Extended Rights
The solution defines 2 new extended rights in the AD Configuration partition. PDS uses these extended rights to authorize users' password read and reset requests: a user has to be granted the respective permission to perform the password read/reset.
By default, the rights are not assigned to anyone (not even to Domain/Enterprise admins) and must be explicitly assigned so that users are able to read/reset the password of managed accounts.
The specification is in the table below.
| Right | Parameter | Value |
|---|---|---|
| | objectClass | controlAccessRight |
| | displayName | Read Administrator Password |
| | appliesTo | bf967a86-0de6-11d0-a285-00aa003049e2 (computer objects); bf967aba-0de6-11d0-a285-00aa003049e2 (user objects) |
| | rightsGuid | 2a72352f-f5f8-40a3-83b2-1d8562fa90c4 |
| | validAccesses | 256 (See here for details) |
| | showInAdvancedViewOnly | FALSE |
| | objectClass | controlAccessRight |
| | displayName | Reset Administrator Password |
| | appliesTo | bf967a86-0de6-11d0-a285-00aa003049e2 (computer objects); bf967aba-0de6-11d0-a285-00aa003049e2 (user objects) |
| | rightsGuid | 5E4DF2BA-49FB-4703-87D9-B69F00C4C039 |
| | validAccesses | 256 |
| | showInAdvancedViewOnly | FALSE |
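Because these rights must be assigned explicitly, it is worth auditing which trustees actually hold them. The following is an added example, not part of the solution's own code: it scans the SDDL form of an object's security descriptor for object ACEs that name either rightsGuid with the control-access bit (256, written `CR` in SDDL). The function names, the sample SDDL string and the SIDs are constructed for illustration, and only ACEs that name the two GUIDs explicitly are reported.

```python
import re

# rightsGuid values from the table above, mapped to their displayName
RIGHTS = {
    "2a72352f-f5f8-40a3-83b2-1d8562fa90c4": "Read Administrator Password",
    "5e4df2ba-49fb-4703-87d9-b69f00c4c039": "Reset Administrator Password",
}
CONTROL_ACCESS = 0x100  # validAccesses 256 = ADS_RIGHT_DS_CONTROL_ACCESS, "CR" in SDDL
ACE_RE = re.compile(r"\(([^()]*)\)")  # simple ACEs only; conditional ACEs are skipped


def has_control_access(rights: str) -> bool:
    """True if an SDDL rights field (hex mask or two-letter codes) includes CR."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CONTROL_ACCESS)
    # Split into two-letter codes so "LC"+"RC" is not mistaken for "CR".
    return "CR" in (rights[i:i + 2] for i in range(0, len(rights), 2))


def password_right_aces(sddl: str):
    """Return (displayName, 'allow'|'deny', trustee) for each object ACE in the
    SDDL string that names one of the two rightsGuid values."""
    found = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inh_guid, trustee = fields[:6]
        if ace_type not in ("OA", "OD"):      # object allow / object deny only
            continue
        name = RIGHTS.get(obj_guid.lower())   # GUID case differs between the two rows
        if name and has_control_access(rights):
            found.append((name, "allow" if ace_type == "OA" else "deny", trustee))
    return found


# Constructed sample: security descriptor of a hypothetical managed computer object.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPLCRC;;;AU)"
    "(OA;;CR;2A72352F-F5F8-40A3-83B2-1D8562FA90C4;;S-1-5-21-1111-2222-3333-1105)"
    "(OA;CI;0x100;5E4DF2BA-49FB-4703-87D9-B69F00C4C039;;S-1-5-21-1111-2222-3333-1106)"
    "(OA;;RP;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111-2222-3333-1107)"
)

if __name__ == "__main__":
    for name, kind, trustee in password_right_aces(SAMPLE_SDDL):
        print(f"{kind:5} {name:30} {trustee}")
```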