3.1.1.5.2.1 Security Considerations
For regular object creation, the requester must have RIGHT_DS_CREATE_CHILD on the parent object for the objectClass of the object being added.
In the case of Windows Server 2008 R2 operating system, Windows Server 2012 operating system, and Windows Server 2012 R2 operating system, in the absence of RIGHT_DS_CREATE_CHILD, computer object creation requires that the RpcImpersonationAccessToken.Privileges field MUST have the SE_MACHINE_ACCOUNT_NAME privilege (defined in [MS-LSAD] section 3.1.1.2.1).
For application NC creation (see section 3.1.1.5.2.6), the requester must have sufficient permissions to create the crossRef object in the Partitions container on the domain naming FSMO, or to take over an existing crossRef object (in case of a pre-created crossRef). See section 3.1.1.5.2.6 for more details.
If the msDS-AllowedToDelegateTo attribute is specified as a part of the add operation, then the requester must possess SE_ENABLE_DELEGATION_PRIVILEGE.
If any attributes being added are marked in the schema as partition secrets (see the SE flag in section 2.2.9), the requester must have the control access right DS-Write-Partition-Secrets on the root object of the naming context to which the modified object belongs.
Access checks are not performed for replicated updates.
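The rules above, for regular object creation, combined into one decision function so the interaction between them (the computer-object exception, the per-attribute privilege and control-access requirements, and the replicated-update bypass) can be exercised. This is an added illustrative model, not code from the specification or from any Windows implementation; the request fields, the placeholder partition-secret attribute name and the set-based representation of the parent ACL are assumptions of the model.

```python
"""Model of the access checks applied to an LDAP Add of a regular object.

Added example, not specification or product code. The AddRequest fields are an
assumed representation: a real DC evaluates a security descriptor, not a set.
"""
from dataclasses import dataclass

# Rights, privileges and control access right as named in the section.
RIGHT_DS_CREATE_CHILD = "RIGHT_DS_CREATE_CHILD"
SE_MACHINE_ACCOUNT_NAME = "SE_MACHINE_ACCOUNT_NAME"
SE_ENABLE_DELEGATION_PRIVILEGE = "SE_ENABLE_DELEGATION_PRIVILEGE"
DS_WRITE_PARTITION_SECRETS = "DS-Write-Partition-Secrets"

# Assumed schema fragment: attributes whose searchFlags carry the SE flag.
# "msDS-ExampleSecret" is a constructed placeholder, not a real attribute.
PARTITION_SECRET_ATTRS = {"msDS-ExampleSecret"}


@dataclass
class AddRequest:
    object_class: str              # objectClass of the object being added
    attributes: set                # attribute names supplied in the add
    parent_create_child_for: set   # objectClasses the requester holds RIGHT_DS_CREATE_CHILD for
    privileges: set                # RpcImpersonationAccessToken.Privileges
    nc_control_access: set         # control access rights held on the NC root object
    replicated: bool = False       # True when the update arrives via replication


def check_add(req: AddRequest, secret_attrs=PARTITION_SECRET_ATTRS) -> tuple:
    """Return (allowed, reason) for the request according to the section's rules."""
    if req.replicated:
        return True, "replicated update: access checks not performed"
    # RIGHT_DS_CREATE_CHILD on the parent for this objectClass is required, except
    # that (on the Windows Server versions named in the section) a computer object
    # may instead be created by a requester holding SE_MACHINE_ACCOUNT_NAME.
    if req.object_class not in req.parent_create_child_for:
        if not (req.object_class == "computer" and SE_MACHINE_ACCOUNT_NAME in req.privileges):
            return False, f"no {RIGHT_DS_CREATE_CHILD} on parent for objectClass {req.object_class}"
    # Specifying msDS-AllowedToDelegateTo requires SE_ENABLE_DELEGATION_PRIVILEGE.
    if "msDS-AllowedToDelegateTo" in req.attributes and SE_ENABLE_DELEGATION_PRIVILEGE not in req.privileges:
        return False, f"msDS-AllowedToDelegateTo requires {SE_ENABLE_DELEGATION_PRIVILEGE}"
    # Partition-secret attributes require DS-Write-Partition-Secrets on the NC root.
    secrets = req.attributes & secret_attrs
    if secrets and DS_WRITE_PARTITION_SECRETS not in req.nc_control_access:
        return False, f"{', '.join(sorted(secrets))} requires {DS_WRITE_PARTITION_SECRETS} on the NC root"
    return True, "allowed"
```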