Account Permissions

The following is a list of all the permissions the service account running the Gatekeeper requires:

Object: "CN=SpecopsAuthentication,CN=Specops,CN=System,DC=acme,DC=org" (recursively)
Permissions:
  • Domain Administrators - Full control
  • System - Full control
  • Authenticated users - Read

Object: "CN=SystemData,CN=SpecopsAuthentication,CN=Specops,CN=System,DC=acme,DC=org"
Permissions:
  • No inherited permissions
  • Specops Authentication Gatekeepers - Full control
  • Domain Administrators - Full control
  • System - Full control

Object: User objects
Permissions:
  • Create and Delete classStore objects beneath user objects
  • Read the following attributes on user objects:
      - userAccountControl
      - msDS-User-Account-Control-Computed
      - displayName
      - mail
      - manager
      - mobile
      - objectGUID
      - sAMAccountName
      - msDS-PasswordSettings
  • Change and Reset Password
  • Unlock account
  • Change password at next logon
  • List child objects
  • Write the mobile attribute on user objects

NOTE: Write access to the mobile attribute allows users to enroll by entering their mobile number themselves when it has not already been set in Active Directory by the administrator.
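The following audit script is an added example, not part of the Specops documentation or product. It reads the DACL of the two containers listed above through the ActiveDirectory module's AD: drive and reports any explicit Allow entry for a principal other than those the page lists, plus whether inheritance is blocked on SystemData. It assumes the page's placeholder domain DC=acme,DC=org, the group name "Specops Authentication Gatekeepers" from the page, and that "Domain Administrators" and "System" appear in ACEs as the well-known "Domain Admins" and "NT AUTHORITY\SYSTEM" principals.

```powershell
# Added example (not Specops' own code): audit the two container DACLs listed above.
# Assumes the ActiveDirectory module (and its AD: drive) is available and that the
# page's placeholder domain DC=acme,DC=org is replaced with the real domain.
Import-Module ActiveDirectory

$domainDn = 'DC=acme,DC=org'   # placeholder taken from the page

# Expected principals per container, matched on the account name after the backslash.
# "Domain Administrators"/"System" on the page are assumed to be the well-known
# "Domain Admins" and "NT AUTHORITY\SYSTEM" principals.
$containers = @(
    [pscustomobject]@{
        Dn        = "CN=SpecopsAuthentication,CN=Specops,CN=System,$domainDn"
        Expected  = @('Domain Admins', 'SYSTEM', 'Authenticated Users')
        NoInherit = $false   # the page does not require blocked inheritance here
    },
    [pscustomobject]@{
        Dn        = "CN=SystemData,CN=SpecopsAuthentication,CN=Specops,CN=System,$domainDn"
        Expected  = @('Specops Authentication Gatekeepers', 'Domain Admins', 'SYSTEM')
        NoInherit = $true    # page: "No inherited permissions"
    }
)

function Test-GatekeeperContainerAcl {
    param([Parameter(Mandatory)] $Container)

    $acl = Get-Acl -Path ("AD:\" + $Container.Dn)

    # Inheritance check: SystemData must not inherit ACEs from its parent.
    if ($Container.NoInherit -and -not $acl.AreAccessRulesProtected) {
        [pscustomobject]@{ Object = $Container.Dn; Finding = 'Inheritance is enabled (page requires none)' }
    }

    # Only explicit ACEs are judged; inherited ones belong to the parent's policy.
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($ace.AccessControlType -eq 'Allow' -and $Container.Expected -notcontains $name) {
            [pscustomobject]@{
                Object  = $Container.Dn
                Finding = "Unexpected explicit Allow for '$($ace.IdentityReference)': $($ace.ActiveDirectoryRights)"
            }
        }
    }
}

# Emits one row per deviation; no output means the containers match the listed permissions.
$containers | ForEach-Object { Test-GatekeeperContainerAcl -Container $_ } | Format-Table -AutoSize
```

Run it as an account with read access to the container DACLs; it changes nothing and only reports drift from the permissions listed on this page.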