Active Directory Validated Writes
While standard Active Directory permissions govern ordinary operations on objects stored in and protected by Active Directory, certain operations require additional validation before they are committed, above and beyond the basic structural checks enforced by the schema.
Validated writes are a special type of Active Directory security permission that performs pre-commit validation of write attempts to certain properties on certain Active Directory objects.
They ensure that the value written to a property conforms to the required semantics, i.e. falls within an acceptable range of values or passes some other check that a simple low-level write to the property would not receive.
The Active Directory security model recognizes and enforces three validated writes:
- Self-Membership
- Validated-DNS-Host-Name
- Validated-SPN
These Active Directory validated writes control and enforce access as follows:
Self-Membership – The Self-Membership validated write governs the ability of a user to add their own account to a specific security group. In particular, it allows administrators to permit users to add themselves (and only themselves) to security groups.
Without this special permission, administrators would have to grant users the standard Active Directory Write Property permission on the group, which would allow the user not only to add their own account to the group but also to add or remove other users from it.
This special permission thus allows the ability to add oneself to a group to be securely delegated to organizational users.
| Common Name | Self-Membership |
| Display Name | Add/Remove self as member |
| Rights-GUID | c7407360-20bf-11d0-a768-00aa006e0529 |
| Applies To | Group |
Validated-DNS-Host-Name – The Validated-DNS-Host-Name validated write governs the ability of a user to specify a DNS host name for a computer that is consistent with the computer's name and domain name.
In particular, it ensures that only valid DNS names can be written to the DNS-Host-Name attribute of a computer object.
Without this special permission, the standard Active Directory Write Property permission would allow unvalidated modification of this attribute, letting users specify non-compliant DNS host names and causing name-resolution errors that could disrupt network access.
| Common Name | Validated-DNS-Host-Name |
| Display Name | Validated write to DNS host name |
| Rights-GUID | 72e39547-7b18-11d1-adef-00c04fd8d5cd |
| Applies To | Computer |
Validated-SPN – The Validated-SPN validated write governs the ability of a user to specify valid Service Principal Names (SPNs), which represent unique instances of services on a specific computer.
In particular, it ensures that only valid SPNs can be written to the Service-Principal-Name attribute of a computer object, where validity means that the SPN is consistent with the host name and the DNS name of the computer.
Without this special permission, the standard Active Directory Write Property permission would allow unvalidated modification of this attribute, letting users specify non-compliant SPNs and causing service-mapping errors that could disrupt Kerberos mutual authentication between a service on this computer and a client attempting to use it.
| Common Name | Validated-SPN |
| Display Name | Validated write to service principal name |
| Rights-GUID | f3a64788-5306-11d1-a9c5-0000f80367c1 |
| Applies To | Computer |
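The distinction the three sections above draw between a validated write and a plain Write Property grant shows up directly in an object's DACL: both kinds of ACE can carry the same object GUID, and only the access-mask bit differs (ADS_RIGHT_DS_SELF, SDDL code SW, for a validated write; ADS_RIGHT_DS_WRITE_PROP, SDDL code WP, for an unvalidated write). For the two computer validated writes the rights GUID listed above is also the schemaIDGUID of the attribute it protects (dNSHostName, servicePrincipalName), so a WP ACE scoped to that GUID is exactly the unvalidated grant the text warns about. The following Python is an added example, not code from this page or from Microsoft: it parses a constructed SDDL string offline (the SDDL right codes and trustee aliases are standard Windows SDDL; the sample DACL and its SIDs are made up) and separates validated writes from Write Property grants that reach the same attributes, which is the check an auditor wants when reviewing who can bypass the validation.

```python
"""Audit an Active Directory DACL (SDDL form) for validated writes versus
unvalidated Write Property grants on the same objects.

Added example for this page, not the page author's code. It works on a
constructed SDDL string; against a live directory the SDDL would come from
the object's nTSecurityDescriptor (for instance the .Sddl property of the
ActiveDirectorySecurity object that Get-Acl returns in PowerShell)."""
import re
from dataclasses import dataclass

# Rights GUIDs of the three validated writes, as listed on this page.
VALIDATED_WRITES = {
    "c7407360-20bf-11d0-a768-00aa006e0529": "Self-Membership",
    "72e39547-7b18-11d1-adef-00c04fd8d5cd": "Validated-DNS-Host-Name",
    "f3a64788-5306-11d1-a9c5-0000f80367c1": "Validated-SPN",
}

# Standard SDDL two-letter access-right codes and their ADS_RIGHT_* mask bits.
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}
ADS_RIGHT_DS_SELF = 0x8         # "SW": validated write
ADS_RIGHT_DS_WRITE_PROP = 0x20  # "WP": unvalidated property write
GENERIC_ALL_OR_WRITE = 0x10000000 | 0x40000000  # GA / GW also imply WP


@dataclass
class Ace:
    ace_type: str     # "A" allow, "OA" object allow, "D"/"OD" deny, ...
    rights: int       # ADS_RIGHT_* bit mask
    object_type: str  # GUID the ACE is scoped to ("" = whole object)
    trustee: str      # SID or SDDL alias such as PS (Principal Self)


def parse_rights(field: str) -> int:
    """Decode the rights field: hex ("0x20") or concatenated codes ("RPWP")."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"malformed rights field: {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        mask |= SDDL_RIGHTS[field[i:i + 2]]
    return mask


def parse_dacl(sddl: str) -> list[Ace]:
    """Extract the ACEs of the D: component. Simplified: it handles the plain
    six-field ACE form used in AD object DACLs, not conditional ACEs."""
    match = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, object_type, _inherit_type, trustee = fields[:6]
        aces.append(Ace(ace_type, parse_rights(rights), object_type.lower(), trustee))
    return aces


def audit(sddl: str) -> dict[str, list[tuple[str, str]]]:
    """Separate validated writes (SELF bit on a validated-write GUID) from
    Write Property grants that reach the same attributes without validation."""
    result: dict[str, list[tuple[str, str]]] = {"validated": [], "unvalidated": []}
    for ace in parse_dacl(sddl):
        if ace.ace_type not in ("A", "OA"):
            continue  # deny and audit ACEs grant nothing
        grants_wp = bool(ace.rights & (ADS_RIGHT_DS_WRITE_PROP | GENERIC_ALL_OR_WRITE))
        if ace.object_type in VALIDATED_WRITES:
            name = VALIDATED_WRITES[ace.object_type]
            if ace.rights & ADS_RIGHT_DS_SELF:
                result["validated"].append((ace.trustee, name))
            if grants_wp:
                # Same GUID, but the WP bit: the write skips the validation
                result["unvalidated"].append((ace.trustee, name))
        elif grants_wp and ace.object_type == "":
            # WP with no object GUID covers every attribute, validated ones included
            result["unvalidated"].append((ace.trustee, "all properties"))
    return result


# Constructed sample DACL (not captured from a real forest). The two SW ACEs
# let the computer account (PS) validated-write its own DNS host name and
# SPNs; the two WP ACEs are the kind of grant an audit should surface.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;PS)"
    "(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)"
    "(OA;;WP;f3a64788-5306-11d1-a9c5-0000f80367c1;;S-1-5-21-1111-2222-3333-1105)"
    "(A;;RPWP;;;DA)"
    "(OA;;RP;72e39547-7b18-11d1-adef-00c04fd8d5cd;;AU)"
    "(D;;WP;;;S-1-5-21-1111-2222-3333-1106)"
)

if __name__ == "__main__":
    for kind, entries in audit(SAMPLE_SDDL).items():
        for trustee, target in entries:
            print(f"{kind:11} {trustee:40} {target}")
```

On the sample, `audit` reports two validated writes held by Principal Self and two unvalidated grants: the explicit WP on the SPN attribute GUID held by a domain SID, and the unscoped RPWP held by Domain Admins, which reaches every attribute. The RP-only ACE and the deny ACE are correctly ignored. When reviewing real DACLs, the "unvalidated" list is the one to reconcile against the delegation model, since each entry names a principal who can write the attribute without the checks described above.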