U-M Windows Forest

Description of Attributes ACLs Assigned to Accounts

The following tables list the ACLs applied to each delegated OU in the Accounts OU for each delegated administrative group. The effective rights a user holds are the permissions granted minus the permissions denied: a Deny entry on an attribute overrides the broad "Write All Properties" grant below, so the delegated group can edit every user attribute except the ones listed in the Deny table.

Grant to this object and all child objects:

Permission             ACL Editor Name                  Description
---------------------  -------------------------------  ------------------------------------
Create/Delete Child    groupPolicyContainer Objects     Create/Delete Group Policy Objects
Read/Write Property    gPLink                           Read/Write GP Links
Read/Write Property    gPOptions                        Read/Write GP Options

Grant to all user objects:

Permission             ACL Editor Name                  Description
---------------------  -------------------------------  ------------------------------------
List Contents
Read All Properties
Write All Properties
Read Permissions
All Validated Rights
All Extended Rights                                     Includes password change/reset, etc.

Deny to all user objects:

Permission       LDAP Property Name (ACL Editor Name)        User GUI Tab   Description
---------------  ------------------------------------------  -------------  --------------------------------------------------------------------------
Write Property   displayName                                 General        Display name (see note below)
Write Property   userPrincipalName (Logon Name)              Account        User logon name
Write Property   sAMAccountName (Logon Name (pre-Win2000))   Account        User logon name (pre-Windows 2000)
Write Property   userAccountControl                          Account        Last 8 checkboxes in the Account options section, including "Account is Disabled"
Write Property   accountExpires                              Account        Account expires
Write Property   userWorkstations                            Account        Logon Workstation
Write Property   logonHours                                  Account        Logon Hours
Write Property   homeDrive                                   Profile        Home drive
Write Property   homeDirectory                               Profile        Home directory
Write Property   scriptPath                                  Profile        Login script
Write Property   Cn                                          General        Name
Write Property   givenName                                   General        First Name
Write Property   initials                                    General        Initials
Write Property   Sn                                          General        Last Name
Write Property   telephoneNumber                             General        Telephone
Write Property   otherTelephone                              General        Telephone
Write Property   Web Information                             General        Web Page
Write Property   homePhone                                   Telephones     Home Phone
Write Property   otherHomePhone                              Telephones     Home Phone
Write Property   pager                                       Telephones     Pager
Write Property   otherPager                                  Telephones     Pager
Write Property   facsimileTelephoneNumber                    Telephones     Fax
Write Property   OtherFacsimileTelephoneNumber               Telephones     Fax
Write Property   company                                     Organization   Company
Write Property   department                                  Organization   Department
Write Property   Title                                       Organization   Title
Write Property   altSecurityIdentities                       not in GUI     Kerberos Mapping
Write Property   umichadHidePersonalInfo                     not in GUI     Umich Attributes
Write Property   umichadNoBatchUpdates                       not in GUI     Umich Attributes
Write Property   umichadOU                                   not in GUI     Umich Attributes
Write Property   umichadRole                                 not in GUI     Umich Attributes
Write Property   umichadUMDirToADSyncFlag                    not in GUI     Umich Attributes

Note: The displayName property is needed to reattach existing mailboxes. We allow write access to this property for current LSA OUs only.
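The tables above describe the intended delegation; an administrator auditing a delegated OU needs to see what is actually set. The script below is an added example and is not part of the U-M documentation: it reads the ACL of one OU, keeps the entries that apply to user objects (or to the OU and all children), resolves attribute and extended-right GUIDs to their LDAP names through the schema and Extended-Rights containers, and prints them so the Allow and Deny entries can be compared row by row against these tables. It assumes the RSAT ActiveDirectory module; the OU distinguished name and optional trustee group name are placeholders supplied by the caller.

```powershell
# Added audit helper (example, not U-M's own tooling). Lists the ACEs on a delegated
# OU that govern user objects, with property GUIDs translated to LDAP display names.
param(
    [Parameter(Mandatory)] [string] $OU,   # placeholder, e.g. "OU=Dept,OU=Accounts,DC=example,DC=edu"
    [string] $Trustee                      # optional: restrict output to one delegated group
)
Import-Module ActiveDirectory

# Map schema attribute/class GUIDs (schemaIDGUID) and extended-right GUIDs (rightsGuid)
# to readable names, so "Write Property <guid>" shows up as e.g. "Write Property displayName".
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

# The schema GUID of the "user" class: ACEs scoped "to all user objects" carry it as InheritedObjectType.
$userClassGuid = ($guidMap.GetEnumerator() | Where-Object Value -eq 'user').Key

(Get-Acl -Path "AD:\$OU").Access |
    Where-Object {
        ($_.InheritedObjectType -eq $userClassGuid -or $_.InheritedObjectType -eq [guid]::Empty) -and
        (-not $Trustee -or $_.IdentityReference -like "*$Trustee")
    } |
    ForEach-Object {
        [pscustomobject]@{
            Trustee   = $_.IdentityReference
            Type      = $_.AccessControlType       # Allow or Deny; Deny wins when both match
            Rights    = $_.ActiveDirectoryRights   # e.g. WriteProperty, CreateChild, ExtendedRight
            Property  = if ($_.ObjectType -eq [guid]::Empty) { '(all)' }
                        elseif ($guidMap.ContainsKey($_.ObjectType)) { $guidMap[$_.ObjectType] }
                        else { $_.ObjectType }     # unknown GUID: show it raw rather than guess
            AppliesTo = if ($_.InheritedObjectType -eq [guid]::Empty) { 'this object and all child objects' }
                        else { 'user objects' }
            Inherited = $_.IsInherited             # $false means the ACE is set on this OU itself
        }
    } |
    Sort-Object Trustee, Type, Property |
    Format-Table -AutoSize
```

A Deny row in the output whose Property column names an attribute from the Deny table confirms that attribute is protected; an attribute from that table that shows up only under Allow indicates drift from the documented delegation.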