Description of Attributes ACLs Assigned to Accounts

The following lists are the ACLs applied to each delegated OU in the Accounts OU for each delegated administrative group. The effective rights of a delegated group are the permissions granted minus the permissions that are denied.

Grant to this object and all child objects

Permission            ACL Editor Name                Description
--------------------  -----------------------------  ----------------------------------
Create/Delete Child   groupPolicyContainer Objects   Create/Delete Group Policy Objects
Read/Write Property   gPLink                         Read/Write GP Links
Read/Write Property   gPOptions                      Read/Write GP Options

Grant to all user objects

Permission             ACL Editor Name   Description
---------------------  ----------------  --------------------------------------
List Contents
Read All Properties
Write All Properties
Read Permissions
All Validated Rights
All Extended Rights                      Includes password change/reset, etc.

Deny to all user objects

Permission      LDAP Property Name (ACL Editor Name)        User GUI Tab   Description
--------------  ------------------------------------------  -------------  ------------------------------------------------------------------------
Write Property  displayName *                               General        Display name
Write Property  userPrincipalName (Logon Name)              Account        User logon name
Write Property  sAMAccountName (Logon Name (pre-Win2000))   Account        User logon name (pre-Windows 2000)
Write Property  userAccountControl                          Account        Last 8 checkboxes in the Account options section, including "Account is disabled"
Write Property  accountExpires                              Account        Account expires
Write Property  userWorkstations                            Account        Logon Workstations
Write Property  logonHours                                  Account        Logon Hours
Write Property  homeDrive                                   Profile        Home drive
Write Property  homeDirectory                               Profile        Home directory
Write Property  scriptPath                                  Profile        Logon script
Write Property  cn                                          General        Name
Write Property  givenName                                   General        First name
Write Property  initials                                    General        Initials
Write Property  sn                                          General        Last name
Write Property  telephoneNumber                             General        Telephone number
Write Property  otherTelephone                              General        Telephone number (Other)
Write Property  Web Information                             General        Web page
Write Property  homePhone                                   Telephones     Home phone
Write Property  otherHomePhone                              Telephones     Home phone (Other)
Write Property  pager                                       Telephones     Pager
Write Property  otherPager                                  Telephones     Pager (Other)
Write Property  facsimileTelephoneNumber                    Telephones     Fax
Write Property  otherFacsimileTelephoneNumber               Telephones     Fax (Other)
Write Property  company                                     Organization   Company
Write Property  department                                  Organization   Department
Write Property  title                                       Organization   Title
Write Property  altSecurityIdentities                       not in GUI     Kerberos mapping
Write Property  umichadHidePersonalInfo                     not in GUI     Umich attributes
Write Property  umichadNoBatchUpdates                       not in GUI     Umich attributes
Write Property  umichadOU                                   not in GUI     Umich attributes
Write Property  umichadRole                                 not in GUI     Umich attributes
Write Property  umichadUMDirToADSyncFlag                    not in GUI     Umich attributes

* Note: displayName is needed to reattach existing mailboxes. We allow writes to this property for current LSA OUs only.
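Because the effective rights are "granted minus denied", a missing deny ACE silently turns the blanket "Write All Properties" grant into write access on that attribute. The following PowerShell script is an added example (not part of the original page) that reads the ACL of one delegated OU and compares the Write Property denies actually present for the delegated group against the standard-schema attributes in the deny table above. It assumes the RSAT ActiveDirectory module, placeholder values for the OU DN and group name, and that the denies are inherit-only ACEs scoped to the "user" object class.

```powershell
# Added example, not the page's own code: audit one delegated OU's deny ACEs for a delegated group.
# Assumptions: RSAT ActiveDirectory module is installed; $ouDN and $adminGroup are placeholders;
# the deny ACEs are inherit-only ACEs whose InheritedObjectType is the "user" class.
Import-Module ActiveDirectory

$ouDN       = 'OU=EXAMPLE-UNIT,OU=Accounts,DC=example,DC=edu'   # placeholder OU DN
$adminGroup = 'EXAMPLE\EXAMPLE-UNIT-Admins'                      # placeholder delegated group

# ACEs identify attributes and classes by schemaIDGUID, so build a GUID -> lDAPDisplayName map.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$guidToName = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidToName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
$userClassGuid = ($guidToName.GetEnumerator() | Where-Object { $_.Value -eq 'user' }).Key

# Standard-schema attributes from the deny table. The site-specific umichad* attributes and the
# GUI-only "Web Information" entry are omitted because they do not resolve in a generic schema.
$expectedDeny = @(
    'displayName', 'userPrincipalName', 'sAMAccountName', 'userAccountControl', 'accountExpires',
    'userWorkstations', 'logonHours', 'homeDrive', 'homeDirectory', 'scriptPath', 'cn', 'givenName',
    'initials', 'sn', 'telephoneNumber', 'otherTelephone', 'homePhone', 'otherHomePhone', 'pager',
    'otherPager', 'facsimileTelephoneNumber', 'otherFacsimileTelephoneNumber', 'company',
    'department', 'title', 'altSecurityIdentities'
)

$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$acl = Get-Acl -Path "AD:\$ouDN"
$deniedWrites = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $adminGroup -and
        $_.ActiveDirectoryRights.HasFlag($writeProp) -and
        $_.InheritedObjectType -eq $userClassGuid
    } |
    ForEach-Object { $guidToName[$_.ObjectType] } |
    Where-Object { $_ }   # drop ACEs whose ObjectType (e.g. the all-zeros GUID) is not in the map

# A documented deny that is absent means the group can write that attribute through
# "Write All Properties"; an undocumented deny is drift in the other direction.
$missing = $expectedDeny | Where-Object { $_ -notin $deniedWrites }
$extra   = $deniedWrites | Where-Object { $_ -notin $expectedDeny }
"Deny ACEs documented but absent from the OU : $($missing -join ', ')"
"Deny ACEs present on the OU but undocumented: $($extra -join ', ')"
```

Run it once per delegated OU; both lines should be empty when the OU matches this document.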
Last Updated: Friday, November 22, 2019