What do the “Read personal information” and “Write personal information” Active Directory permissions entail

active-directory

I have a user account in an Active Directory domain. Despite this user account having the Read personal information and Write personal information permissions set, when logged in as this user, I cannot change their first name or surname.

What actual access do the permissions Read personal information and Write personal information entail? Is there any easy way to find out for any of the "general" permissions (i.e. any permission that isn't Read/Write thisAndThat attribute)?

The DC is a Windows 2012 machine and I'm accessing it using Active Directory Users and Computers (dsa.msc) from Windows 7 SP1.

Best Answer

According to this article, those permissions affect these attributes:

streetAddress

homePostalAddress

assistant

info

country/region name

facsimileTelephoneNumber (fax number)

International-ISDN-Number

Locality-Name

MSMQ-Digests

mSMQSignCertificates

Personal-Title

Phone-Fax-Other

Phone-Home-Other

Phone-Home-Primary

otherIpPhone

ipPhonenumber

primaryInternationalISDNNumber Phone-ISDN-Primary

Phone-Mobile-Other (otherMobile)

Phone-Mobile-Primary

Phone-Office-Other (otherTelephone)

Phone-Pager-Other

Phone-Pager-Primary

physicalDeliveryOfficeName

thumbnailPhoto (Picture)

postalCode

preferredDeliveryMethod

registeredAddress

State-Or-Province-Name

Street-Address

telephoneNumber

teletexTerminalIdentifier

telexNumber

primaryTelexNumber

userCert

User-Shared-Folder

User-Shared-Folder-Other

userSMIMECertificate

x121Address

X509-Cert

The user's name is not included in this list, so those aren't the proper permissions to grant. "General Information" is the category you'll find the name under.
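
To answer the "is there an easy way to find out" part for any property-set permission, the directory itself can be queried. The following is an added example, not part of the original answer: it assumes the RSAT ActiveDirectory PowerShell module and a domain-joined session, and the two function names are hypothetical. It lists the attributes in a property set, then does the reverse lookup for the first name (givenName) and surname (sn) attributes.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$rightsDn = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Property set -> attributes. $PropertySetCN is the CN of the controlAccessRight
# object, e.g. 'Personal-Information' (function name is hypothetical).
function Get-PropertySetMember {
    param([Parameter(Mandatory)][string]$PropertySetCN)
    $set = Get-ADObject -Identity "CN=$PropertySetCN,$rightsDn" -Properties rightsGuid
    # attributeSecurityGUID is stored as binary, so the GUID goes into the
    # LDAP filter as escaped bytes (\XX\XX...).
    $escaped = (([guid]$set.rightsGuid).ToByteArray() |
                ForEach-Object { '\{0:X2}' -f $_ }) -join ''
    Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                 -LDAPFilter "(&(objectClass=attributeSchema)(attributeSecurityGUID=$escaped))" `
                 -Properties lDAPDisplayName |
        Sort-Object lDAPDisplayName |
        Select-Object Name, lDAPDisplayName
}

# Attribute -> property set, for the reverse question (function name is hypothetical).
function Get-AttributePropertySet {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                         -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
                         -Properties attributeSecurityGUID
    if (-not $attr) { throw "No schema attribute named '$LdapDisplayName'." }
    if (-not $attr.attributeSecurityGUID) {
        # Not in any property set: only per-attribute or all-properties ACEs cover it.
        return [pscustomobject]@{ Attribute = $LdapDisplayName; PropertySet = $null }
    }
    $guid = New-Object Guid (,[byte[]]$attr.attributeSecurityGUID)
    $set  = Get-ADObject -SearchBase $rightsDn -LDAPFilter "(rightsGuid=$guid)" -Properties displayName
    [pscustomobject]@{ Attribute = $LdapDisplayName; PropertySet = $set.displayName }
}

Get-PropertySetMember -PropertySetCN 'Personal-Information'
'givenName', 'sn' | ForEach-Object { Get-AttributePropertySet -LdapDisplayName $_ }
```

The schema in your own forest is the authoritative source, since property-set membership can differ between schema versions.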
