Active Roles 8.1.2 - Built-in Access Templates Reference Guide

To delegate more granular data management permissions for the resources stored in your Active Directory (AD) environment, use the Access Templates (ATs) in the Configuration > Access Templates > Active Directory > Advanced container of the Active Roles Console.

These ATs contain more granular data management tasks for computer objects, contacts, domains, groups, Organizational Units (OUs), printers, shared folders and users.

Table 2: Active Directory – Advanced data management Access Templates
Access Template	Description
Computer Objects – Create	Grants permission to create computer objects. NOTE: This AT provides no additional permissions.
Computer Objects – Delete	Grants permission to delete computer objects. NOTE: This AT provides no additional permissions.
Computer Objects – List	Grants permission to list computer objects. NOTE: This AT provides no additional permissions.
Computer Objects – Read/Write Account Restrictions	Grants permission to view or modify properties that set account restrictions for computer objects (that is, the User-Account-Restrictions property set of computer objects). For more information on the affected properties, see User-Account-Restrictions property set in the Microsoft Active Directory Schema documentation.
Computer Objects – Read/Write General Information	Grants permission to view or modify the following general information properties of computer objects: Computer name (pre-Windows 2000) DNS name Role Description Flags controlling password, lockout, and computer disable/enable behavior (that is, the User Account Control attribute)
Computer Objects – Read/Write Manager	Grants permission to view or modify the person assigned to the management of the computer resource (that is, the Managed By attribute of the computer). NOTE: This AT provides no additional permissions.
Computer Objects – Read/Write Personal Information	Grants permission to view or modify the personal information properties of computer objects (that is, the Personal-Information property set of computer objects). For more information on the affected properties, see Personal-Information property set in the Microsoft Active Directory Schema documentation.
Computer Objects – Read/Write Public Information	Grants permission to view or modify the public information properties of computer objects (that is, the Public-Information property set of computer objects). For more information on the affected properties, see Public-Information property set in the Microsoft Active Directory Schema documentation.
Computer Objects - Reset Computer Accounts	Grants permission to reset computer accounts. NOTE: This AT provides no additional permissions.
Computer Objects - View BitLocker Recovery Keys	Grants the permission to search and view all properties of computer child objects that contain a Full Volume Encryption recovery password in their associated globally unique identifier (GUID). TIP: Use this AT to delegate the task of retrieving BitLocker recovery keys stored in AD.
Contacts – Create	Grants permission to create contact objects. NOTE: This AT provides no additional permissions.
Contacts – Delete	Grants permission to delete contact objects. NOTE: This AT provides no additional permissions.
Contacts – Read Group Membership	Grants permission to view the list of groups to which the contact object belongs. NOTE: This AT provides no additional permissions.
Contacts – Read/Write Organizational Information	Grants permission to view or modify the following organizational properties of the contact: Job title Department Company Employee ID Manager Office location
Contacts – Read/Write Personal Information	Grants permission to view or modify the personal information properties of contacts (that is, the Personal-Information property set of contacts). For more information on the affected properties, see Personal-Information property set in the Microsoft Active Directory Schema documentation.
Contacts – Read/Write Web Information	Grants permission to view or modify the web-related information properties of contacts (that is, the Web-Information property set of contacts). For more information on the affected properties, see Web-Information property set in the Microsoft Active Directory Schema documentation.
Contacts – Rename	Grants permission to rename contact objects. NOTE: This AT provides no additional permissions.
Domains – Change PDC	Grants permission to change the role owner of the Primary Domain Controller (PDC) Emulator. NOTE: This AT provides no additional permissions.
Domains – Delegate Control and Enforce Active Roles Server Policy	Grants permission to apply Active Roles ATs and Policy Objects to domain objects. NOTE: This AT provides no additional permissions.
Domains – Generate Resultant Set of Policy (Logging)	Grants permission to generate Group Policy Result data for the users and/or computers in a specific domain.
Domains – Generate Resultant Set of Policy (Planning)	Grants permission to generate Group Policy Modeling data for the users and/or computers in a specific domain. Administrators can use Group Policy modeling to troubleshoot Group Policy settings and testing GPOs before deploying them in a live environment.
Domains – List	Grants permission to list domain objects. NOTE: This AT provides no additional permissions.
Domains – Read/Write General Information	Grants permission to view or modify the following general information properties of domain objects: Domain name (pre-Windows 2000) Description
Domains – Read/Write Manager	Grants permission to view or modify the person assigned to the management of a domain (that is, the Managed By attribute of the domain). NOTE: This AT provides no additional permissions.
Domains – Read/Write Other Domain Parameters	Grants permission to view or modify properties permitting control to a list of domain attributes (that is, the Domain-Other-Parameters property set of domains). For more information on the affected properties, see Domain-Other-Parameters property set in the Microsoft Active Directory Schema documentation.
Domains – Read/Write Password & Lockout Policies	Grants permission to view or modify lockout and password expiration related properties on the user accounts of a domain (that is, the Domain-Password property set of domains). For more information on the affected properties, see Domain-Password property set in the Microsoft Active Directory Schema documentation.
Group Policy Container – Apply Group Policy	Grants the extended right used by the Group Policy engine (that is, the Apply-Group-Policy extended right) to determine if a Group Policy Object (GPO) applies to a user and/or computer.
Groups – Add/Remove Self As Member	Grants permission to enable updating group membership via Self-Membership validated write (that is, allowing users to add or remove their own account from the group).
Groups – Copy	Grants permission to copy groups. NOTE: This AT provides no additional permissions.
Groups – Create	Grants permission to create groups. NOTE: This AT provides no additional permissions.
Groups – Delete	Grants permission to delete groups. NOTE: This AT provides no additional permissions.
Groups - Deprovision	Grants permission to deprovision groups. NOTE: This AT provides no additional permissions.
Groups – List	Grants permission to list groups. NOTE: This AT provides no additional permissions.
Groups – Manage Membership Rules	Grants permission to view or modify the criteria of rule-based group membership assignments within Active Roles. NOTE: This AT provides no additional permissions.
Groups – Read Group Membership	Grants permission to view the list of groups to which a specific group belongs. NOTE: This AT provides no additional permissions.
Groups – Read/Write E-mail Address	Grants permission to view or modify the list of email addresses for a group.
Groups – Read/Write General Information	Grants permission to view or modify the following general information properties of groups: Group name (pre-Windows 2000) Description E-mail Group scope Group type Notes
Groups – Read/Write Group Members	Grants permission to add or remove members to or from a group.
Groups – Read/Write Group Type and Scope	Grants permission to view or modify the type and scope settings of a group. NOTE: This AT provides no additional permissions.
Groups – Read/Write Manager	Grants permission to view or modify the person assigned to manage a specific group (that is, the Managed By attribute of the group).
Groups – Read/Write Phone and Mail Options	Grants permission to view or modify the email-related information properties of a group (that is, the Email-Information property set of group objects). For more information on the affected properties, see Email-Information property set in the Microsoft Active Directory Schema documentation.
Groups – Rename	Grants permission to rename groups. NOTE: This AT provides no additional permissions.
Groups - Undo Deprovision	Grants permission to restore (that is, perform the Undo Deprovision action) on groups. NOTE: This AT provides no additional permissions.
Groups - Undo Deprovision - Deny	Grants permission to deny the restoration of group objects (that is, performing the Undo Deprovision action on them).
Objects - Deny Deletion	Grants permission to deny the deletion and sub-tree deletion of a specific object. NOTE: This AT provides no additional permissions.
Objects - Deny Deletion of Child Objects	Grants permission to deny deleting all child objects from a specific AD container. NOTE: This AT provides no additional permissions.
OUs – Create	Grants permission to create Organizational Units (OUs). NOTE: This AT provides no additional permissions.
OUs – Delegate Control and Enforce Active Roles Server Policy	Grants permission to apply Active Roles ATs and Policy Objects to an OU. NOTE: This AT provides no additional permissions.
OUs – Delete	Grants permission to delete OUs. NOTE: This AT provides no additional permissions.
OUs – Generate Resultant Set of Policy (Logging)	Grants permission to generate Group Policy Results data for the users and computers within the specific OU.
OUs – Generate Resultant Set of Policy (Planning)	Grants permission to generate Group Policy Modeling data for the users and computers within the specific OU.
OUs – List	Grants permission to list OUs. NOTE: This AT provides no additional permissions.
OUs – Read/Write General Information	Grants permission to view or modify the following general information properties of OUs: Description Street City State/province Zip/Postal Code Country/region
OUs – Read/Write Manager	Grants permission to view or modify the person assigned to manage a specific OU (that is, the Managed By attribute of the OU).
OUs – Rename	Grants permission to rename OUs. NOTE: This AT provides no additional permissions.
Printer Objects – Create	Grants permission to create printer queue objects. NOTE: This AT provides no additional permissions.
Printer Objects – Delete	Grants permission to delete printer queue objects. NOTE: This AT provides no additional permissions.
Printer Objects – List	Grants permission to list printer queue objects. NOTE: This AT provides no additional permissions.
Printer Objects – Read/Write General Information	Grants permission to view or modify the following general information properties of printer queue objects: Location Model Description Color Staple Double-sided Printing speed Maximum resolution
Printer Objects – Read/Write Manager	Grants permission to view or modify the person assigned to manage a specific printer (that is, the Managed By attribute of the printer).
Printer Objects – Rename	Grants permission to rename printer queue objects. NOTE: This AT provides no additional permissions.
Shared Folders – Create	Grants permission to create shared folder objects. NOTE: This AT provides no additional permissions.
Shared Folders – Delete	Grants permission to delete shared folder objects. NOTE: This AT provides no additional permissions.
Shared Folders – List	Grants permission to list shared folder objects. NOTE: This AT provides no additional permissions.
Shared Folders – Read/Write General Information	Grants permission to view or modify the following general information properties of shared folders: Description UNC name
Shared Folders – Read/Write Manager	Grants permission to view or modify the person assigned to manage a specific shared folder (that is, the Managed By attribute of the shared folder).
Shared Folders – Rename	Grants permission to rename shared folder objects. NOTE: This AT provides no additional permissions.
Users - Assign/Remove Digital Certificates	Grants permission to assign or remove digital (X.509) certificates to or from AD users ( that is, read or write the userCertificate attribute of user objects).
Users - Change Password (Extended Right)	Grants permission to change the password of users (that is, grants the User-Change-Password extended right).
Users - Copy	Grants the permission to copy user objects. NOTE: This AT provides no additional permissions.
Users - Create	Grants permission to create user objects. NOTE: This AT provides no additional permissions.
Users - Delete	Grants permission to delete user objects. NOTE: This AT provides no additional permissions.
Users - Deprovision	Grants permission to deprovision user objects. NOTE: This AT provides no additional permissions.
Users - Enable/Disable Account	Grants permission to enable or disable user objects. NOTE: This AT provides no additional permissions.
Users - List	Grants permission to list user objects. NOTE: This AT provides no additional permissions.
Users - Read Group Membership	Grants permission to view the list of groups the selected user is a member of. NOTE: This AT provides no additional permissions.
Users - Read/Write Account Information	Grants permission to view or modify the following account information properties of user objects: User logon name User logon name (pre-Windows 2000) Logon Hours Last Logon Account is locked out Account options Account expires
Users - Read/Write Account Restrictions	Grants permission to view or modify the account restriction properties of user objects (that is, the User-Account-Restrictions property set of user objects). For more information on the affected properties, see User-Account-Restrictions property set in the Microsoft Active Directory Schema documentation.
Users - Read/Write Dial-In Properties	Grants permission to view or modify the following dial-in specific properties of user objects: Remote Access Permission (Dial-in or VPN) Verify Caller-ID Callback Options Assign a Static IP Address Apply Static Routes Settings
Users - Read/Write General Information	Grants permission to view or modify the general information properties of user objects (that is, the General-Information property set of user objects). For more information on the affected properties, see General-Information property set in the Microsoft Active Directory Schema documentation.
Users - Read/Write Logon Information	Grants permission to view or modify the logon information properties of user objects (that is, the User-Logon property set of user objects). For more information on the affected properties, see User-Logon property set in the Microsoft Active Directory Schema documentation.
Users - Read/Write Organizational Information	Grants permission to view or modify the following organization-related properties of user objects: Title Department Company Manager Direct reports Office (General tab)
Users - Read/Write Personal Information	Grants permission to view or modify the personal information properties of user objects (that is, the Personal-Information property set of user objects). For more information on the affected properties, see Personal-Information property set in the Microsoft Active Directory Schema documentation.
Users - Read/Write Phone and Mail Options	Grants permission to view or modify the email-related information properties of user objects (that is, the Email-Information property set of user objects). For more information on the affected properties, see Email-Information property set in the Microsoft Active Directory Schema documentation.
Users - Read/Write Profile Properties	Grants permission to view or modify the following profile-related properties of user objects: User profile Home folder
Users - Read/Write Public Information	Grants permission to view or modify the public information properties of user objects (that is, the Public-Information property set of user objects). For more information on the affected properties, see Public-Information property set in the Microsoft Active Directory Schema documentation.
Users - Read/Write Web Information	Grants permission to view or modify the web-related information properties of user objects (that is, the Web-Information property set of user objects). For more information on the affected properties, see Web-Information property set in the Microsoft Active Directory Schema documentation.
Users - Read/Write WTS Properties	Grants permission to view or modify the following user object properties describing Terminal Services-related information: Terminal Services user profile Terminal Services home folder Allow login to the terminal server Starting program Client devices Terminal Service timeout and reconnection settings
Users - Rename	Grants permission to rename user objects. NOTE: This AT provides no additional permissions.
Users - Reset Password (Extended Right)	Grants permission to reset the password of user objects (that is, grants the User-Reset-Password extended right). NOTE: This AT provides no additional permissions.
Users - Run Check Policy (Extended Right)	Grants permission to use the Check Policy action on user objects. NOTE: This AT provides no additional permissions.
Users - Undo Deprovision	Grants permission to restore user objects (that is, performing the Undo Deprovision action on them).
Users - Undo Deprovision - Deny	Grants permission to deny the restoration of user objects (that is, performing the Undo Deprovision action on them).
Users - Unlock Account	Grants permission to unlock user objects that get locked due to reaching the limit of failed login attempts set in your organization.
Users - View Change History (Extended Right)	Grants permission to use the Change History and User Activity actions on user objects.
Users - View Delegated Rights (Extended Right)	Grants permission to use the Delegated Rights action on user objects.
Users - View Digital Certificates	Grants permission to view the digital (X.509) certificates assigned to the AD user (that is, the permission to read the userCertificate attribute of user objects).
Users - View Entitlement Profile (Extended Right)	Grants permission to use the Entitlement Profile action on user objects to view the resources to which the selected user object is entitled.
Users - Write Password	Grants permission to set the password of user objects. NOTE: This AT provides no additional permissions.

Table 3: Active Directory – Best Practices for Delegating Active Directory Administration: DNS Admins Role Access Templates
Access Template	Description
DNS Admins - Microsoft DNS Management	Grants permission to perform management tasks on the Microsoft DNS servers within your organization. To delegate this AT, apply it on the following resources of your Active Directory tree in the Active Roles Console: <forest-root-domain> > ForestDnsZones > MicrosoftDNS <domain> > System > MicrosoftDNS <domain> > DomainDnsZones > MicrosoftDNS IMPORTANT: When configuring this AT, always select the Propagate permissions to Active Directory option in the Permissions Propagation step of the Delegation of Control Wizard. Figure 2: Delegation of Control Wizard – Permissions propagation For more information on how to configure ATs for resource objects in your organization with the Active Roles Console, see Applying Access Templates in the Active Roles Administration Guide.

To delegate domain configuration duties to operators within your organization, use the Access Templates (ATs) available under the Configuration > Access Templates > Active Directory > Best Practices for Delegating Active Directory Administration > Domain Configuration Operators Role container of the Active Roles Console.

Domain configuration operators typically perform the following duties in an Active Directory (AD) organization:

Create or remove replicas, that is, additional Domain Controllers (DC).
Designate or dismiss a DC as a global catalog.
Protect and manage the Organizational Unit (OU) of the default DC.
Protect and manage the content stored in the <domain> > System container.
Raise the domain functional level.
Rename DCs.
Restore the AD environment from backups.
Transfer or seize the Relative Identifier (RID) master role.
Transfer or seize the Primary Domain Controller (PDC) emulator master role.
Transfer or seize the infrastructure master role.

Table 4: Active Directory – Best Practices for Delegating Active Directory Administration: Domain Configuration Operators Role Access Templates
Access Template	Description
Domain Configuration Operators - Domain Controllers OU Management	Grants full permission to domain configuration, applied to all classes. To delegate this AT, select the trustee(s), then apply it to the Domain Controllers container of your AD environment: <domain> > Domain Controllers
Domain Configuration Operators - Domain Management	Grants the following permissions, applied to all classes: Add or remove replicas in the domain. Modify the infrastructure master. Modify the PDC. Write the fSMORoleOwner attribute. Write the msDS-Behavior-Version attribute. To delegate this AT, select the trustee(s), then apply it on the root domain of your AD environment.
Domain Configuration Operators - Full Control for "Creator Owner"	Grants full permission in a Creator Owner role, applied to all classes. To delegate this AT, select the trustee(s) you want to assign as Creator Owner(s), then apply the AT to the site configuration container: <forest-root-domain> > Configuration > Sites
Domain Configuration Operators - Full Control on Computer Object	Grants full permission to perform domain configuration tasks on all computer objects. To delegate this AT, select the trustee(s), then apply the AT on the computer object that will be promoted to Domain Controller (DC).
Domain Configuration Operators - Infrastructure Master Management	Grants the following permissions, applied to all classes: Write the fSMORoleOwner attribute. Modify the infrastructure master. To delegate this AT, select the trustee(s), then apply the AT to the AD infrastructure container: <domain> > Infrastructure
Domain Configuration Operators - Replication Management	Grants the following domain-level configuration permissions: Manage the replication topology, applied to all classes. Replicate directory changes, applied to all classes Monitor AD replication, applied to the Directory Management Domain (DMD). Replicate all directory changes, applied to the DMD. To delegate this AT, select the trustee(s), then apply the AT to the following AD containers: <domain> <forest-root-domain> > Configuration NOTE: You must apply the permissions that are specified by this AT to the AD configuration schemas too. These are located in the following container: <forest-root-domain> > Configuration > Schema To apply the permissions to the Schema container, use native AD management tools, such as ADSI Edit.
Domain Configuration Operators - RID Master Management	Grants the following permissions, applied to all classes: Modify the RID master. Write the fSMORoleOwner attribute. To delegate this AT, select the trustee(s), then apply the AT to the AD RID manager container: <domain> > System > RID Managers
Domain Configuration Operators - Server Object Creation	Grants permission to create all server child objects in the domain, applied to all classes. To delegate this AT, select the trustee(s), then apply the AT to the AD server configuration container: <forest-root-domain> > Configuration > Sites > <site> > Servers
Domain Configuration Operators - Site Objects - Read All Properties	Grants permission to read all site objects in the domain, applied to all classes. To delegate this AT, select the trustee(s), then apply the AT to the AD site configuration container: <forest-root-domain> > Configuration > Sites
Domain Configuration Operators - System Container Management	Grants full permission to manage the AD System container, applied to all classes. To delegate this AT, select the trustee(s), then apply the AT to the AD system container of your domain: <domain> > System

Active Roles 8.1.2 - Built-in Access Templates Reference Guide

Active Directory – Advanced ATs

Active Directory – Best Practices ATs

Active Directory – DNS Admins Role ATs

Active Directory – Domain Configuration Operators Role ATs

请选择您的产品：

为向您提供更好的服务，请填写'Purpose of your Chat'（联系目的）：

针对您的问题建议的解决方案

Active Roles 8.1.2 - Built-in Access Templates Reference Guide

Active Directory – Advanced ATs

Active Directory – Best Practices ATs

Active Directory – DNS Admins Role ATs

Active Directory – Domain Configuration Operators Role ATs