Security Considerations

For regular object creation, the requester must have RIGHT_DS_CREATE_CHILD on the parent object for the objectClass of the object being added.

In the case of Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system, in the absence of RIGHT_DS_CREATE_CHILD, computer object creation requires that the security constraints and state changes specified in step 13 of [MS-SAMR] section be followed.

For application NC creation (see section, the requester must have sufficient permissions to create the crossRef object in the Partitions container on the domain naming FSMO, or to take over an existing crossRef object (in case of pre-created crossRef). See section for more details.

If the msDS-AllowedToDelegateTo attribute is specified as a part of the add operation, then the requester must possess SE_ENABLE_DELEGATION_PRIVILEGE.

If any attributes being added are marked in the schema as partition secrets (see the SE flag in section 2.2.9), the requester must have the control access right DS-Write-Partition-Secrets on the root object of the naming context to which the modified object belongs.

Access checks are not performed for replicated updates.
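
The checks above can be modeled as a single decision function. The following is an added example, not code from the specification or from any Microsoft implementation. It assumes the requester's effective allowed rights have already been computed (no deny ACEs, inheritance or ACE ordering), uses class and right names as stand-ins for the GUIDs carried in real object ACEs, and does not model the [MS-SAMR] computer-creation fallback or application NC creation. `Requester`, `has_right`, `check_add` and the sample DNs are hypothetical names.

```python
from dataclasses import dataclass, field

RIGHT_DS_CREATE_CHILD = 0x00000001    # access mask bit: create child objects
RIGHT_DS_CONTROL_ACCESS = 0x00000100  # access mask bit: control access rights
ANY = None                            # grant without an object type applies to all

@dataclass
class Requester:
    # Effective allowed (mask, object_type) pairs, keyed by the DN they apply to.
    grants: dict = field(default_factory=dict)
    privileges: set = field(default_factory=set)

def has_right(req, dn, mask, object_type):
    """True if some grant on dn covers mask for object_type (or for any type)."""
    return any((m & mask) == mask and t in (ANY, object_type)
               for m, t in req.grants.get(dn, ()))

def check_add(req, parent_dn, nc_root_dn, object_class, attrs,
              secret_attrs=frozenset(), replicated=False):
    """Return the names of the failed checks; an empty list means the add passes."""
    if replicated:
        return []  # access checks are not performed for replicated updates
    names = {a.lower() for a in attrs}  # LDAP attribute names are case-insensitive
    failures = []
    # Regular object creation: create-child on the parent for this objectClass.
    if not has_right(req, parent_dn, RIGHT_DS_CREATE_CHILD, object_class):
        failures.append("RIGHT_DS_CREATE_CHILD")
    # Setting delegation targets during the add requires the privilege.
    if ("msds-allowedtodelegateto" in names
            and "SE_ENABLE_DELEGATION_PRIVILEGE" not in req.privileges):
        failures.append("SE_ENABLE_DELEGATION_PRIVILEGE")
    # Partition-secret attributes: control access right on the NC root.
    if {s.lower() for s in secret_attrs} & names and not has_right(
            req, nc_root_dn, RIGHT_DS_CONTROL_ACCESS, "DS-Write-Partition-Secrets"):
        failures.append("DS-Write-Partition-Secrets")
    return failures

# Constructed sample data: a delegated account that may only create computers.
PARENT = "OU=Servers,DC=example,DC=test"
NC_ROOT = "DC=example,DC=test"
helpdesk = Requester(grants={PARENT: [(RIGHT_DS_CREATE_CHILD, "computer")]})

if __name__ == "__main__":
    print(check_add(helpdesk, PARENT, NC_ROOT, "computer",
                    {"cn", "msDS-AllowedToDelegateTo"}))
```

Running the sample shows that a delegation of create-child for computer objects alone does not allow the same account to populate msDS-AllowedToDelegateTo at creation time.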