Paramount Defenses


Active Directory Security Permissions

Active Directory permissions specify, govern and control the ability of a security principal to perform a technical operation on the Active Directory object it serves to protect. Active Directory security permissions reside in access control lists, which are a component of security descriptors that protect Active Directory objects.



The Active Directory security model recognizes and enforces eleven Active Directory security permissions –

  1. List Child (LC)

  2. List Object (LO)

  3. Read Control (RC)

  4. Read Property (RP)

  5. Write Property (WP)

  6. Create Child (CC)

  7. Delete Child (DC)

  8. Standard Delete (SD)

  9. Delete Tree (DT)

  10. Write DACL (WD)

  11. Write Owner (WO)


  • Note – In addition to these eleven standard Active Directory security permissions, two special types of permissions, known as Extended Rights and Validated Writes control the ability to perform specific Active Directory related operations.


  • The following is a brief description of these eleven standard Active Directory security permissions –


    1. List Child (LC) – In the List Child object visibility mode (the default), the List Child permission controls the ability of a security principal to view the child objects of the object (in whose ACL this permission exists).

      In the List Object object visibility mode, this permission has no effect.


    2. List Object (LO) – In the List Object object visibility mode, the List Object permission controls the ability of a security principal to view the child objects of the object (in whose ACL this permission exists). Specifically, in this mode, a security principal can only view a child object if it is granted the List Object permission both on the child object and on the parent object.

      In the List Child object visibility mode, the List Object permission has no effect.


    3. Read Control (RC) – The Read Control permission controls the ability of a security principal to read the Owner, the Primary Group and the Discretionary Access Control List (DACL) fields, but not the System Access Control List (SACL) field, of the Security Descriptor protecting the object.


    4. Read Property (RP) – The Read Property permission controls the ability of a security principal to read the properties of an object.

      If the ObjectType member of the access control entry (ACE) in which this permission is specified specifies a globally unique identifier (GUID) of a specific Active Directory property, the permission only controls read access to that specific attribute.

      If the ObjectType member of the ACE does not specify a GUID, then the permission controls read access to all the properties of the object.


    5. Write Property (WP) – The Write Property permission controls the ability of a security principal to modify (write to) the properties of an object.

      If the ObjectType member of the ACE in which this permission is specified specifies a GUID of a specific Active Directory property, the permission only controls modify (write) access to that specific attribute.

      If the ObjectType member of the ACE does not specify a GUID, then the permission controls modify (write) access to all the properties of the object.


    6. Create Child (CC) – The Create Child permission controls the ability of a security principal to create child objects under an object.

      If the ObjectType member of the ACE in which this permission is specified specifies a GUID of a specific Active Directory object class, the permission only controls the ability to create child objects of the specified Active Directory class.

      If the ObjectType member of the ACE does not specify a GUID, then the permission controls the ability to create child objects of any Active Directory class, as permissible by the Active Directory Schema's rules.


    7. Delete Child (DC) – The Delete Child permission controls the ability of a security principal to delete a child object directly underneath an object.

      If the ObjectType member of the ACE in which this permission is specified specifies a GUID of a specific Active Directory object class, the permission only controls the ability to delete child objects of the specified Active Directory class.

      If the ObjectType member of the ACE does not specify a GUID, then the permission controls the ability to delete child objects of any Active Directory class.


    8. Standard Delete (SD) – The Standard Delete permission controls the ability of a security principal to delete the Active Directory object in whose DACL the permission resides.


    9. Delete Tree (DT) – The Delete Tree permission controls the ability of a security principal to delete an entire (sub-)tree of objects regardless of the permissions specified on the individual objects in the tree.

      The root of this tree is the object in whose DACL this permission resides.


    10. Write DACL (WD) – The Write DACL permission controls the ability of a security principal to modify the discretionary access control list (DACL) protecting the Active Directory object in whose DACL the permission resides.


    11. Write Owner (WO) – The Write Owner permission controls the ability of a security principal to assume ownership of the Active Directory object in whose DACL the permission resides.



    Active Directory Extended Rights

    While standard operations on objects stored in and protected by Active Directory are governed by standard Active Directory permissions, there are certain operations that have special significance, and require special or extended permissions for their authorization.

    These special or extended permissions govern the ability of a user to perform specific Active Directory operations, or Active Directory based identity and access management operations, and are often referred to as Active Directory Extended Rights.

    The Active Directory security model currently recognizes more than fifty extended rights.


    Active Directory Validated Writes

    Validated writes represent a special type of Active Directory security permissions that facilitates pre-commit validation during write attempts to certain properties on certain Active Directory objects.

    They serve to ensure that the value entered for a property conforms to required semantics, i.e. falls within an acceptable range of values, or undergoes some other special checking that would not be performed for a simple low-level write to the property.

    The Active Directory security model recognizes and enforces three validated writes –

    1. Self-Membership

    2. Validated-DNS-Host-Name

    3. Validated-SPN


    In this manner, together, Active Directory security permissions, Active Directory extended rights and Active Directory validated writes protect Active Directory content.
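    The permissions above are stored as bits in the access mask of an access control entry (ACE), and the text's rule that an ObjectType GUID narrows Read Property, Write Property, Create Child and Delete Child to one attribute or class (no GUID meaning all of them) is easiest to see by decoding an ACE. The same access mask carries the two special bits for extended rights (SDDL code CR) and validated writes (SDDL code SW) discussed in the two sections above, so one decoder covers both. The following Python is an added example written for this page, not tooling from Paramount Defenses; the ACE strings, SIDs and the attribute GUID it decodes are constructed placeholders, and the bit values are the documented ADS_RIGHT_* and standard-rights constants that the SDDL two-letter codes stand for.

```python
"""Decode an Active Directory ACE written in SDDL into the permissions
described above. Example code for illustration, not vendor tooling."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Access-mask bits behind the eleven standard permissions plus the two
# special bits (CR = extended rights, SW = validated writes). Keys are the
# SDDL codes; the dict is declared in ascending bit order on purpose.
RIGHTS: Dict[str, Tuple[int, str]] = {
    "CC": (0x00000001, "Create Child"),
    "DC": (0x00000002, "Delete Child"),
    "LC": (0x00000004, "List Child"),
    "SW": (0x00000008, "Validated Write"),
    "RP": (0x00000010, "Read Property"),
    "WP": (0x00000020, "Write Property"),
    "DT": (0x00000040, "Delete Tree"),
    "LO": (0x00000080, "List Object"),
    "CR": (0x00000100, "Control Access (extended right)"),
    "SD": (0x00010000, "Standard Delete"),
    "RC": (0x00020000, "Read Control"),
    "WD": (0x00040000, "Write DACL"),
    "WO": (0x00080000, "Write Owner"),
}

# Rights whose meaning an ObjectType GUID narrows: (with GUID, without GUID).
GUID_SCOPED = {
    "RP": ("only the attribute", "all attributes"),
    "WP": ("only the attribute", "all attributes"),
    "CC": ("only child objects of class", "child objects of any class"),
    "DC": ("only child objects of class", "child objects of any class"),
    "CR": ("only the extended right", "all extended rights"),
    "SW": ("only the validated write", "all validated writes"),
}

# Rights that let the holder rewrite the object's own protection; a DACL
# review should always account for who holds them.
CONTROL_RIGHTS = {"WD", "WO"}

# (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"^\((\w+);(\w*);([^;]*);([^;]*);([^;]*);([^)]+)\)$")


@dataclass
class DecodedAce:
    ace_type: str               # A = allow, D = deny, OA/OD = object-specific
    inherited: bool             # ID flag set: ACE came from a parent object
    mask: int
    rights: List[str]           # SDDL codes, in access-mask bit order
    object_type: Optional[str]  # ObjectType GUID, or None when absent
    trustee: str

    def scope(self, code: str) -> str:
        """What the right applies to, following the rule stated in the text."""
        if code not in GUID_SCOPED:
            return "the object"
        narrow, broad = GUID_SCOPED[code]
        return f"{narrow} {self.object_type}" if self.object_type else broad

    def control_rights(self) -> List[str]:
        return [r for r in self.rights if r in CONTROL_RIGHTS]


def parse_access_mask(rights_field: str) -> int:
    """Rights field is a hex mask ('0x20094') or concatenated codes ('RPWP')."""
    if rights_field.lower().startswith("0x"):
        return int(rights_field, 16)
    if len(rights_field) % 2:
        raise ValueError(f"odd-length rights field: {rights_field!r}")
    mask = 0
    for i in range(0, len(rights_field), 2):
        code = rights_field[i:i + 2]
        if code not in RIGHTS:
            raise ValueError(f"unsupported rights code: {code!r}")
        mask |= RIGHTS[code][0]
    return mask


def decode_ace(sddl_ace: str) -> DecodedAce:
    m = ACE_RE.match(sddl_ace.strip())
    if not m:
        raise ValueError(f"not an SDDL ACE: {sddl_ace!r}")
    ace_type, flags, rights, obj_guid, _inherit_guid, trustee = m.groups()
    mask = parse_access_mask(rights)
    flag_codes = {flags[i:i + 2] for i in range(0, len(flags), 2)}
    return DecodedAce(
        ace_type=ace_type,
        inherited="ID" in flag_codes,
        mask=mask,
        rights=[code for code, (bit, _) in RIGHTS.items() if mask & bit],
        object_type=obj_guid or None,
        trustee=trustee,
    )


def describe(ace: DecodedAce) -> List[str]:
    return [f"{RIGHTS[c][1]} ({c}) on {ace.scope(c)}" for c in ace.rights]


# Constructed sample ACEs: SIDs and the attribute GUID are placeholders.
SAMPLE_ACES = [
    "(A;;CCDCLCRPWPDTLOSDRCWDWO;;;S-1-5-21-111111111-222222222-333333333-1105)",
    "(OA;CIID;WP;11111111-2222-3333-4444-555555555555;;S-1-5-11)",
    "(A;;0x20094;;;S-1-1-0)",
]

if __name__ == "__main__":
    for raw in SAMPLE_ACES:
        ace = decode_ace(raw)
        print(raw, "-> trustee", ace.trustee, "(inherited)" if ace.inherited else "")
        for line in describe(ace):
            print("   ", line)
        if ace.control_rights():
            print("    grants control over the object's protection:", ace.control_rights())
```

    The first sample carries all eleven standard permissions and so reports both Write DACL and Write Owner as control rights; the second is an object-specific ACE whose ObjectType GUID confines Write Property to a single attribute; the third uses a hex mask and decodes to List Child, Read Property, List Object and Read Control, with Read Property reported against all attributes because no GUID is present.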



