Active Directory Permissions

Author: [email protected] 77 views

Required permissions:

The Discover Account function requires read permissions granted to the Domain Account on a number of attributes that are stored in the Password Manager Data Repository for each user. The default attributes used, are shown below in the following table.

Attribute Access Description Stored
DistinguishedName
Read
The unique name in LDAP format for the user.
Yes
sAMAccountName
Read
The short unique name for the user (the old style login name).
Yes
objectClass
Read
The AD object
Yes
cn
Read
Common Name for the user.
Yes
sn
Read
Sur Name also editable in Active Directory Users and Computers.
Yes
givenName
Read
First Name also editable in Active Directory Users and Computers.
Yes
displayName
Read
Full Name also editable in Active Directory Users and Computers.
Yes
description
Read
Description also editable in Active Directory Users and Computers.
Yes
department
Read
Department also editable in Active Directory Users and Computers.
Yes
title
Read
Title also editable in Active Directory Users and Computers.
Yes
manager
Read
Manager also editable in Active Directory Users and Computers.
Yes
phone
Read
Phone also editable in Active Directory Users and Computers.
Yes
mobile
Read
Mobile Phone also editable in Active Directory Users and Computers.
Yes
mail
Read
E-mail address also editable in Active Directory Users and Computers.
Yes
lockouttime
Read
Used to determine whether a user has been locked because of too many failed login attempts.
Yes
userAccountControl
Read
Used to determine whether a user has been disabled.
Yes
memberOf
Read
The Groups a user is member of.
Yes
primarygroupid
Read
Used to determine the primary Group of a user.
Yes
userPrincipalName
Read
The user principal name of the user.
Yes
pwdLastSet
Read
Used to determine whether a user has been locked because of too many failed login attempts.
Yes
userCertificate
Read
Used when Email Encryption is enabled.
Yes

The list of attributes can be customized and extended. When this is performed, the Read permission for these attributes must also be granted.