Default AD DS Permissions for a Computer Object

Applies To: Windows 7, Windows Server 2008 R2

The default permissions for an Active Directory computer object in Windows Server 2008 and Windows Server 2008 R2 are listed below. These are the explicit access control entries (ACEs) that the schema's defaultSecurityDescriptor for the computer class places on a new computer object at creation time; ACEs inherited from the parent OU or domain are not included in this list, so the effective DACL on a given object is usually larger than what is shown here.

Account Operators

  • Full Control (includes Write DACL and Write Owner, so membership in this group is effectively control of the computer account)

Domain Admins

  • Full Control

SYSTEM

  • Full Control

Authenticated Users

  • Read, Read Account Restrictions, Read DNS Host Name Attributes, Read Personal Information, Read Public Information

  • Special: List Contents, Read All Properties, Read Permissions

CREATOR OWNER (resolved at creation time to the security principal that created the object, for example the account that joined the computer to the domain)

  • Read, Allowed to Authenticate, Change Password, Receive As, Reset Password, Send As, Validated Write to DNS Host Name, Validated Write to Service Principal Name, Read Account Restrictions, Write Account Restrictions, Read DNS Host Name Attributes, Read Personal Information, Read Public Information

  • Special: List Contents, Read All Properties, Delete, Delete Subtree, Read Permissions, All Extended Rights, Allowed to Authenticate, Change Password, Receive As, Reset Password, Send As

  • Write Account Restrictions

  • Validated Write to DNS Host Name

  • Validated Write to Service Principal Name

  • Write Computer Name (pre-Windows 2000)

  • Write Description

Everyone

  • Change Password (the User-Change-Password extended right, which requires the current password; it is distinct from Reset Password, which does not)

Print Operators

  • Create/Delete printer (printQueue) child objects

SELF (the computer account itself)

  • Create All Child Objects

  • Delete All Child Objects

  • Various other applicationVersion and property objects

  • Validated Write to Service Principal Name

  • Read/Write Personal Information

  • Validated Write to DNS Host Name

  The validated writes allow the computer to maintain its own SPNs and DNS host name but reject values that do not match the account's own name; they do not grant an unrestricted write to those attributes.

Windows Authorization Access Group

  • Read Property (tokenGroupsGlobalAndUniversal)

Cert Publishers

  • Read Property (userCertificate)

  • Write Property (userCertificate)
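The list above is a baseline; a practitioner typically wants to check a live object against it and spot delegations that were added later. The following PowerShell is an added example, not part of the original page and not Microsoft's code. It assumes the ActiveDirectory module (RSAT) is available, that the caller can read the target object, the schema and the Extended-Rights container, and that the computer name passed in (WS01 below) is a placeholder. It reads the explicit (non-inherited) ACEs of a computer object, resolves extended-right and attribute GUIDs to names, and flags any trustee that is not one of the principals in the default list, or any non-default trustee holding rights that amount to control of the account. It also reads the computer class's defaultSecurityDescriptor so the forest's actual default (in SDDL) can be compared with this page.

```powershell
# Added example: audit a computer object's explicit ACEs against the defaults
# listed on this page. Requires the ActiveDirectory module. ComputerName is an
# assumed parameter; 'WS01' in the usage line is a placeholder.
Import-Module ActiveDirectory

# Principals that appear in the default list on this page. Any other trustee
# with an explicit ACE is a deviation from the schema default.
$DefaultTrustees = @(
    'Account Operators', 'Domain Admins', 'SYSTEM', 'Authenticated Users',
    'CREATOR OWNER', 'Everyone', 'Print Operators', 'SELF',
    'Windows Authorization Access Group', 'Cert Publishers'
)

function Get-AdGuidMap {
    # Build a GUID -> name lookup from the forest itself (no hard-coded GUIDs):
    # controlAccessRight objects give extended rights and property sets,
    # schema objects give attribute and class names. ObjectType on an ACE is
    # one of these GUIDs, or the empty GUID meaning "any object type".
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.ConfigurationNamingContext `
        -LDAPFilter '(objectClass=controlAccessRight)' `
        -Properties rightsGuid, displayName |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
        -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[System.Guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    $map[[guid]::Empty] = 'All (any object type)'
    return $map
}

function Get-ComputerClassDefaultSddl {
    # The schema default that produces the list above, as SDDL. Compare this
    # with the page if the forest has had its schema defaults modified.
    $schemaNC = (Get-ADRootDSE).SchemaNamingContext
    (Get-ADObject -Identity "CN=Computer,$schemaNC" `
        -Properties defaultSecurityDescriptor).defaultSecurityDescriptor
}

function Get-ComputerObjectAce {
    param([Parameter(Mandatory)][string]$ComputerName)

    $guidMap  = Get-AdGuidMap
    $computer = Get-ADComputer -Identity $ComputerName
    $acl      = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)

    foreach ($ace in $acl.Access) {
        # Inherited ACEs come from the OU or domain head, not from the class
        # default, so they are outside the scope of this comparison.
        if ($ace.IsInherited) { continue }

        # Strip the domain or BUILTIN prefix so names match the list above.
        $shortName = $ace.IdentityReference.Value.Split('\')[-1]
        $isDefault = $DefaultTrustees -contains $shortName

        # A non-default trustee with generic or DACL/owner write rights can
        # take over the machine account (reset its password, write its
        # attributes, or grant itself more rights); flag it for review.
        $takeover = $ace.ActiveDirectoryRights -match `
            'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'

        [pscustomobject]@{
            Trustee          = $ace.IdentityReference.Value
            Type             = $ace.AccessControlType
            Rights           = $ace.ActiveDirectoryRights
            ObjectType       = $(if ($guidMap.ContainsKey($ace.ObjectType)) {
                                    $guidMap[$ace.ObjectType] } else { $ace.ObjectType })
            IsDefaultTrustee = $isDefault
            ReviewTakeover   = (-not $isDefault) -and $takeover
        }
    }
}

# Usage (placeholder computer name):
Get-ComputerObjectAce -ComputerName 'WS01' |
    Sort-Object ReviewTakeover -Descending |
    Format-Table Trustee, Type, Rights, ObjectType, IsDefaultTrustee, ReviewTakeover -AutoSize
```

Rows with ReviewTakeover set to True are the ones to look at first; an explicit ACE for a trustee outside the default list is not necessarily wrong (help-desk delegations are common), but one that carries GenericAll, WriteDacl, WriteOwner or a broad WriteProperty gives that trustee the same control over the machine account that Account Operators hold by default. Also check the object's owner (`(Get-Acl "AD:\<dn>").Owner`), since an owner can rewrite the DACL regardless of the ACEs present.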