You can use the Access Templates in this category to delegate management tasks on the content stored in Active Directory. Data management tasks include, but are not limited to, managing user objects (users), computer objects (computers), and groups.
| Access Template | Description |
| --- | --- |
| All Objects - Full Control | Perform any administrative operation on any object in Active Directory. This Access Template allows data owners to delegate control of Active Directory objects to data administrators who are responsible for carrying out all tasks required to manage the Active Directory contents. |
| All Objects - Read All Properties | List directory objects; view all properties of any object in Active Directory. |
| All Objects - View or Restore Deleted Objects | Apply this template to a container to allow viewing and restoring Active Directory objects that were deleted from that container. |
| Claim Types - Full Control | Create new claim types; perform all administrative operations on existing claim types. Claim types determine the claims issued for an Active Directory security principal when it authenticates, and are used to define permissions when authoring claim-based access rules. |
| Claim Types - Modify All Properties | View or change all claim type properties. |
| Claim Types - Read All Properties | List claim types; view all claim type properties. |
| Computers - Create Computer Accounts | Create new computer accounts; view all properties of computer accounts. |
| Computers - Full Control | Create new computer accounts; perform all administrative tasks on existing computer accounts. |
| Computers - Modify All Properties | View or change all properties of computer accounts. |
| Computers - Move Computer Accounts | Move computer accounts; view all properties of computer accounts. |
| Computers - Read All Properties | List computer accounts; view all properties of computer accounts. |
| Computer - Reset Computer Accounts | Reset computer accounts; view all properties of computer accounts. |
| Contacts - Create Contacts | Create new contacts; view all properties of contacts. |
| Contacts - Full Control | Create new contacts; perform all administrative operations on existing contacts. |
| Contacts - Modify All Properties | View and modify all properties of contacts. |
| Contacts - Modify Picture | View or change the image of the contact (the thumbnailPhoto attribute of the contact object); view all properties of the contact object in the directory. |
| Contacts - Read All Properties | List contacts; view all properties of contacts. |
| Domains - Read All Properties | List domain objects; view all properties of domain objects. |
| gMSA - Full Control | Create new group Managed Service Accounts; perform all administrative operations on existing group Managed Service Accounts. |
| gMSA - Modify All Properties | View or change all properties of group Managed Service Accounts. |
| gMSA - Modify Membership Policy | View or change the list of computers and computer groups allowed to use a given group Managed Service Account. |
| gMSA - Read All Properties | List group Managed Service Accounts; view all properties of group Managed Service Accounts. |
| Groups - Add/Remove Members | View and modify lists of group members. |
| Groups - Create Groups | Create new groups; view all properties of groups. |
| Groups - Full Control | Create new groups; perform all administrative operations on existing groups. |
| Groups - Manage Dynamic Groups | Configure rules-based management of group membership lists; view all properties of groups; list groups in containers; list containers. |
| Groups - Modify All Properties | View and modify all properties of groups. |
| Groups - Modify Picture | View or change the image of the group (the thumbnailPhoto attribute of the group object); view all properties of the group object in the directory. |
| Groups - Perform Deprovision Tasks | Deprovision groups; view all properties of groups. This template is intended to delegate the use of the Deprovision command on groups without requiring the delegation of the create/delete operation. |
| Groups - Perform Undo Deprovision Tasks | Restore (un-deprovision) groups; view all properties of groups. This template is intended to delegate the use of the Undo Deprovisioning command on groups. |
| Groups - Read All Properties | List groups; view all properties of groups. |
| OUs - Create OUs | Create new Organizational Units; view all properties of Organizational Units. |
| OUs - Full Control | Create new Organizational Units; perform all administrative operations on existing Organizational Units. |
| OUs - Modify All Properties | View and modify all properties of Organizational Units. |
| OUs - Read All Properties | List Organizational Units; view all properties of Organizational Units. |
| Printers - Full Control | Create new printer queue objects; perform all administrative operations on existing printer queue objects. |
| Printers - Modify All Properties | View and modify all properties of printer queue objects. |
| Printers - Read All Properties | List printer queue objects; view all properties of printer queue objects. |
| Shared Folders - Full Control | Create new shared folder objects; perform all administrative operations on existing shared folder objects. |
| Shared Folders - Modify All Attributes | View and modify all properties of shared folder objects. |
| Shared Folders - Read All Properties | List shared folder objects; view all properties of shared folder objects. |
| Users - Create User Accounts | Create new user accounts; view all properties of user accounts. |
| Users - Delete User Accounts | Delete user accounts; view all properties of user accounts. |
| Users - Perform Deprovision Tasks | Deprovision user accounts and other user-related resources; view all properties of user accounts. This template is intended to delegate the use of the Deprovision command on user accounts without requiring the delegation of the create/delete operation. |
| Users - Perform Undo Deprovision Tasks | Restore (un-deprovision) user accounts; view all properties of user accounts. This template is intended to delegate the use of the Undo Deprovisioning command on user accounts. |
| Users - Full Control | Create new user accounts; perform all administrative operations on existing user accounts. |
| Users - Help Desk | Reset user passwords, unlock user accounts, assign or remove digital (X.509) certificates from user accounts, and view all properties of user accounts. Recommended for implementing Help Desk delegation: data owners can use this Access Template to delegate day-to-day operations to the Help Desk service. |
| Users - Modify All Properties | View and modify all properties of user accounts. |
| Users - Modify Personal Data | Manage a basic set of HR-related properties in user accounts. |
| Users - Modify Picture | View or change the image of the user (the thumbnailPhoto attribute of the user account); view all properties of the user account in the directory. |
| Users - Move User Accounts | Move user accounts; view all properties of user accounts. |
| Users - Pager & Cell Phone Numbers | View and modify mobile phone and pager numbers in user accounts; view all properties of user accounts. |
| Users - Phone Number & Address | Modify the address settings and telephone numbers in user accounts; view all properties of user accounts. |
| Users - Read All Properties | List user accounts; view all properties of user accounts. |
| Users and Groups - Basic Management | List groups and user accounts; add them to or remove them from groups; reset user passwords; view and modify logon-related properties of user accounts. |
| Access Template | Description |
| --- | --- |
| Computer Objects - Create | Create computer objects; no other permissions are included. |
| Computer Objects - Delete | Delete computer objects; no other permissions are included. |
| Computer Objects - List | List computer objects; no other permissions are included. |
| Computer Objects - Read/Write Account Restrictions | View and modify properties that describe account restrictions for computer objects (User-Account-Restrictions property set); no other permissions are included. Property set members: see "User-Account-Restrictions Property Set" at http://msdn.microsoft.com/en-us/library/ms684412.aspx |
| Computer Objects - Read/Write General Information | View and modify properties that constitute general information for computer objects: No other permissions are included. |
| Computer Objects - Read/Write Manager | View and modify which person is assigned to manage a computer (Managed-By attribute); no other permissions are included. |
| Computer Objects - Read/Write Personal Information | View and modify properties that describe personal information for computer objects (Personal-Information property set); no other permissions are included. Property set members: see "Personal-Information Property Set" at http://msdn.microsoft.com/en-us/library/ms684394.aspx |
| Computer Objects - Read/Write Public Information | View and modify properties that describe public information for computer objects (Public-Information property set); no other permissions are included. Property set members: see "Public-Information Property Set" at http://msdn.microsoft.com/en-us/library/ms684396.aspx |
| Computer Objects - Reset Computer Account | Reset computer accounts; no other permissions are included. |
| Computer Objects - View BitLocker Recovery Keys | Search for, and view all properties of, the child objects of computer objects that each store a Full Volume Encryption recovery password and its associated GUID. Use this template to delegate the task of retrieving BitLocker recovery keys that are stored in Active Directory. |
| Access Template | Description |
| --- | --- |
| Contacts - Create | Create contact objects; no other permissions are included. |
| Contacts - Delete | Delete contact objects; no other permissions are included. |
| Contacts - Read Group Membership | View the list of groups to which a contact object belongs; no other permissions are included. |
| Contacts - Read/Write Organizational Information | View and modify properties that describe organizational information for contact objects: No other permissions are included. |
| Contacts - Read/Write Personal Information | View and modify properties that describe personal information for contact objects (Personal-Information property set); no other permissions are included. Property set members: see "Personal-Information Property Set" at http://msdn.microsoft.com/en-us/library/ms684394.aspx |
| Contacts - Read/Write Web Information | View and modify properties that describe Web-related information for contact objects (Web-Information property set); no other permissions are included. Property set members: see "Web-Information Property Set" at http://msdn.microsoft.com/en-us/library/ms684418.aspx |
| Contacts - Rename | Rename contact objects; no other permissions are included. |
| Access Template | Description |
| --- | --- |
| Domains - Change PDC | Change the PDC emulator role owner; no other permissions are included. |
| Domains - Delegate Control and Enforce Active Roles Policy | Apply Active Roles Access Templates and Policy Objects to a domain object; no other permissions are included. |
| Domains - Generate Resultant Set of Policy (Logging) | Generate Group Policy Results data for the users and computers within a given domain; no other permissions are included. |
| Domains - Generate Resultant Set of Policy (Planning) | Generate Group Policy Modeling data for the users and computers within a given domain; no other permissions are included. |
| Domains - List | List domain objects; no other permissions are included. |
| Domains - Read/Write General Information | View and modify properties that constitute general information for domain objects: No other permissions are included. |
| Domains - Read/Write Manager | View and modify which person is assigned to manage a domain (Managed-By attribute); no other permissions are included. |
| Domains - Read/Write Other Domain Parameters | View and modify the domain attributes grouped in the Domain-Other-Parameters property set; no other permissions are included. Property set members: see "Domain-Other-Parameters Property Set" at http://msdn.microsoft.com/en-us/library/ms684338.aspx |
| Domains - Read/Write Password & Lockout Policies | View and modify the lockout-related and password-age-related properties of the domain that apply to its user accounts (Domain-Password property set); no other permissions are included. Property set members: see "Domain-Password Property Set" at http://msdn.microsoft.com/en-us/library/ms684341.aspx |
© 2021 One Identity LLC. All rights reserved.