5.1.3.2.2 Validated Writes
In Active Directory, write access to an object's attributes is controlled by using the RIGHT_DS_WRITE_PROPERTY (WP) access right. However, that would allow any value that is permissible by the attribute schema to be written to the attribute with no value checking performed. There are cases where validation of the attribute values being written, beyond that required by the schema, is necessary before writing them to an object in order to maintain integrity constraints. Active Directory extends the standard access control mechanism to allow such additional validation semantics to be incorporated by using a mechanism called "validated write rights". The attributes to which the validated write rights apply, and the specific validations performed, are specified in section 3.1.1.5.3.1.
A validated write right is not identified by a specific bit in an access mask as the standard access rights are. Instead, each validated write right is identified by a GUID. This GUID is the value of the schemaIDGUID attribute from the attributeSchema object of the attribute where the validated write is defined. An ACE that grants or denies a validated write right specifies the RIGHT_DS_WRITE_PROPERTY_EXTENDED (VW) bit in the ACCESS_MASK field and the GUID identifying the particular validated write right in the ObjectType field of the ACE. If the ObjectType field does not contain a GUID, the ACE is deemed to control the right to perform all validated write operations associated with the object. As with control access rights, each validated write right is represented by an object of class controlAccessRight in the Extended-Rights container for convenience and easy identification by Active Directory administrative tools. Note that these objects are not integral to evaluating access to an update operation and, therefore, their presence is not required for the proper functioning of the access control mechanism. The predefined list of validated write rights in Active Directory cannot be extended by application developers.
The attributes to which the validated write rights apply, and the specific validations performed, are specified in section 3.1.1.5.3.1.1. The following table summarizes the validated write rights that can be specified in an ACE, the GUID value identifying each right, and the applicable Windows Server releases that support each right.
The table contains information for the following products. See section 3 for more information.
A --> Windows 2000 operating system
D --> Windows Server 2003 operating system
DR2 --> Windows Server 2003 R2 operating system
K --> Windows Server 2008 operating system AD DS
L --> Windows Server 2008 AD LDS
N --> Windows Server 2008 R2 operating system AD DS
P --> Windows Server 2008 R2 AD LDS
S --> Windows Server 2012 operating system AD DS
T --> Windows Server 2012 AD LDS
V --> Windows Server 2012 R2 operating system AD DS
W --> Windows Server 2012 R2 AD LDS
Y --> Windows Server 2016 operating system AD DS
Z --> Windows Server 2016 AD LDS
B2 --> Windows Server v1709 operating system AD DS
C2 --> Windows Server v1709 AD LDS
E2 --> Windows Server v1803 operating system AD DS
F2 --> Windows Server v1803 AD LDS
H2 --> Windows Server v1809 operating system AD DS
I2 --> Windows Server v1809 AD LDS
K2 --> Windows Server 2019 operating system AD DS
L2 --> Windows Server 2019 AD LDS
| Validated write right symbol | Identifying GUID used in ACE | A, D, DR2 | K, N | L, P | S, V, Y, B2, E2, H2, K2 | T, W, Z, C2, F2, I2, L2 |
|---|---|---|---|---|---|---|
| Self-Membership | bf9679c0-0de6-11d0-a285-00aa003049e2 (member attribute) | X | X | X | X | X |
| Validated-DNS-Host-Name | 72e39547-7b18-11d1-adef-00c04fd8d5cd (dNSHostName attribute) | X | X | | X | |
| Validated-MS-DS-Additional-DNS-Host-Name | 80863791-dbe9-4eb8-837e-7f0ab55d9ac7 (msDS-AdditionalDnsHostName attribute) | | | | X | |
| Validated-MS-DS-Behavior-Version | d31a8757-2447-4545-8081-3bb610cacbf2 (msDS-Behavior-Version attribute) | | | | X | |
| Validated-SPN | f3a64788-5306-11d1-a9c5-0000f80367c1 (servicePrincipalName attribute) | X | X | | X | |
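The following Python is an added worked example, not part of this specification or of any Windows component. It parses the DACL of an SDDL-encoded security descriptor and applies the evaluation rule described above for validated write rights: the ACE must carry the RIGHT_DS_WRITE_PROPERTY_EXTENDED (VW) bit, whose SDDL rights token is SW (0x00000008), and its ObjectType must either equal the GUID of the validated write right from the table or be absent, in which case the ACE covers all validated writes on the object. The sample descriptor, the domain SID, and the ordered first-match evaluation are constructed for illustration; the example checks only the validated-write path and does not model any other way an attribute write might be authorized.

```python
import re
from dataclasses import dataclass

# ACCESS_MASK bits used in Active Directory ACEs.
RIGHT_DS_CREATE_CHILD = 0x00000001
RIGHT_DS_DELETE_CHILD = 0x00000002
RIGHT_DS_LIST_CONTENTS = 0x00000004
RIGHT_DS_WRITE_PROPERTY_EXTENDED = 0x00000008   # "VW" in the text; SDDL token "SW"
RIGHT_DS_READ_PROPERTY = 0x00000010
RIGHT_DS_WRITE_PROPERTY = 0x00000020            # "WP"

# SDDL two-letter rights tokens -> mask bits (subset sufficient for this example).
SDDL_RIGHTS = {
    "CC": RIGHT_DS_CREATE_CHILD, "DC": RIGHT_DS_DELETE_CHILD,
    "LC": RIGHT_DS_LIST_CONTENTS, "SW": RIGHT_DS_WRITE_PROPERTY_EXTENDED,
    "RP": RIGHT_DS_READ_PROPERTY, "WP": RIGHT_DS_WRITE_PROPERTY,
}

# Well-known SDDL trustee aliases that do not depend on a domain SID.
SDDL_TRUSTEES = {"PS": "S-1-5-10", "AU": "S-1-5-11", "SY": "S-1-5-18"}

# Validated write rights and their identifying GUIDs, from the table above.
VALIDATED_WRITE = {
    "Self-Membership": "bf9679c0-0de6-11d0-a285-00aa003049e2",
    "Validated-DNS-Host-Name": "72e39547-7b18-11d1-adef-00c04fd8d5cd",
    "Validated-MS-DS-Additional-DNS-Host-Name": "80863791-dbe9-4eb8-837e-7f0ab55d9ac7",
    "Validated-MS-DS-Behavior-Version": "d31a8757-2447-4545-8081-3bb610cacbf2",
    "Validated-SPN": "f3a64788-5306-11d1-a9c5-0000f80367c1",
}


@dataclass
class Ace:
    ace_type: str     # "A"/"D" (plain ACE) or "OA"/"OD" (object ACE)
    mask: int         # ACCESS_MASK
    object_type: str  # lower-case GUID, or "" when the ACE carries no ObjectType
    trustee: str      # SID string


def parse_rights(token: str) -> int:
    """Convert an SDDL rights field (hex or concatenated two-letter tokens) to a mask."""
    if token.startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= SDDL_RIGHTS[token[i:i + 2]]
    return mask


def parse_dacl(sddl: str) -> list:
    """Extract the DACL ACEs from an SDDL security descriptor string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        # SDDL ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        f = body.split(";")
        trustee = SDDL_TRUSTEES.get(f[5], f[5]).upper()
        aces.append(Ace(f[0], parse_rights(f[2]), f[3].lower(), trustee))
    return aces


def validated_write_allowed(aces: list, trustee_sids, right_guid: str) -> bool:
    """Walk the DACL in order; the first matching ACE decides (deny or allow).

    An ACE matches when it names one of the requester's SIDs, carries the VW bit,
    and its ObjectType is either the requested validated write GUID or empty
    (empty means the ACE governs every validated write on the object).
    """
    right_guid = right_guid.lower()
    sids = {s.upper() for s in trustee_sids}
    for ace in aces:
        if ace.trustee not in sids:
            continue
        if not ace.mask & RIGHT_DS_WRITE_PROPERTY_EXTENDED:
            continue
        if ace.object_type not in ("", right_guid):
            continue
        return ace.ace_type in ("A", "OA")
    return False


# Constructed sample descriptor (hypothetical domain SID S-1-5-21-1000-2000-3000):
#   - deny Validated-SPN to RID 1105
#   - allow Self-Membership to Principal Self (PS)
#   - allow all validated writes (no ObjectType) to RID 1105
#   - plain RP/WP to RID 512, which carries no VW bit at all
SAMPLE_SD = (
    "O:DAG:DAD:"
    "(OD;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;S-1-5-21-1000-2000-3000-1105)"
    "(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;PS)"
    "(OA;;SW;;;S-1-5-21-1000-2000-3000-1105)"
    "(A;;RPWP;;;S-1-5-21-1000-2000-3000-512)"
)

if __name__ == "__main__":
    dacl = parse_dacl(SAMPLE_SD)
    for sid in ("S-1-5-10", "S-1-5-21-1000-2000-3000-1105", "S-1-5-21-1000-2000-3000-512"):
        for name, guid in VALIDATED_WRITE.items():
            print(f"{sid:32} {name:42} {validated_write_allowed(dacl, [sid], guid)}")
```

The third ACE shows why an SW ACE with an empty ObjectType deserves attention when reviewing a descriptor: it grants every validated write listed in the table, not just one, while the preceding deny ACE still wins for Validated-SPN because ACEs are evaluated in order.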