Reference Material | Account Permissions
The following is a list of all the permissions the service account running the Gatekeeper requires:
Permission | Scope |
---|---|
Local Administrator | Gatekeeper computer |
Service Connection Point | Gatekeeper computer |
Create and Delete | classStore objects beneath user objects |
Read | User object attributes: userAccountControl, l, co, department, displayName, givenName, title, sAMAccountName, mobile, objectGUID, postCode, preferredLanguage, proxyAddresses, st, streetAddress, sn, msExchUsageLocation, userPrincipalName, objectSID |
Read | Group object attributes: description, displayName, groupType, mail, mailNickname, proxyAddresses, objectGUID, objectSID |
List child objects | User objects |
Write | mobile attribute on user objects. Note: This allows users to enroll by entering their mobile number when it has not already been set in Active Directory by the administrator. |