Policy Object Access Rights

The Policy object has the following object-specific access types:

| Access type | Description |
| --- | --- |
| POLICY_VIEW_LOCAL_INFORMATION | This access type is needed to read the target system's miscellaneous security policy information. This includes the default quota, auditing, server state and role information, and trust information. This access type is also needed to enumerate trusted domains, accounts, and privileges. |
| POLICY_GET_PRIVATE_INFORMATION | This access type is needed to view sensitive information, such as the names of accounts established for trusted domain relationships. |
| POLICY_TRUST_ADMIN | This access type is needed to change the account domain or primary domain information. |
| POLICY_SET_DEFAULT_QUOTA_LIMITS | Set the default system quotas that are applied to user accounts. |
| POLICY_CREATE_SECRET | This access type is needed to create a new Private Data object. |
| POLICY_CREATE_ACCOUNT | This access type is needed to create a new Account object. |
| POLICY_SET_AUDIT_REQUIREMENTS | This access type is needed to update the auditing requirements of the system. |
| POLICY_AUDIT_LOG_ADMIN | This access type is needed to change the characteristics of the audit trail such as its maximum size or the retention period for audit records, or to clear the log. |
| POLICY_VIEW_AUDIT_INFORMATION | This access type is needed to view audit trail or audit requirements information. |
| POLICY_SERVER_ADMIN | This access type is needed to modify the server state or role (master/replica) information. It is also needed to change the replica source and account name information. |
| POLICY_LOOKUP_NAMES | This access type is needed to translate between names and SIDs. |
| POLICY_CREATE_PRIVILEGE | Not yet supported. |

Generic Access Masks

The Policy object publishes the following mappings from generic access types to specific access types:

    GENERIC_READ    STANDARD_RIGHTS_READ |
                    POLICY_VIEW_AUDIT_INFORMATION |
                    POLICY_GET_PRIVATE_INFORMATION

    GENERIC_WRITE   STANDARD_RIGHTS_WRITE |
                    POLICY_TRUST_ADMIN |
                    POLICY_CREATE_ACCOUNT |
                    POLICY_CREATE_SECRET |
                    POLICY_CREATE_PRIVILEGE |
                    POLICY_SET_DEFAULT_QUOTA_LIMITS |
                    POLICY_SET_AUDIT_REQUIREMENTS |
                    POLICY_AUDIT_LOG_ADMIN |
                    POLICY_SERVER_ADMIN

    GENERIC_EXECUTE STANDARD_RIGHTS_EXECUTE |
                    POLICY_VIEW_LOCAL_INFORMATION |
                    POLICY_LOOKUP_NAMES

Standard Access Types

This object does not support the (optional) SYNCHRONIZE standard access type. All required access types are supported. The mask of all supported access types for this object type is:

    POLICY_ALL_ACCESS STANDARD_RIGHTS_REQUIRED |
                    POLICY_VIEW_LOCAL_INFORMATION |
                    POLICY_VIEW_AUDIT_INFORMATION |
                    POLICY_GET_PRIVATE_INFORMATION |
                    POLICY_TRUST_ADMIN |
                    POLICY_CREATE_ACCOUNT |
                    POLICY_CREATE_SECRET |
                    POLICY_CREATE_PRIVILEGE |
                    POLICY_SET_DEFAULT_QUOTA_LIMITS |
                    POLICY_SET_AUDIT_REQUIREMENTS |
                    POLICY_AUDIT_LOG_ADMIN |
                    POLICY_SERVER_ADMIN |
                    POLICY_LOOKUP_NAMES
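
When reviewing a requested or granted access mask on the Policy object, it helps to expand the generic bits and list which rights fall in the GENERIC_WRITE class. The following Python sketch is an added example, not part of the original documentation; the numeric bit values come from the Windows SDK headers (this page does not list them), and the function names and sample masks are constructed for illustration. GENERIC_ALL is left unmapped because this page does not give its mapping.

```python
# Bit values from the Windows SDK headers (ntsecapi.h, winnt.h); not listed on this page.
POLICY_RIGHTS = {
    "POLICY_VIEW_LOCAL_INFORMATION":   0x0001,
    "POLICY_VIEW_AUDIT_INFORMATION":   0x0002,
    "POLICY_GET_PRIVATE_INFORMATION":  0x0004,
    "POLICY_TRUST_ADMIN":              0x0008,
    "POLICY_CREATE_ACCOUNT":           0x0010,
    "POLICY_CREATE_SECRET":            0x0020,
    "POLICY_CREATE_PRIVILEGE":         0x0040,
    "POLICY_SET_DEFAULT_QUOTA_LIMITS": 0x0080,
    "POLICY_SET_AUDIT_REQUIREMENTS":   0x0100,
    "POLICY_AUDIT_LOG_ADMIN":          0x0200,
    "POLICY_SERVER_ADMIN":             0x0400,
    "POLICY_LOOKUP_NAMES":             0x0800,
}
STD_RWX = 0x00020000  # STANDARD_RIGHTS_READ, _WRITE and _EXECUTE share this value
STANDARD_RIGHTS_REQUIRED = 0x000F0000
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE = 0x80000000, 0x40000000, 0x20000000
def bits(*names):  # helper name is illustrative
    return sum(POLICY_RIGHTS["POLICY_" + n] for n in names)  # distinct bits: sum == OR
# The generic mappings published on this page.
GENERIC_MAPPING = {
    GENERIC_READ: STD_RWX | bits("VIEW_AUDIT_INFORMATION", "GET_PRIVATE_INFORMATION"),
    GENERIC_WRITE: STD_RWX | bits(
        "TRUST_ADMIN", "CREATE_ACCOUNT", "CREATE_SECRET", "CREATE_PRIVILEGE",
        "SET_DEFAULT_QUOTA_LIMITS", "SET_AUDIT_REQUIREMENTS", "AUDIT_LOG_ADMIN", "SERVER_ADMIN"),
    GENERIC_EXECUTE: STD_RWX | bits("VIEW_LOCAL_INFORMATION", "LOOKUP_NAMES"),
}
POLICY_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | sum(POLICY_RIGHTS.values())

def map_generic(mask):
    """Replace each generic bit in mask with the specific rights it stands for."""
    for generic, specific in GENERIC_MAPPING.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask

def decode(mask):
    """Names of the Policy-specific rights present once generic bits are expanded."""
    mask = map_generic(mask)
    return [name for name, bit in POLICY_RIGHTS.items() if mask & bit]

def modifying_rights(mask):
    """Rights in mask that this page groups under GENERIC_WRITE."""
    return decode(map_generic(mask) & GENERIC_MAPPING[GENERIC_WRITE])

if __name__ == "__main__":
    for sample in (0x00000801, GENERIC_READ | bits("CREATE_SECRET"), POLICY_ALL_ACCESS):  # constructed
        print(f"{sample:#010x} -> {decode(sample)}; write-class: {modifying_rights(sample)}")
```

A mask that requests only lookup and view rights yields an empty write-class list; any entry in that list marks a right that can change policy state and deserves a closer look against least privilege.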

 

 
