Reference Material | Account Permissions
The following is a list of all the permissions the service account running the Gatekeeper requires:
| Permission | Scope |
|---|---|
| Local Administrator | Gatekeeper computer |
| Service Connection Point | Gatekeeper computer |
| Create and Delete | classStore objects beneath user objects |
| Read | - userAccountControl attribute on user objects - l attribute on user objects - co attribute on user objects - department attribute on user objects - displayName attribute on user objects - givenName attribute on user objects - title attribute on user objects - sAMAccountName attribute on user objects - mobile attribute on user objects - objectGUID attribute on user objects - postCode attribute on user objects - preferredLanguage attribute on user objects - proxyAddresses attribute on user objects - st attribute on user objects - streetAddress attribute on user objects - sn attribute on user objects - msExchUsageLocation attribute on user objects - userPrincipalName attribute on user objects - objectGUID attribute on user objects - objectSID attribute on user objects - description attribute on group objects - displayName attribute on group objects - groupType attribute on group objects - mail attribute on group objects - mailNickname, mail attribute on group objects - proxyAddresses attribute on group objects - groupType attribute on group objects - objectGUID attribute on group objects - objectSID attribute on group objects |
| List child objects | User objects |
| Write | Mobile attribute on user objects Note: This allows users to enroll by entering their mobile number, not already set in Active Directory by the administrator. |