-Monitor-Topology
| Item | Description |
|---|---|
Description |
Extended control access right that allows the reading of replication monitoring data, such as replication status and object metadata. |
CN |
DS-Replication-Monitor-Topology |
Display-Name |
Monitor Active Directory Replication |
Rights-GUID |
f98340fb-7c5b-4cdb-a00b-2ebdfa115a96 |
Applies-To |
Configuration DMD Domain-DNS |
Enable-Per-User-Reversibly-Encrypted-Password
| Item | Description |
|---|---|
Description |
Extended right that allows users to enable or disable the “reversible encrypted password” setting for user and computer objects. |
CN |
Enable-Per-User-Reversibly-Encrypted-Password |
Display-Name |
Enable Per User Reversibly Encrypted Password |
Rights-GUID |
05c74c5e-4deb-43b4-bd9f-86664c2a7fd5 |
Applies-To |
Domain-DNS |
Generate-RSoP-Logging
| Item | Description |
|---|---|
Description |
The user who has this right on an OU/Domain will be able to generate logging mode RSoP data for the users/computers within the OU. |
CN |
Generate-RSoP-Logging |
Display-Name |
Generate Resultant Set of Policy (Logging) |
Rights-GUID |
b7b1b3de-ab09-4242-9e30-9980e5d322f7 |
Applies-To |
Domain-DNS Organizational-Unit |
Generate-RSoP-Planning
| Item | Description |
|---|---|
Description |
The user who has this right on an OU/Domain will be able to generate planning mode RSoP data for the users/computers within the OU. |
CN |
Generate-RSoP-Planning |
Display-Name |
Generate Resultant Set of Policy (Planning) |
Rights-GUID |
b7b1b3dd-ab09-4242-9e30-9980e5d322f7 |
Applies-To |
Domain-DNS Organizational-Unit |
Migrate-SID-History
| Item | Description |
|---|---|
Description |
Extended right that enables a user to migrate the SID-History without administrator privileges. |
CN |
Migrate-SID-History |
Display-Name |
Migrate SID History |
Rights-GUID |
BA33815A-4F93-4c76-87F3-57574BFF8109 |
Applies-To |
Domain-DNS |
Reanimate-Tombstones
| Item | Description |
|---|---|
Description |
Extended right that allows deleted schema elements to be restored. |
CN |
Reanimate-Tombstones |
Display-Name |
Reanimate Tombstones |
Rights-GUID |
45EC5156-DB7E-47bb-B53F-DBEB2D03C40F |
Applies-To |
Configuration DMD Domain-DNS |
Refresh-Group-Cache
| Item | Description |
|---|---|
Description |
For Universal group membership caching. Universal group membership caching relies on caching group memberships and this control access right is used to provide administrators/operators with rights to cause an immediate refresh of the cache, contacting an available global catalog server. |
CN |
Refresh-Group-Cache |
Display-Name |
Refresh Group Cache for Logons |
Rights-GUID |
9432c620-033c-4db7-8b58-14ef6d0bf477 |
Applies-To |
NTDS-DSA |
Valid-Accesses |
0x100 |
Localization-Display-ID |
56 |
SAM-Enumerate-Entire-Domain
| Item | Description |
|---|---|
Description |
This extended right is used to restrict who can be allowed to use down-level APIs such as NetQueryDisplayInformation and NetUser/GroupEnum and enumerate the entire domain. |
CN |
SAM-Enumerate-Entire-Domain |
Display-Name |
Enumerate Entire SAM Domain |
Rights-GUID |
91d67418-0135-4acc-8d79-c08e857cfbec |
Applies-To |
Sam-Server |
Unexpire-Password
| Item | Description |
|---|---|
Description |
Extended right that allows a user to restore an expired password for a user object. |
CN |
Unexpire-Password |
Display-Name |
Unexpire Password |
Rights-GUID |
ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501 |
Applies-To |
Domain-DNS |
Update-Password-Not-Required-Bit
| Item | Description |
|---|---|
Description |
Extended right that allows a user to enable or disable the “password not required” setting for user objects. |
CN |
Update-Password-Not-Required-Bit |
Display-Name |
Update Password Not Required Bit |
Rights-GUID |
280f369c-67c7-438e-ae98-1d46f3c6f541 |
Applies-To |
Domain-DNS |