Active Directory Permissions

Estimated reading: 2 minutes 491 views

Required permissions:

The Discover Account function requires read permissions granted to the Domain Account on a number of attributes that are stored in the Password Manager Data Repository for each user. The default attributes used, are shown below in the following table.

Attribute	Access	Description	Stored
DistinguishedName	Read	The unique name in LDAP format for the user.	Yes
sAMAccountName	Read	The short unique name for the user (the old style login name).	Yes
objectClass	Read	The AD object	Yes
cn	Read	Common Name for the user.	Yes
sn	Read	Sur Name also editable in Active Directory Users and Computers.	Yes
givenName	Read	First Name also editable in Active Directory Users and Computers.	Yes
displayName	Read	Full Name also editable in Active Directory Users and Computers.	Yes
description	Read	Description also editable in Active Directory Users and Computers.	Yes
department	Read	Department also editable in Active Directory Users and Computers.	Yes
title	Read	Title also editable in Active Directory Users and Computers.	Yes
manager	Read	Manager also editable in Active Directory Users and Computers.	Yes
phone	Read	Phone also editable in Active Directory Users and Computers.	Yes
mobile	Read	Mobile Phone also editable in Active Directory Users and Computers.	Yes
mail	Read	E-mail address also editable in Active Directory Users and Computers.	Yes
lockouttime	Read	Used to determine whether a user has been locked because of too many failed login attempts.	Yes
userAccountControl	Read	Used to determine whether a user has been disabled.	Yes
memberOf	Read	The Groups a user is member of.	Yes
primarygroupid	Read	Used to determine the primary Group of a user.	Yes
userPrincipalName	Read	The user principal name of the user.	Yes
pwdLastSet	Read	Used to determine whether a user has been locked because of too many failed login attempts.	Yes
userCertificate	Read	Used when Email Encryption is enabled.	Yes

The list of attributes can be customized and extended. When this is performed, the Read permission for these attributes must also be granted.

Active Directory Permissions

Required permissions:

Active Directory Permissions

CONTENTS