Appendix C: Default Permissions for a Computer Object
The default permissions for an Active Directory Computer object in Windows Server 2003 are:
Account operators
- Full control
Domain administrators
- Full control
System
- Full control
Authenticated users
- Read, Read Account Restrictions, Read DNS Host Name Attributes, Read Personal Information, Read Public Information
- Special: List contents, Read All Properties, Read Permissions
Creator owner
- Read, Allowed to authenticate, Change Password, Receive As, Reset Password, Send As, Validated write to DNS host name, Validated write to service principal name, Read Account Restrictions, Write Account Restrictions, Read DNS Host Name Attributes, Read Personal Information, Read Public Information
- Special: List contents, Read All Properties, Delete, Delete Subtree, Read Permissions, All Extended Rights, Allowed to authenticate, Change Password, Receive As, Reset Password, Send As
- Write Account Restrictions
- Validated Write to DNS host name
- Validated Write to service principal name
- Write computer name (pre-Windows 2000)
- Write description
Everyone
- Change password
Print operator
- Create/Delete printer objects
Self
- Create All Child Objects
- Delete All Child Objects
- Various other applicationVersion and property objects
- Validated write to service principal name
- Read/write personal information
- Validated write to DNS host name
Windows Authorization Access Group
- Read property (tokenGroupsGlobalAndUniversal)
Cert Publishers
- Read userCertificate
- Write userCertificate