Account Permissions
The following is a list of all the permissions the service account running the Gatekeeper requires:
| Permission |
Scope |
| Local Administrator |
Gatekeeper computer |
| Service Connection Point |
Gatekeeper computer |
| Create and Delete |
classStore objects beneath user objects |
| Read |
- userAccountControl attribute on user objects
- l attribute on user objects
- co attribute on user objects
- department attribute on user objects
- displayName attribute on user objects
- givenName attribute on user objects
- title attribute on user objects
- sAMAccountName attribute on user objects
- mobile attribute on user objects
- objectGUID attribute on user objects
- postCode attribute on user objects
- preferredLanguage attribute on user objects
- proxyAddresses attribute on user objects
- st attribute on user objects
- streetAddress attribute on user objects
- sn attribute on user objects
- msExchUsageLocation attribute on user objects
- userPrincipalName attribute on user objects
- objectGUID attribute on user objects
- objectSID attribute on user objects
- description attribute on group objects
- displayName attribute on group objects
- groupType attribute on group objects
- mail attribute on group objects
- mailNickname, mail attribute on group objects
- proxyAddresses attribute on group objects
- groupType attribute on group objects
- objectGUID attribute on group objects
- objectSID attribute on group objects
|
| List child objects |
User objects |
| Write |
Mobile attribute on user objects
NOTE
This allows users to enroll by entering their mobile number, not already set in Active Directory by the administrator.
|
