The following table lists the access control entries (ACEs) that domain preparation creates on the domain root. All ACEs are inherited unless otherwise noted.

ACEs Added to Domain Root

RTCUniversal-UserReadOnly-Group RTCUniversal-ServerReadOnly-Group RTCUniversal-UserAdmins RTCHSUniversal-Services Authenticated-Users

Read Container (not inherited)

Yes

Yes

No

No

No

Read User PropertySet User-Account-Restrictions

Yes

No

No

No

No

Read User PropertySet Personal-Information

Yes

No

No

No

No

Read User PropertySet General-Information

Yes

No

No

No

No

Read User PropertySet Public-Information

Yes

No

No

No

No

Read User PropertySet RTCUserSearchProperty-Set

Yes

No

No

No

Yes

Read User PropertySet RTCPropertySet

Yes

No

No

No

No

Write User Property Proxy-Addresses

No

No

Yes

No

No

Write User PropertySet RTCUserSearchProperty-Set

No

No

Yes

No

No

Write User PropertySet RTCPropertySet

No

No

Yes

No

No

Read PropertySet DS-Replication-Get-Changes of all Active Directory objects

No

No

No

Yes

No

The following table lists the ACEs that domain preparation creates in the three built-in containers: Users, Computers, and Domain Controllers. All ACEs are inherited unless otherwise noted.

ACEs Added to Built-in Containers

RTCUniversal-UserReadOnly-Group RTCUniversal-ServerReadOnly-Group

Read Container (not inherited)

Yes

Yes