Share via

3.1.1.4.4 Extended Access Checks

  • Article

Some attributes require different access than that specified in the previous section.

The security context of the requester MUST be granted the indicated rights on OA by O!nTSecurityDescriptor unless otherwise specified. If not granted, then the value is treated as "does not exist" in the returned attributes and the LDAP filter.

OA

Requires right(s)

nTSecurityDescriptor

(ACCESS_SYSTEM_SECURITY)

and (RIGHT_READ_CONTROL)

msDS-QuotaEffective

(RIGHT_DS_READ_PROPERTY on the Quotas container, described in section 6.1.1.4.3)

or ((the client is querying the quota for the security principal it is authenticated as)

and (DS-Query-Self-Quota control access right on the Quotas container))

msDS-QuotaUsed

(RIGHT_DS_READ_PROPERTY on the Quotas container, described in section 6.1.1.4.3)

or ((the client is querying the quota for the security principal it is authenticated as)

and (DS-Query-Self-Quota control access right on the Quotas container))

userPassword

When the fUserPwdSupport heuristic in the dSHeuristics attribute (see section 6.1.1.2.4.1.2) is FALSE, the requester MUST be granted RIGHT_DS_READ_PROPERTY. When fUserPwdSupport is TRUE, access is never granted.

pekList

Access is never granted

currentValue

Access is never granted

dBCSPwd

Access is never granted

unicodePwd

Access is never granted

ntPwdHistory

Access is never granted

priorValue

Access is never granted

supplementalCredentials

Access is never granted

trustAuthIncoming

Access is never granted

trustAuthOutgoing

Access is never granted

lmPwdHistory

Access is never granted

initialAuthIncoming

Access is never granted

initialAuthOutgoing

Access is never granted

msDS-ExecuteScriptPassword

Access is never granted

Attribute whose attributeSchema has CF (fCONFIDENTIAL, 0x0x00000080) set in searchFlags.

(RIGHT_DS_READ_PROPERTY)

and (RIGHT_DS_CONTROL_ACCESS)

sDRightsEffective

See section 3.1.1.4.5.4

allowedChildClassesEffective

See section 3.1.1.4.5.5

allowedAttributesEffective

See section 3.1.1.4.5.7

msDS-Approx-Immed-Subordinates

See section 3.1.1.4.5.15

msDS-QuotaEffective

See section 3.1.1.4.5.22

msDS-ReplAttributeMetaData

msDS-ReplValueMetaData

The security context of the requester MUST be granted the following rights on the replPropertyMetaData attribute:

(RIGHT_DS_READ_PROPERTY)

or (DS-Replication-Manage-Topology by ON!nTSecurityDescriptor)

msDS-NCReplInboundNeighbors

The security context of the requester MUST be granted the following rights on repsFrom:

(RIGHT_DS_READ_PROPERTY)

or (DS-Replication-Manage-Topology)

or (DS-Replication-Monitor-Topology)

msDS-NCReplOutboundNeighbors

The security context of the requester MUST be granted the following rights on repsTo:

(RIGHT_DS_READ_PROPERTY)

or (DS-Replication-Manage-Topology)

or (DS-Replication-Monitor-Topology)

msDS-NCReplCursors

The security context of the requester MUST be granted the following rights on replUpToDateVector:

(RIGHT_DS_READ_PROPERTY)

or (DS-Replication-Manage-Topology)

or (DS-Replication-Monitor-Topology)

msDS-IsUserCachableAtRodc

 The security context of the requester MUST be granted the Read-Only-Replication-Secret-Synchronization control access right on the root of the default NC.

msDS-ManagedPassword

The security context of the requester MUST be granted the RIGHT_DS_READ_PROPERTY control access right on the security descriptor in the msDS-GroupMSAMembership attribute.

Attribute whose attributeSchema has SE (fPARTITIONSECRET, 0x0x00001000) set in searchFlags.

(RIGHT_DS_READ_PROPERTY) MUST be granted on the object, and the DS-Read-Partition-Secrets control access right MUST be granted on the object that is the root of the naming context to which the object belongs.