Chat now with support
Chat with Support

Active Roles 8.1.3 - Built-in Access Templates Reference Guide

Active Directory – Advanced ATs

To delegate more granular data management permissions for the resources stored in your Active Directory (AD) environment, use the Access Templates (ATs) in the Configuration > Access Templates > Active Directory > Advanced container of the Active Roles Console.

These ATs contain more granular data management tasks for computer objects, contacts, domains, groups, Organizational Units (OUs), printers, shared folders and users.

Table 2: Active Directory – Advanced data management Access Templates

Access Template

Description

Computer Objects – Create

Grants permission to create computer objects.

NOTE: This AT provides no additional permissions.

Computer Objects – Delete

Grants permission to delete computer objects.

NOTE: This AT provides no additional permissions.

Computer Objects – List

Grants permission to list computer objects.

NOTE: This AT provides no additional permissions.

Computer Objects – Read/Write Account Restrictions

Grants permission to view or modify properties that set account restrictions for computer objects (that is, the User-Account-Restrictions property set of computer objects).

For more information on the affected properties, see User-Account-Restrictions property set in the Microsoft Active Directory Schema documentation.

Computer Objects – Read/Write General Information

Grants permission to view or modify the following general information properties of computer objects:

  • Computer name (pre-Windows 2000)
  • DNS name
  • Role
  • Description
  • Flags controlling password, lockout, and computer disable/enable behavior (that is, the User Account Control attribute)

Computer Objects – Read/Write Manager

Grants permission to view or modify the person assigned to the management of the computer resource (that is, the Managed By attribute of the computer).

NOTE: This AT provides no additional permissions.

Computer Objects – Read/Write Personal Information

Grants permission to view or modify the personal information properties of computer objects (that is, the Personal-Information property set of computer objects).

For more information on the affected properties, see Personal-Information property set in the Microsoft Active Directory Schema documentation.

Computer Objects – Read/Write Public Information

Grants permission to view or modify the public information properties of computer objects (that is, the Public-Information property set of computer objects).

For more information on the affected properties, see Public-Information property set in the Microsoft Active Directory Schema documentation.

Computer Objects - Reset Computer Accounts

Grants permission to reset computer accounts.

NOTE: This AT provides no additional permissions.

Computer Objects - View BitLocker Recovery Keys

Grants the permission to search and view all properties of computer child objects that contain a Full Volume Encryption recovery password in their associated globally unique identifier (GUID).

TIP: Use this AT to delegate the task of retrieving BitLocker recovery keys stored in AD.

Contacts – Create

Grants permission to create contact objects.

NOTE: This AT provides no additional permissions.

Contacts – Delete

Grants permission to delete contact objects.

NOTE: This AT provides no additional permissions.

Contacts – Read Group Membership

Grants permission to view the list of groups to which the contact object belongs.

NOTE: This AT provides no additional permissions.

Contacts – Read/Write Organizational Information

Grants permission to view or modify the following organizational properties of the contact:

  • Job title
  • Department
  • Company
  • Employee ID
  • Manager
  • Office location

Contacts – Read/Write Personal Information

Grants permission to view or modify the personal information properties of contacts (that is, the Personal-Information property set of contacts).

For more information on the affected properties, see Personal-Information property set in the Microsoft Active Directory Schema documentation.

Contacts – Read/Write Web Information

Grants permission to view or modify the web-related information properties of contacts (that is, the Web-Information property set of contacts).

For more information on the affected properties, see Web-Information property set in the Microsoft Active Directory Schema documentation.

Contacts – Rename

Grants permission to rename contact objects.

NOTE: This AT provides no additional permissions.

Domains – Change PDC

Grants permission to change the role owner of the Primary Domain Controller (PDC) Emulator.

NOTE: This AT provides no additional permissions.

Domains – Delegate Control and Enforce Active Roles Server Policy

Grants permission to apply Active Roles ATs and Policy Objects to domain objects.

NOTE: This AT provides no additional permissions.

Domains – Generate Resultant Set of Policy (Logging)

Grants permission to generate Group Policy Result data for the users and/or computers in a specific domain.

Domains – Generate Resultant Set of Policy (Planning)

Grants permission to generate Group Policy Modeling data for the users and/or computers in a specific domain. Administrators can use Group Policy modeling to troubleshoot Group Policy settings and testing GPOs before deploying them in a live environment.

Domains – List

Grants permission to list domain objects.

NOTE: This AT provides no additional permissions.

Domains – Read/Write General Information

Grants permission to view or modify the following general information properties of domain objects:

  • Domain name (pre-Windows 2000)
  • Description

Domains – Read/Write Manager

Grants permission to view or modify the person assigned to the management of a domain (that is, the Managed By attribute of the domain).

NOTE: This AT provides no additional permissions.

Domains – Read/Write Other Domain Parameters

Grants permission to view or modify properties permitting control to a list of domain attributes (that is, the Domain-Other-Parameters property set of domains).

For more information on the affected properties, see Domain-Other-Parameters property set in the Microsoft Active Directory Schema documentation.

Domains – Read/Write Password & Lockout Policies

Grants permission to view or modify lockout and password expiration related properties on the user accounts of a domain (that is, the Domain-Password property set of domains).

For more information on the affected properties, see Domain-Password property set in the Microsoft Active Directory Schema documentation.

Group Policy Container – Apply Group Policy

Grants the extended right used by the Group Policy engine (that is, the Apply-Group-Policy extended right) to determine if a Group Policy Object (GPO) applies to a user and/or computer.

Groups – Add/Remove Self As Member

Grants permission to enable updating group membership via Self-Membership validated write (that is, allowing users to add or remove their own account from the group).

Groups – Copy

Grants permission to copy groups.

NOTE: This AT provides no additional permissions.

Groups – Create

Grants permission to create groups.

NOTE: This AT provides no additional permissions.

Groups – Delete

Grants permission to delete groups.

NOTE: This AT provides no additional permissions.

Groups - Deprovision

Grants permission to deprovision groups.

NOTE: This AT provides no additional permissions.

Groups – List

Grants permission to list groups.

NOTE: This AT provides no additional permissions.

Groups – Manage Membership Rules

Grants permission to view or modify the criteria of rule-based group membership assignments within Active Roles.

NOTE: This AT provides no additional permissions.

Groups – Read Group Membership

Grants permission to view the list of groups to which a specific group belongs.

NOTE: This AT provides no additional permissions.

Groups – Read/Write E-mail Address

Grants permission to view or modify the list of email addresses for a group.

Groups – Read/Write General Information

Grants permission to view or modify the following general information properties of groups:

  • Group name (pre-Windows 2000)
  • Description
  • E-mail
  • Group scope
  • Group type
  • Notes

Groups – Read/Write Group Members

Grants permission to add or remove members to or from a group.

Groups – Read/Write Group Type and Scope

Grants permission to view or modify the type and scope settings of a group.

NOTE: This AT provides no additional permissions.

Groups – Read/Write Manager

Grants permission to view or modify the person assigned to manage a specific group (that is, the Managed By attribute of the group).

Groups – Read/Write Phone and Mail Options

Grants permission to view or modify the email-related information properties of a group (that is, the Email-Information property set of group objects).

For more information on the affected properties, see Email-Information property set in the Microsoft Active Directory Schema documentation.

Groups – Rename

Grants permission to rename groups.

NOTE: This AT provides no additional permissions.

Groups - Undo Deprovision

Grants permission to restore (that is, perform the Undo Deprovision action) on groups.

NOTE: This AT provides no additional permissions.

Groups - Undo Deprovision - Deny

Grants permission to deny the restoration of group objects (that is, performing the Undo Deprovision action on them).

Objects - Deny Deletion

Grants permission to deny the deletion and sub-tree deletion of a specific object.

NOTE: This AT provides no additional permissions.

Objects - Deny Deletion of Child Objects

Grants permission to deny deleting all child objects from a specific AD container.

NOTE: This AT provides no additional permissions.

OUs – Create

Grants permission to create Organizational Units (OUs).

NOTE: This AT provides no additional permissions.

OUs – Delegate Control and Enforce Active Roles Server Policy

Grants permission to apply Active Roles ATs and Policy Objects to an OU.

NOTE: This AT provides no additional permissions.

OUs – Delete

Grants permission to delete OUs.

NOTE: This AT provides no additional permissions.

OUs – Generate Resultant Set of Policy (Logging)

Grants permission to generate Group Policy Results data for the users and computers within the specific OU.

OUs – Generate Resultant Set of Policy (Planning)

Grants permission to generate Group Policy Modeling data for the users and computers within the specific OU.

OUs – List

Grants permission to list OUs.

NOTE: This AT provides no additional permissions.

OUs – Read/Write General Information

Grants permission to view or modify the following general information properties of OUs:

  • Description
  • Street
  • City
  • State/province
  • Zip/Postal Code
  • Country/region

OUs – Read/Write Manager

Grants permission to view or modify the person assigned to manage a specific OU (that is, the Managed By attribute of the OU).

OUs – Rename

Grants permission to rename OUs.

NOTE: This AT provides no additional permissions.

Printer Objects – Create

Grants permission to create printer queue objects.

NOTE: This AT provides no additional permissions.

Printer Objects – Delete

Grants permission to delete printer queue objects.

NOTE: This AT provides no additional permissions.

Printer Objects – List

Grants permission to list printer queue objects.

NOTE: This AT provides no additional permissions.

Printer Objects – Read/Write General Information

Grants permission to view or modify the following general information properties of printer queue objects:

  • Location
  • Model
  • Description
  • Color
  • Staple
  • Double-sided
  • Printing speed
  • Maximum resolution

Printer Objects – Read/Write Manager

Grants permission to view or modify the person assigned to manage a specific printer (that is, the Managed By attribute of the printer).

Printer Objects – Rename

Grants permission to rename printer queue objects.

NOTE: This AT provides no additional permissions.

Shared Folders – Create

Grants permission to create shared folder objects.

NOTE: This AT provides no additional permissions.

Shared Folders – Delete

Grants permission to delete shared folder objects.

NOTE: This AT provides no additional permissions.

Shared Folders – List

Grants permission to list shared folder objects.

NOTE: This AT provides no additional permissions.

Shared Folders – Read/Write General Information

Grants permission to view or modify the following general information properties of shared folders:

  • Description
  • UNC name

Shared Folders – Read/Write Manager

Grants permission to view or modify the person assigned to manage a specific shared folder (that is, the Managed By attribute of the shared folder).

Shared Folders – Rename

Grants permission to rename shared folder objects.

NOTE: This AT provides no additional permissions.

Users - Assign/Remove Digital Certificates

Grants permission to assign or remove digital (X.509) certificates to or from AD users ( that is, read or write the userCertificate attribute of user objects).

Users - Change Password (Extended Right)

Grants permission to change the password of users (that is, grants the User-Change-Password extended right).

Users - Copy

Grants the permission to copy user objects.

NOTE: This AT provides no additional permissions.

Users - Create

Grants permission to create user objects.

NOTE: This AT provides no additional permissions.

Users - Delete

Grants permission to delete user objects.

NOTE: This AT provides no additional permissions.

Users - Deprovision

Grants permission to deprovision user objects.

NOTE: This AT provides no additional permissions.

Users - Enable/Disable Account

Grants permission to enable or disable user objects.

NOTE: This AT provides no additional permissions.

Users - List

Grants permission to list user objects.

NOTE: This AT provides no additional permissions.

Users - Read Group Membership

Grants permission to view the list of groups the selected user is a member of.

NOTE: This AT provides no additional permissions.

Users - Read/Write Account Information

Grants permission to view or modify the following account information properties of user objects:

  • User logon name
  • User logon name (pre-Windows 2000)
  • Logon Hours
  • Last Logon
  • Account is locked out
  • Account options
  • Account expires

Users - Read/Write Account Restrictions

Grants permission to view or modify the account restriction properties of user objects (that is, the User-Account-Restrictions property set of user objects).

For more information on the affected properties, see User-Account-Restrictions property set in the Microsoft Active Directory Schema documentation.

Users - Read/Write Dial-In Properties

Grants permission to view or modify the following dial-in specific properties of user objects:

  • Remote Access Permission (Dial-in or VPN)
  • Verify Caller-ID
  • Callback Options
  • Assign a Static IP Address
  • Apply Static Routes Settings

Users - Read/Write General Information

Grants permission to view or modify the general information properties of user objects (that is, the General-Information property set of user objects).

For more information on the affected properties, see General-Information property set in the Microsoft Active Directory Schema documentation.

Users - Read/Write Logon Information

Grants permission to view or modify the logon information properties of user objects (that is, the User-Logon property set of user objects).

For more information on the affected properties, see User-Logon property set in the Microsoft Active Directory Schema documentation.

Users - Read/Write Organizational Information

Grants permission to view or modify the following organization-related properties of user objects:

  • Title
  • Department
  • Company
  • Manager
  • Direct reports
  • Office (General tab)

Users - Read/Write Personal Information

Grants permission to view or modify the personal information properties of user objects (that is, the Personal-Information property set of user objects).

For more information on the affected properties, see Personal-Information property set in the Microsoft Active Directory Schema documentation.

Users - Read/Write Phone and Mail Options

Grants permission to view or modify the email-related information properties of user objects (that is, the Email-Information property set of user objects).

For more information on the affected properties, see Email-Information property set in the Microsoft Active Directory Schema documentation.

Users - Read/Write Profile Properties

Grants permission to view or modify the following profile-related properties of user objects:

  • User profile
  • Home folder

Users - Read/Write Public Information

Grants permission to view or modify the public information properties of user objects (that is, the Public-Information property set of user objects).

For more information on the affected properties, see Public-Information property set in the Microsoft Active Directory Schema documentation.

Users - Read/Write Web Information

Grants permission to view or modify the web-related information properties of user objects (that is, the Web-Information property set of user objects).

For more information on the affected properties, see Web-Information property set in the Microsoft Active Directory Schema documentation.

Users - Read/Write WTS Properties

Grants permission to view or modify the following user object properties describing Terminal Services-related information:

  • Terminal Services user profile
  • Terminal Services home folder
  • Allow login to the terminal server
  • Starting program
  • Client devices
  • Terminal Service timeout and reconnection settings

Users - Rename

Grants permission to rename user objects.

NOTE: This AT provides no additional permissions.

Users - Reset Password (Extended Right)

Grants permission to reset the password of user objects (that is, grants the User-Reset-Password extended right).

NOTE: This AT provides no additional permissions.

Users - Run Check Policy (Extended Right)

Grants permission to use the Check Policy action on user objects.

NOTE: This AT provides no additional permissions.

Users - Undo Deprovision

Grants permission to restore user objects (that is, performing the Undo Deprovision action on them).

Users - Undo Deprovision - Deny

Grants permission to deny the restoration of user objects (that is, performing the Undo Deprovision action on them).

Users - Unlock Account

Grants permission to unlock user objects that get locked due to reaching the limit of failed login attempts set in your organization.

Users - View Change History (Extended Right)

Grants permission to use the Change History and User Activity actions on user objects.

Users - View Delegated Rights (Extended Right)

Grants permission to use the Delegated Rights action on user objects.

Users - View Digital Certificates

Grants permission to view the digital (X.509) certificates assigned to the AD user (that is, the permission to read the userCertificate attribute of user objects).

Users - View Entitlement Profile (Extended Right)

Grants permission to use the Entitlement Profile action on user objects to view the resources to which the selected user object is entitled.

Users - Write Password

Grants permission to set the password of user objects.

NOTE: This AT provides no additional permissions.

Active Directory – Best Practices ATs

To delegate permissions for performing the most typical service management roles in your Active Directory environment, use the Access Templates (ATs) in the Configuration > Access Templates > Active Directory > Best Practices for Delegating Active Directory Administration container of the Active Roles Console.

The ATs that are available in this container are grouped into additional sub-containers, in accordance with the operator, administrator or manager roles that they are recommended to be used with.

  • For more information about these best practices, their security sensitivity and impact, see the Microsoft Windows Server documentation.

  • For more information on how to configure these ATs within the Active Roles Console, see the Description of the applicable AT.

Active Directory – DNS Admins Role ATs

To delegate Microsoft Domain Name Server (DNS) management duties to administrators within your organization, use the Access Templates (ATs) available under the Configuration > Access Templates > Active Directory > Best Practices for Delegating Active Directory Administration > DNS Admins Role container of the Active Roles Console.

Table 3: Active Directory – Best Practices for Delegating Active Directory Administration: DNS Admins Role Access Templates

Access Template

Description

DNS Admins - Microsoft DNS Management

Grants permission to perform management tasks on the Microsoft DNS servers within your organization.

To delegate this AT, apply it on the following resources of your Active Directory tree in the Active Roles Console:

  1. <forest-root-domain> > ForestDnsZones > MicrosoftDNS

  2. <domain> > System > MicrosoftDNS

  3. <domain> > DomainDnsZones > MicrosoftDNS

IMPORTANT: When configuring this AT, always select the Propagate permissions to Active Directory option in the Permissions Propagation step of the Delegation of Control Wizard.

Figure 2: Delegation of Control Wizard – Permissions propagation

For more information on how to configure ATs for resource objects in your organization with the Active Roles Console, see Applying Access Templates in the Active Roles Administration Guide.

Active Directory – Domain Configuration Operators Role ATs

To delegate domain configuration duties to operators within your organization, use the Access Templates (ATs) available under the Configuration > Access Templates > Active Directory > Best Practices for Delegating Active Directory Administration > Domain Configuration Operators Role container of the Active Roles Console.

Domain configuration operators typically perform the following duties in an Active Directory (AD) organization:

  • Create or remove replicas, that is, additional Domain Controllers (DC).

  • Designate or dismiss a DC as a global catalog.

  • Protect and manage the Organizational Unit (OU) of the default DC.

  • Protect and manage the content stored in the <domain> > System container.

  • Raise the domain functional level.

  • Rename DCs.

  • Restore the AD environment from backups.

  • Transfer or seize the Relative Identifier (RID) master role.

  • Transfer or seize the Primary Domain Controller (PDC) emulator master role.

  • Transfer or seize the infrastructure master role.

Table 4: Active Directory – Best Practices for Delegating Active Directory Administration: Domain Configuration Operators Role Access Templates

Access Template

Description

Domain Configuration Operators - Domain Controllers OU Management

Grants full permission to domain configuration, applied to all classes.

To delegate this AT, select the trustee(s), then apply it to the Domain Controllers container of your AD environment:

<domain> > Domain Controllers

Domain Configuration Operators - Domain Management

Grants the following permissions, applied to all classes:

  • Add or remove replicas in the domain.

  • Modify the infrastructure master.

  • Modify the PDC.

  • Write the fSMORoleOwner attribute.

  • Write the msDS-Behavior-Version attribute.

To delegate this AT, select the trustee(s), then apply it on the root domain of your AD environment.

Domain Configuration Operators - Full Control for "Creator Owner"

Grants full permission in a Creator Owner role, applied to all classes.

To delegate this AT, select the trustee(s) you want to assign as Creator Owner(s), then apply the AT to the site configuration container:

<forest-root-domain> > Configuration > Sites

Domain Configuration Operators - Full Control on Computer Object

Grants full permission to perform domain configuration tasks on all computer objects.

To delegate this AT, select the trustee(s), then apply the AT on the computer object that will be promoted to Domain Controller (DC).

Domain Configuration Operators - Infrastructure Master Management

Grants the following permissions, applied to all classes:

  • Write the fSMORoleOwner attribute.

  • Modify the infrastructure master.

To delegate this AT, select the trustee(s), then apply the AT to the AD infrastructure container:

<domain> > Infrastructure

Domain Configuration Operators - Replication Management

Grants the following domain-level configuration permissions:

  • Manage the replication topology, applied to all classes.
  • Replicate directory changes, applied to all classes
  • Monitor AD replication, applied to the Directory Management Domain (DMD).
  • Replicate all directory changes, applied to the DMD.

To delegate this AT, select the trustee(s), then apply the AT to the following AD containers:

  • <domain>

  • <forest-root-domain> > Configuration

NOTE: You must apply the permissions that are specified by this AT to the AD configuration schemas too. These are located in the following container:

<forest-root-domain> > Configuration > Schema

To apply the permissions to the Schema container, use native AD management tools, such as ADSI Edit.

Domain Configuration Operators - RID Master Management

Grants the following permissions, applied to all classes:

  • Modify the RID master.

  • Write the fSMORoleOwner attribute.

To delegate this AT, select the trustee(s), then apply the AT to the AD RID manager container:

<domain> > System > RID Managers

Domain Configuration Operators - Server Object Creation

Grants permission to create all server child objects in the domain, applied to all classes.

To delegate this AT, select the trustee(s), then apply the AT to the AD server configuration container:

<forest-root-domain> > Configuration > Sites > <site> > Servers

Domain Configuration Operators - Site Objects - Read All Properties

Grants permission to read all site objects in the domain, applied to all classes.

To delegate this AT, select the trustee(s), then apply the AT to the AD site configuration container:

<forest-root-domain> > Configuration > Sites

Domain Configuration Operators - System Container Management

Grants full permission to manage the AD System container, applied to all classes.

To delegate this AT, select the trustee(s), then apply the AT to the AD system container of your domain:

<domain> > System

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating