Default ACLs of New Objects - Inside Active Directory

Related to the book Inside Active Directory, ISBN 0-201-61621-1
Copyright (C) 2002 by Sakari Kouti
Version: December 21, 2001
Back to the book's Web site

ACE	Trustee	AccessMask	AceFlags	AceType	ObjectType	InheritedObjectType
OU=New OU,DC=sanao,DC=com
ACE 1	SYSTEM	Full Control		ACCESS_ALLOWED
ACE 2	Domain Admins	Full Control		ACCESS_ALLOWED
ACE 3	Account Operators	DS_CREATE_CHILD, DS_DELETE_CHILD,		ACCESS_ALLOWED_OBJECT	computer
ACE 4	Account Operators	DS_CREATE_CHILD, DS_DELETE_CHILD,		ACCESS_ALLOWED_OBJECT	user
ACE 5	Account Operators	DS_CREATE_CHILD, DS_DELETE_CHILD,		ACCESS_ALLOWED_OBJECT	group
ACE 6	Print Operators	DS_CREATE_CHILD, DS_DELETE_CHILD,		ACCESS_ALLOWED_OBJECT	printQueue
ACE 7	Authenticated Users	Read plus List Object		ACCESS_ALLOWED
ACE 8	Administrators	Full Control except Delete Child and Delete Subtree	Inherit, Inherited,	ACCESS_ALLOWED
ACE 9	Enterprise Admins	Full Control	Inherit, Inherited,	ACCESS_ALLOWED
ACE 10	Pre-Windows 2000 Compatible Access	ACTRL_DS_LIST,	Inherit, Inherited,	ACCESS_ALLOWED
ACE 11	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Remote Access Information	user
ACE 12	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	General Information	user
ACE 13	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Group Membership	user
ACE 14	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Account Restrictions	user
ACE 15	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Logon Information	user
ACE 16	Pre-Windows 2000 Compatible Access	Read plus List Object	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT		group
ACE 17	Pre-Windows 2000 Compatible Access	Read plus List Object	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT		user
CN=New Contact,OU=New OU,DC=sanao,DC=com
ACE 1	Domain Admins	Full Control		ACCESS_ALLOWED
ACE 2	SYSTEM	Full Control		ACCESS_ALLOWED
ACE 3	Authenticated Users	Read plus List Object		ACCESS_ALLOWED
ACE 4	Administrators	Full Control except Delete Child and Delete Subtree	Inherit, Inherited,	ACCESS_ALLOWED
ACE 5	Enterprise Admins	Full Control	Inherit, Inherited,	ACCESS_ALLOWED
ACE 6	Pre-Windows 2000 Compatible Access	ACTRL_DS_LIST,	Inherit, Inherited,	ACCESS_ALLOWED
ACE 7	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Remote Access Information	user
ACE 8	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	General Information	user
ACE 9	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Group Membership	user
ACE 10	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Account Restrictions	user
ACE 11	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Logon Information	user
ACE 12	Pre-Windows 2000 Compatible Access	Read plus List Object	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT		group
ACE 13	Pre-Windows 2000 Compatible Access	Read plus List Object	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT		user
CN=New Group,OU=New OU,DC=sanao,DC=com
ACE 1	Domain Admins	Full Control		ACCESS_ALLOWED
ACE 2	SYSTEM	Full Control		ACCESS_ALLOWED
ACE 3	Authenticated Users	Read plus List Object		ACCESS_ALLOWED
ACE 4	Account Operators	Full Control		ACCESS_ALLOWED
ACE 5	SELF	Read plus List Object		ACCESS_ALLOWED
ACE 6	Authenticated Users	DS_CONTROL_ACCESS,		ACCESS_ALLOWED_OBJECT	Send To
ACE 7	Administrators	Full Control except Delete Child and Delete Subtree	Inherit, Inherited,	ACCESS_ALLOWED
ACE 8	Enterprise Admins	Full Control	Inherit, Inherited,	ACCESS_ALLOWED
ACE 9	Pre-Windows 2000 Compatible Access	ACTRL_DS_LIST,	Inherit, Inherited,	ACCESS_ALLOWED
ACE 10	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Remote Access Information	user
ACE 11	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	General Information	user
ACE 12	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Group Membership	user
ACE 13	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Account Restrictions	user
ACE 14	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Logon Information	user
ACE 15	Pre-Windows 2000 Compatible Access	Read plus List Object	Inherit, Inherited,	ACCESS_ALLOWED_OBJECT		group
ACE 16	Pre-Windows 2000 Compatible Access	Read plus List Object	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT		user
CN=New User,OU=New OU,DC=sanao,DC=com
ACE 1	Domain Admins	Full Control		ACCESS_ALLOWED
ACE 2	SYSTEM	Full Control		ACCESS_ALLOWED
ACE 3	Account Operators	Full Control		ACCESS_ALLOWED
ACE 4	SELF	Read plus List Object		ACCESS_ALLOWED
ACE 5	SELF	DS_CONTROL_ACCESS,		ACCESS_ALLOWED_OBJECT	Change Password
ACE 6	SELF	DS_CONTROL_ACCESS,		ACCESS_ALLOWED_OBJECT	Send As
ACE 7	SELF	DS_CONTROL_ACCESS,		ACCESS_ALLOWED_OBJECT	Receive As
ACE 8	SELF	DS_READ_PROP, DS_WRITE_PROP,		ACCESS_ALLOWED_OBJECT	Personal Information
ACE 9	SELF	DS_READ_PROP, DS_WRITE_PROP,		ACCESS_ALLOWED_OBJECT	Phone and Mail Options
ACE 10	SELF	DS_READ_PROP, DS_WRITE_PROP,		ACCESS_ALLOWED_OBJECT	Web Information
ACE 11	RAS and IAS Servers	DS_READ_PROP,		ACCESS_ALLOWED_OBJECT	Remote Access Information
ACE 12	RAS and IAS Servers	DS_READ_PROP,		ACCESS_ALLOWED_OBJECT	Account Restrictions
ACE 13	RAS and IAS Servers	DS_READ_PROP,		ACCESS_ALLOWED_OBJECT	Group Membership
ACE 14	Authenticated Users	READ_CONTROL,		ACCESS_ALLOWED
ACE 15	Authenticated Users	DS_READ_PROP,		ACCESS_ALLOWED_OBJECT	General Information
ACE 16	Authenticated Users	DS_READ_PROP,		ACCESS_ALLOWED_OBJECT	Personal Information
ACE 17	Authenticated Users	DS_READ_PROP,		ACCESS_ALLOWED_OBJECT	Web Information
ACE 18	Authenticated Users	DS_READ_PROP,		ACCESS_ALLOWED_OBJECT	Public Information
ACE 19	Everyone	DS_CONTROL_ACCESS,		ACCESS_ALLOWED_OBJECT	Change Password
ACE 20	RAS and IAS Servers	DS_READ_PROP,		ACCESS_ALLOWED_OBJECT	Logon Information
ACE 21	Cert Publishers	DS_READ_PROP, DS_WRITE_PROP,		ACCESS_ALLOWED_OBJECT	userCertificate
ACE 22	Administrators	Full Control except Delete Child and Delete Subtree	Inherit, Inherited,	ACCESS_ALLOWED
ACE 23	Enterprise Admins	Full Control	Inherit, Inherited,	ACCESS_ALLOWED
ACE 24	Pre-Windows 2000 Compatible Access	ACTRL_DS_LIST,	Inherit, Inherited,	ACCESS_ALLOWED
ACE 25	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherited,	ACCESS_ALLOWED_OBJECT	Remote Access Information	user
ACE 26	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherited,	ACCESS_ALLOWED_OBJECT	General Information	user
ACE 27	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherited,	ACCESS_ALLOWED_OBJECT	Group Membership	user
ACE 28	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherited,	ACCESS_ALLOWED_OBJECT	Account Restrictions	user
ACE 29	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherited,	ACCESS_ALLOWED_OBJECT	Logon Information	user
ACE 30	Pre-Windows 2000 Compatible Access	Read plus List Object	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT		group
ACE 31	Pre-Windows 2000 Compatible Access	Read plus List Object	Inherit, Inherited,	ACCESS_ALLOWED_OBJECT		user
CN=New Shared Folder,OU=New OU,DC=sanao,DC=com
ACE 1	Domain Admins	Full Control		ACCESS_ALLOWED
ACE 2	SYSTEM	Full Control		ACCESS_ALLOWED
ACE 3	Authenticated Users	Read plus List Object		ACCESS_ALLOWED
ACE 4	Administrators	Full Control except Delete Child and Delete Subtree	Inherit, Inherited,	ACCESS_ALLOWED
ACE 5	Enterprise Admins	Full Control	Inherit, Inherited,	ACCESS_ALLOWED
ACE 6	Pre-Windows 2000 Compatible Access	ACTRL_DS_LIST,	Inherit, Inherited,	ACCESS_ALLOWED
ACE 7	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Remote Access Information	user
ACE 8	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	General Information	user
ACE 9	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Group Membership	user
ACE 10	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Account Restrictions	user
ACE 11	Pre-Windows 2000 Compatible Access	DS_READ_PROP,	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT	Logon Information	user
ACE 12	Pre-Windows 2000 Compatible Access	Read plus List Object	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT		group
ACE 13	Pre-Windows 2000 Compatible Access	Read plus List Object	Inherit, Inherit only, Inherited,	ACCESS_ALLOWED_OBJECT		user