Reference Material | Account Permissions

The following is a list of all the permissions the service account running the Gatekeeper requires:

Permission | Scope
Local Administrator | Gatekeeper computer
Service Connection Point | Gatekeeper computer
Create and Delete | classStore objects beneath user objects
Read | The following attributes:
- userAccountControl attribute on user objects
- l attribute on user objects
- co attribute on user objects
- department attribute on user objects
- displayName attribute on user objects
- givenName attribute on user objects
- title attribute on user objects
- sAMAccountName attribute on user objects
- mobile attribute on user objects
- objectGUID attribute on user objects
- postCode attribute on user objects
- preferredLanguage attribute on user objects
- proxyAddresses attribute on user objects
- st attribute on user objects
- streetAddress attribute on user objects
- sn attribute on user objects
- msExchUsageLocation attribute on user objects
- userPrincipalName attribute on user objects
- objectSID attribute on user objects
- description attribute on group objects
- displayName attribute on group objects
- groupType attribute on group objects
- mail attribute on group objects
- mailNickname, mail attribute on group objects
- proxyAddresses attribute on group objects
- objectGUID attribute on group objects
- objectSID attribute on group objects
List child objects | User objects
Write | Mobile attribute on user objects

Note: The Write permission allows users to enroll by entering their own mobile number when the administrator has not already set one in Active Directory.
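The directory permissions in the table above can be delegated per attribute instead of through a broad group membership. The script below is an added example, not part of the product documentation: it builds one `dsacls` grant per table row and only prints the commands unless `-Apply` is given. The account name and OU distinguished name are placeholders, and the Local Administrator and Service Connection Point rows on the Gatekeeper computer are not covered.

```powershell
# Added example: least-privilege delegation of the Active Directory rows in the table.
# $Account and $TargetOU are placeholders (assumptions); replace them with your own values.
param(
    [string]$Account  = 'EXAMPLE\svc-gatekeeper',       # placeholder service account
    [string]$TargetOU = 'OU=Staff,DC=example,DC=com',   # placeholder OU holding the users and groups
    [switch]$Apply                                       # without -Apply the commands are only printed
)

# Attribute names copied from the table as written. dsacls resolves them against
# the schema, so a name that does not exist in your schema is reported as a failure.
$userRead  = 'userAccountControl','l','co','department','displayName','givenName','title',
             'sAMAccountName','mobile','objectGUID','postCode','preferredLanguage',
             'proxyAddresses','st','streetAddress','sn','msExchUsageLocation',
             'userPrincipalName','objectSID'
$groupRead = 'description','displayName','groupType','mail','mailNickname',
             'proxyAddresses','objectGUID','objectSID'

# dsacls permission spec: <rights>;<property or child class>;<object class the ACE applies to>
# RP = read property, WP = write property, LC = list children, CC/DC = create/delete child
$aces  = @()
$aces += $userRead  | ForEach-Object { "RP;$_;user" }
$aces += $groupRead | ForEach-Object { "RP;$_;group" }
$aces += 'WP;mobile;user'         # Write: Mobile attribute on user objects
$aces += 'LC;;user'               # List child objects: user objects
$aces += 'CCDC;classStore;user'   # Create and Delete: classStore objects beneath user objects

foreach ($ace in $aces) {
    $grant = "${Account}:$ace"
    if ($Apply) {
        # /I:S makes the ACE inherit to sub-objects of the OU only, not the OU itself
        & dsacls.exe $TargetOU /I:S /G $grant | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "dsacls failed for $ace" }
    }
    else {
        "dsacls `"$TargetOU`" /I:S /G `"$grant`""
    }
}
```

Review the printed commands before running with `-Apply`; afterwards, `dsacls` with only the OU distinguished name as its argument lists the resulting ACEs, so the grant can be checked against the table.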