Account Permissions

The following is a list of all the permissions the service account running the Gatekeeper requires:

Permissions	Object
Domain Administrators - Full control System - Full control Authenticated users - Read	"CN=SpecopsAuthentication,CN=Specops,CN=System,DC=acme,DC=org" (recursively)
No inherited permissions Specops Authentication Gatekeepers - Full control Domain Administrators - Full control System - Full control	"CN=SystemData,CN=SpecopsAuthentication,CN=Specops,CN=System,DC=acme,DC=org"
Create and Delete	classStore objects beneath user objects
Read	userAccountControl attribute on user objects msDS-User-Account-Control-Computed attribute on user objects displayName attribute on user objects mail attribute on user objects manager attribute on user objects mobile attribute on user objects objectGUID attribute on user objects sAMAccountName attribute on user objects userAccountControl attribute on user objects msDS-PasswordSettings on user objects
Change and Reset Password	User objects
Unlock account	User objects
Change password at next logon	User objects
List child objects	User objects
Write	Mobile attribute on user objects

Note

This allows users to enroll by entering their mobile number, not already set in Active Directory by the administrator.