Account Permissions

The following is a list of all the permissions the service account running the Gatekeeper requires:

Permission Scope
Local Administrator Gatekeeper computer
Service Connection Point Gatekeeper computer
Create and Delete classStore objects beneath user objects
Read
  • userAccountControl attribute on user objects
  • l attribute on user objects
  • co attribute on user objects
  • department attribute on user objects
  • displayName attribute on user objects
  • givenName attribute on user objects
  • title attribute on user objects
  • sAMAccountName attribute on user objects
  • mobile attribute on user objects
  • objectGUID attribute on user objects
  • postCode attribute on user objects
  • preferredLanguage attribute on user objects
  • proxyAddresses attribute on user objects
  • st attribute on user objects
  • streetAddress attribute on user objects
  • sn attribute on user objects
  • msExchUsageLocation attribute on user objects
  • userPrincipalName attribute on user objects
  • objectGUID attribute on user objects
  • objectSID attribute on user objects
  • description attribute on group objects
  • displayName attribute on group objects
  • groupType attribute on group objects
  • mail attribute on group objects
  • mailNickname, mail attribute on group objects
  • proxyAddresses attribute on group objects
  • groupType attribute on group objects
  • objectGUID attribute on group objects
  • objectSID attribute on group objects
List child objects User objects
Write Mobile attribute on user objects
This allows users to enroll by entering their mobile number, not already set in Active Directory by the administrator.