Account Operators
SID: S-1-5-32-548
TYPE: BUILTIN
Exists only on domain controllers. By default, the group has no members. By
default, Account Operators have permission to create, modify, and
delete accounts for users, groups, and computers in all containers and
organizational units (OUs) of Active Directory except the Builtin
container and the Domain Controllers OU. Account Operators do not have
permission to modify the Administrators and Domain Admins groups, nor
do they have permission to modify the accounts for members of those
groups.
Administrators
SID: S-1-5-32-544
TYPE: BUILTIN
After the initial installation of the operating system, the only member of
the group is the Administrator account. When a computer joins a domain,
the Domain Admins group is added to the Administrators group. When a
server becomes a domain controller, the Enterprise Admins group also is
added to the Administrators group. The Administrators group has
built-in capabilities that give its members full control over the
system. The group is the default owner of any object that is created by
a member of the group.
Authenticated Users
SID: S-1-5-11
A group that includes all users whose identities were authenticated when
they logged on. Membership is controlled by the operating system.
Backup Operators
SID: S-1-5-32-551
TYPE: BUILTIN
By default, the group has no members. Backup Operators can back up and
restore all files on a computer, regardless of the permissions that
protect those files. Backup Operators also can log on to the computer
and shut it down.
Batch
SID: S-1-5-3
A group that implicitly includes all users who have logged on through a
batch queue facility such as task scheduler jobs. Membership is
controlled by the operating system.
Cert Publishers
SID: S-1-5-domain-517
TYPE: Global Group
Includes
all computers that are running an enterprise certificate authority.
Cert Publishers are authorized to publish certificates for User objects
in Active Directory.
Cert Requesters
SID: S-1-5-domain-517
TYPE: Domain Local Group
Members can request certificates
Creator Group
SID: S-1-3-1
A placeholder in an inheritable ACE. When the ACE is inherited, the
system replaces this SID with the SID for the primary group of the
object's current owner. The primary group is used only by the POSIX
subsystem.
Dialup
SID: S-1-5-1
A group
that implicitly includes all users who are logged on to the system
through a dial-up connection. Membership is controlled by the operating
system.
Distributed COM Users
SID: S-1-5-32-562
TYPE: BUILTIN
An
alias. A group for COM to provide computerwide access controls that
govern access to all call, activation, or launch requests on the
computer.
Domain Admins
SID: S-1-5-domain-512
TYPE: Global Group
Members are authorized to administer the domain. By default, the Domain Admins
group is a member of the Administrators group on all computers that
have joined a domain, including the domain controllers. Domain Admins
is the default owner of any object that is created in the domain's
Active Directory by any member of the group. If members of the group
create other objects, such as files, the default owner is the
Administrators group.
Domain Computers
SID: S-1-5-domain-515
TYPE: Global Group
Includes all computers that have joined the domain, excluding domain controllers.
Domain Controllers
SID: S-1-5-domain-516
TYPE: Global Group
Includes all domain controllers in the domain. New domain controllers are added to this group automatically.
Domain Guests
SID: S-1-5-domain-514
TYPE: Global Group
By default, has only one member, the domain's built-in Guest account.
Domain Users
SID: S-1-5-domain-513
TYPE: Global Group
By
default, includes all user accounts in a domain. When you create a user
account in a domain, it is added to this group automatically.
Enterprise Admins
SID: S-1-5-root domain-519
TYPE: Universal Group
A group that exists only in the root domain of an Active Directory forest
of domains. It is a universal group if the domain is in native mode, a
global group if the domain is in mixed mode. The group is authorized to
make forest-wide changes in Active Directory, such as adding child
domains. By default, the only member of the group is the Administrator
account for the forest root domain.
Enterprise Controllers
SID: S-1-5-9
A group that includes all domain controllers in an Active Directory
directory service forest of domains. Membership is controlled by the
operating system.
Everyone
SID: S-1-1-0
A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system.
Group Policy Creators Owners
SID: S-1-5-domain-520
TYPE: Global Group
Authorized
to create new Group Policy objects in Active Directory. By default, the
only member of the group is Administrator. The default owner of a new
Group Policy object is usually the user who created it. If the user is
a member of Administrators or Domain Admins, all objects that are
created by the user are owned by the group. Owners have full control of
the objects they own.
Guests
SID: S-1-5-32-546
TYPE: BUILTIN
By default, the only member is the Guest account. The Guests group allows
occasional or one-time users to log on with limited privileges to a
computer's built-in Guest account.
HelpServicesGroup
Group for the Help and Support Center
Incoming Forest Trust Builders
SID: S-1-5-32-557
TYPE: BUILTIN
An alias. Members of this group can create incoming, one-way trusts to this forest.
Interactive
SID: S-1-5-4
A group that includes all users who have logged on interactively. Membership is controlled by the operating system.
Network
SID: S-1-5-2
A
group that implicitly includes all users who are logged on through a
network connection. Membership is controlled by the operating system.
Network Configuration Operators
SID: S-1-5-32-556
TYPE: BUILTIN
An alias. Members in this group can have some administrative privileges to manage configuration of networking features.
Performance Monitor Users
SID: S-1-5-32-558
TYPE: BUILTIN
An alias. Members of this group have remote access to monitor this computer.
Performance Log Users
SID: S-1-5-32-559
TYPE: BUILTIN
An alias. Members of this group have remote access to schedule logging of performance counters on this computer.
Power Users
SID: S-1-5-32-548
TYPE: BUILTIN
By
default, the group has no members. This group does not exist on domain
controllers. Power Users can create local users and groups; modify and
delete accounts that they have created; and remove users from the Power
Users, Users, and Guests groups. Power Users also can install most
applications; create, manage, and delete local printers; and create and
delete file shares.
Pre-Windows 2000 Compatible Access
SID: S-1-5-32-554
A backward compatibility group which allows read access on all users and groups in the domain
Principal Self or Self
SID: S-1-5-10
A
placeholder in an ACE on a user, group, or computer object in Active
Directory. When you grant permissions to Principal Self, you grant them
to the security principal represented by the object. During an access
check, the operating system replaces the SID for Principal Self with
the SID for the security principal represented by the object.
Print Operators
SID: S-1-5-32-550
TYPE: BUILTIN
Exists
only on domain controllers. By default, the only member is the Domain
Users group. Print Operators can manage printers and document queues.
RAS and IAS Servers
SID: S-1-5-domain-533
TYPE: Domain Local Group
By
default, this group has no members. Computers that are running the
Routing and Remote Access service are added to the group automatically.
Members of this group have access to certain properties of User
objects, such as Read Account Restrictions, Read Logon Information, and
Read Remote Access Information.
Remote Desktop Users
SID: S-1-5-32-555
Members in this group are granted the right to log on remotely.
Replicators
SID: S-1-5-32-552
In Windows NT domains, this group is called Replicators and is used by the
directory replication service. In 2K/XP the group is present but is not
used.
Schema Admins
SID: S-1-5-root domain-518
TYPE: Universal Group
A group that exists only in the root domain of an Active Directory forest
of domains. It is a universal group if the domain is in native mode, a
global group if the domain is in mixed mode. The group is authorized
to make schema changes in Active Directory. By default, the only member
of the group is the Administrator account for the forest root domain.
Server Operators
SID: S-1-5-32-549
TYPE: BUILTIN
Exists
only on domain controllers. By default, the group has no members.
Server Operators can log on to a server interactively; create and
delete network shares; start and stop services; back up and restore
files; format the hard disk of the computer; and shut down the
computer.
Service
SID: S-1-5-6
A group
that includes all security principals that have logged on as a service.
Membership is controlled by the operating system.
Terminal Server License Servers
SID: S-1-5-32-561
TYPE: BUILTIN
An
alias. A group for Terminal Server License Servers. When Windows Server
2003 Service Pack 1 is installed, a new local group is created.
Terminal Server Users
SID: S-1-5-13
TYPE: BUILTIN
A
group that includes all users who have logged on to a Terminal Services
server. Membership is controlled by the operating system.
Users
SID: S-1-5-32-545
TYPE: BUILTIN
After
the initial installation of the operating system, the only member is
the Authenticated Users group. When a computer joins a domain, the
Domain Users group is added to the Users group on the computer. Users
can perform tasks such as running applications, using local and network
printers, shutting down the computer, and locking the computer. Users
can install applications that only they are allowed to use if the
installation program of the application supports per-user installation.
Windows Authorization Access Group
SID: S-1-5-32-560
TYPE: BUILTIN
An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.
To better understand, report or manage Windows groups see: Winzero GroupManagerPlus
Wednesday, April 16, 2008
Windows Groups
Posted by Winzero IT Hero at 2:54 PM
Labels: BUILTIN Groups, Groups, SIDs
Monday, February 25, 2008
New Attributes in Windows 2008
ms-DS-AuthenticatedAt-DC
Forward link for ms-DS-AuthenticatedTo-Accountlist; for a User, identifies which DC a user has authenticated to
ms-DS-AuthenticatedTo-Accountlist
Back link for ms-DS-AuthenticatedAt-DC; for a Computer, identifies which users have authenticated to this Computer
ms-DS-Az-Object-Guid
The unique and portable identifier of AzMan objects
ms-DS-Az-Generic-Data
AzMan specific generic data
ms-DS-isGC
For a Directory instance (DSA), Identifies the state of the Global Catalogue on the DSA
ms-DS-isRODC
For a Directory instance (DSA), Identifies whether the DSA is a Read-Only DSA
ms-DS-Maximum-Password-Age
Maximum password age for user accounts.
ms-DS-Minimum-Password-Age
Minimum password age for user accounts.
ms-DS-Minimum-Password-Length
Minimum password length for user accounts.
ms-DS-Password-History-Length
Password history length for user accounts.
ms-DS-Password-Complexity-Enabled
Password complexity status for user accounts.
ms-DS-Password-Reversible-Encryption-Enabled
Password reversible encryption status for user accounts.
ms-DS-Lockout-Observation-Window
Observation window for lockout of user accounts.
ms-DS-Lockout-Duration
Duration of lockout for locked out user accounts.
ms-DS-Lockout-Threshold
Lockout threshold for user accounts
ms-DS-PSO-Applies-To
Links to objects that this password settings object applies to.
ms-DS-PSO-Applied
Password settings object applied to this object.
ms-DS-Resultant-PSO
Resultant password settings object applied to this object.
ms-DS-Password-Settings-Precedence
Password settings precedence.
ms-DS-NC-Type
A bit field that maintains information about aspects of a NC replica that is relevant to replication.
ms-DS-Phonetic-First-Name
Contains the phonetic given name or first name of the person.
ms-DS-Phonetic-Last-Name
Contains the phonetic last name of the person.
ms-DS-Phonetic-Department
Contains the phonetic department name where the person works.
ms-DS-Phonetic-Company-Name
Contains the phonetic company name where the person works.
ms-DS-Phonetic-Display-Name
The phonetic display name of an object. In the absence of a phonetic display name the existing display name is used.
ms-DS-HAB-Seniority-Index
Contains the seniority index as applied by the organization where the person works.
ms-DS-Promotion-Settings
For a Computer, contains an XML string to be used for delegated DSA promotion
ms-DS-SiteName
For a Directory instance (DSA), Identifies the site name that contains the DSA
ms-DS-Supported-Encryption-Types
The
encryption algorithms supported by user, computer or trust accounts.
The KDC uses this information while generating a service ticket for
this account. Services/Computers may automatically update this
attribute on their respective accounts in Active Directory, and
therefore need write access to this attribute.
ms-DS-Principal-Name
Account name for the security principal (constructed).
ms-DS-NC-RO-Replica-Locations
A
linked attribute on a cross ref object for a partition. This attribute
lists the DSA instances which should host the partition in a read-only
manner.
ms-DS-NC-RO-Replica-Locations-BL
Back link attribute for ms-DS-NC-RO-Replica-Locations
ms-DS-User-Password-Expiry-Time-Computed
Contains the expiry time for the user's current password
ms-DS-KrbTgt-Link
For
a computer, Identifies the user object (krbtgt), acting as the domain
or secondary domain master secret. Depends on which domain or secondary
domain the computer resides in.
ms-DS-Revealed-Users
For a Directory instance (DSA), Identifies the user objects whose secrets have been disclosed to that instance
ms-DS-Has-Full-Replica-NCs
For a Directory instance (DSA), identifies the partitions held as full replicas
ms-DS-Never-Reveal-Group
For
a Directory instance (DSA), identifies the security group whose users
will never have their secrets disclosed to that instance
ms-DS-Reveal-OnDemand-Group
For a Directory instance (DSA), identifies the security group whose users may have their secrets disclosed to that instance
ms-DS-Secondary-KrbTgt-Number
For
a user object (krbtgt), acting as a secondary domain master secret,
identifies the protocol identification number associated with the
secondary domain.
ms-DS-Revealed-DSAs
Back link for ms-DS-Revealed-Users; for a user, identifies which Directory instances (DSA) hold that user's secret
ms-DS-KrbTgt-Link-BL
Back
link for ms-DS-KrbTgt-Link; for a user object (krbtgt) acting as a
domain or secondary domain master secret, identifies which computers
are in that domain or secondary domain
ms-DS-Is-Full-Replica-For
Back
link for ms-Ds-Has-Full-Replica-NCs; for a partition root object,
identifies which Directory instances (DSA) hold that partition as a
full replica
ms-DS-Is-Domain-For
Back link
for ms-DS-Has-Domain-NCs; for a partition root object, identifies which
Directory instances (DSA) hold that partition as their primary domain
ms-DS-Is-Partial-Replica-For
Back
link for has-Partial-Replica-NCs; for a partition root object,
identifies which Directory instances (DSA) hold that partition as a
partial replica
ms-DS-Is-User-Cachable-At-Rodc
For a Read-only (RO) directory Instance (DSA) identifies whether the specified user's secrets are cacheable
ms-DS-Revealed-List
For a Directory instance (DSA), Identifies the user objects whose secrets have been disclosed to that instance
ms-DS-Revealed-List-BL
Back link attribute for ms-DS-Revealed-List.
ms-DS-Last-Successful-Interactive-Logon-Time
The time that the correct password was presented during a C-A-D logon.
ms-DS-Last-Failed-Interactive-Logon-Time
The time that an incorrect password was presented during a C-A-D logon.
ms-DS-Failed-Interactive-Logon-Count
The total number of failed interactive logons since this feature was turned on.
ms-DS-Failed-Interactive-Logon-Count-At-Last-Successful-Logon
The total number of failed interactive logons up until the last successful C-A-D logon.
ms-DFSR-Priority
Priority level
ms-DFSR-DeletedPath
Full path of the Deleted directory
ms-DFSR-DeletedSizeInMb
Size of the Deleted directory in MB
ms-DFSR-ReadOnly
Specify whether the content is read-only or read-write
ms-DFSR-CachePolicy
On-demand cache policy options
ms-DFSR-MinDurationCacheInMin
Minimum time in minutes before truncating files
ms-DFSR-MaxAgeInCacheInMin
Maximum time in minutes to keep files in full form
ms-FVE-RecoveryPassword
This attribute contains the password required to recover a Full Volume
ms-FVE-VolumeGuid
This attribute contains the GUID that is associated with the BitLocker-supported volume
ms-FVE-KeyPackage
This attribute contains a volume's BitLocker encryption key, secured by the corresponding password.
ms-FVE-RecoveryGuid
This attribute contains the GUID associated with a Full Volume Encryption (FVE) recovery password.
ms-TPM-OwnerInformation
This attribute contains the owner information for a particular TPM.
ms-net-ieee-80211-GP-PolicyGUID
This attribute contains a GUID which identifies a specific 802.11 group policy object on the domain.
ms-net-ieee-80211-GP-PolicyData
This attribute contains all of the settings and data which comprise a group policy configuration for 802.11 wireless networks.
ms-net-ieee-80211-GP-PolicyReserved
Reserved for future use
ms-net-ieee-8023-GP-PolicyGUID
This attribute contains a GUID which identifies a specific 802.3 group policy object on the domain.
ms-net-ieee-8023-GP-PolicyData
This attribute contains all of the settings and data which comprise a group policy configuration for 802.3 wired networks.
ms-net-ieee-8023-GP-PolicyReserved
Reserved for future use
ms-PKI-RoamingTimeStamp
Time stamp for last change to roaming tokens
ms-PKI-DPAPIMasterKeys
Storage of encrypted DPAPI Master Keys for user
ms-PKI-AccountCredentials
Storage of encrypted user credential token blobs for roaming
ms-RADIUS-FramedInterfaceId
This Attribute indicates the IPv6 interface identifier to be configured for the user.
ms-RADIUS-SavedFramedInterfaceId
This Attribute indicates the IPv6 interface identifier to be configured for the user.
ms-RADIUS-FramedIpv6Prefix
This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user.
ms-RADIUS-SavedFramedIpv6Prefix
This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user.
ms-RADIUS-FramedIpv6Route
This Attribute provides routing information to be configured for the user on the NAS.
ms-RADIUS-SavedFramedIpv6Route
This Attribute provides routing information to be configured for the user on the NAS.
SAM-Domain-Updates
Contains a bitmask of performed SAM operations on Active Directory
ms-TS-Profile-Path
Terminal Services Profile Path specifies a roaming or mandatory profile path to
use when the user logs on to the Terminal Server. The profile path is
in the following network path format: \\servername\profiles folder name\username
ms-TS-Home-Directory
Terminal
Services Home Directory specifies the Home directory for the user. Each
user on a Terminal Server has a unique home directory. This ensures
that application information is stored separately for each user in a
multi-user environment. To set a home directory on the local computer,
specify a local path; for example, C:\Path. To set a home directory in
a network environment, you must first set the TerminalServicesHomeDrive
property, and then set this property to a UNC path.
ms-TS-Home-Drive
Terminal
Services Home Drive specifies a Home drive for the user. In a network
environment, this property is a string containing a drive specification
(a drive letter followed by a colon) to which the UNC path specified in
the TerminalServicesHomeDirectory property is mapped. To set a home
directory in a network environment, you must first set this property
and then set the TerminalServicesHomeDirectory property.
ms-TS-Allow-Logon
Terminal
Services Allow Logon specifies whether the user is allowed to log on to
the Terminal Server. The value is 1 if logon is allowed and 0 if logon
is not allowed.
ms-TS-Remote-Control
Terminal Services Remote Control specifies whether to allow remote
observation or remote control of the user's Terminal Services session.
For a description of these values, see the RemoteControl method of the
Win32_TSRemoteControlSetting WMI class.
0 - Disable
1 - EnableInputNotify
2 - EnableInputNoNotify
3 - EnableNoInputNotify
4 - EnableNoInputNoNotify
ms-TS-Max-Disconnection-Time
Terminal Services Session Maximum Disconnection Time is the maximum amount of time,
in minutes, that a disconnected Terminal Services session remains
active on the Terminal Server. After the specified number of minutes
has elapsed, the session is terminated.
ms-TS-Max-Connection-Time
Terminal Services Session Maximum Connection Time is the maximum duration, in
minutes, of the Terminal Services session. After the specified number
of minutes has elapsed, the session can be disconnected or terminated.
ms-TS-Max-Idle-Time
Terminal Services Session Maximum Idle Time is the maximum amount of time, in
minutes, that the Terminal Services session can remain idle. After the
specified number of minutes has elapsed, the session can be
disconnected or terminated.
ms-TS-Reconnection-Action
Terminal
Services Session Reconnection Action specifies whether to allow
reconnection to a disconnected Terminal Services session from any
client computer. The value is 1 if reconnection is allowed from the
original client computer only and 0 if reconnection from any client
computer is allowed.
ms-TS-Broken-Connection-Action
Terminal
Services Session Broken Connection Action specifies the action to take
when a Terminal Services session limit is reached. The value is 1 if
the client session should be terminated and 0 if the client session
should be disconnected.
ms-TS-Connect-Client-Drives
Terminal
Services Session Connect Client Drives At Logon specifies whether to
reconnect to mapped client drives at logon. The value is 1 if
reconnection is enabled and 0 if reconnection is disabled.
ms-TS-Connect-Printer-Drives
Terminal
Services Session Connect Printer Drives At Logon specifies whether to
reconnect to mapped client printers at logon. The value is 1 if
reconnection is enabled and 0 if reconnection is disabled.
ms-TS-Default-To-Main-Printer
Terminal
Services Default To Main Printer specifies whether to print
automatically to the client's default printer. The value is 1 if
printing to the client's default printer is enabled and 0 if it is
disabled.
ms-TS-Work-Directory
Terminal
Services Session Work Directory specifies the working directory path
for the user. To set an initial application to start when the user logs
on to the Terminal Server, you must first set the
TerminalServicesInitialProgram property, and then set this property.
ms-TS-Initial-Program
Terminal
Services Session Initial Program specifies the Path and file name of
the application that the user wants to start automatically when the
user logs on to the Terminal Server. To set an initial application to
start when the user logs on, you must first set this property and then
set the TerminalServicesWorkDirectory property. If you set only the
TerminalServicesInitialProgram property, the application starts in the
user's session in the default user directory.
MS-TS-Property01
Placeholder Terminal Server Property
MS-TS-Property02
Placeholder Terminal Server Property
MS-TS-ExpireDate
TS Expiration Date
MS-TS-ExpireDate2
Expiration date of the second TS per user CAL.
MS-TS-ExpireDate3
Expiration date of the third TS per user CAL.
MS-TS-ExpireDate4
Expiration date of the third TS per user CAL.
MS-TS-LicenseVersion
TS License Version
MS-TS-LicenseVersion2
Version of the second TS per user CAL.
MS-TS-LicenseVersion3
Version of the third TS per user CAL
MS-TS-LicenseVersion4
Version of the fourth TS per user CAL.
MS-TS-ManagingLS
TS Managing License Server
MS-TS-ManagingLS2
Issuer name of the second TS per user CAL.
MS-TS-ManagingLS3
Issuer name of the third TS per user CAL.
MS-TS-ManagingLS4
Issuer name of the fourth TS per user CAL.
MS-TSLS-Property01
Placeholder Terminal Server Property 01
MS-TSLS-Property02
Placeholder Terminal Server Property 01
ms-DFSR-DisablePacketPrivacy
Disable packet privacy on a connection
ms-DFSR-DefaultCompressionExclusionFilter
Filter string containing extensions of file types not to be compressed
ms-DFSR-OnDemandExclusionFileFilter
Filter string applied to on demand replication files
ms-DFSR-OnDemandExclusionDirectoryFilter
Filter string applied to on demand replication directories
ms-DFSR-Options2
Object Options2
ms-DFSR-CommonStagingPath
Full path of the common staging directory
ms-DFSR-CommonStagingSizeInMb
Size of the common staging directory in MB
ms-DFSR-StagingCleanupTriggerInPercent
Staging cleanup trigger in percent of free disk space
Posted by Winzero IT Hero at 4:23 PM
Labels: Attributes, Windows 2008, Windows 2008 attributes
Saturday, February 23, 2008
New Classes in Windows 2008
ms-DS-Password-Settings
ms-DS-Password-Settings-Container
NTDS-DSA-RO
ms-net-ieee-80211-GroupPolicy
ms-net-ieee-8023-GroupPolicy
ms-FVE-RecoveryInformation
New Inclusions in the GC for Windows 2008
Last-Logon-Timestamp
This is the time that the user last logged into the domain. Whenever a user
logs on, the value of this attribute is read from the DC. If the value
is older than [current_time - msDS-LogonTimeSyncInterval], the value is
updated. The initial update after the raise of the domain functional
level is calculated as 14 days minus a random percentage of 5 days.
MS-DRM-Identity-Certificate
The XrML digital rights management certificates for this user.
ms-DS-Phonetic-First-Name
Contains the phonetic given name or first name of the person
ms-DS-Phonetic-Last-Name
Contains the phonetic last name of the person.
ms-DS-Phonetic-Department
Contains the phonetic department name where the person works
ms-DS-Phonetic-Company-Name
Contains the phonetic company name where the person works.
ms-DS-Phonetic-Display-Name
The phonetic display name of an object. In the absence of a phonetic display name the existing display name is used.
ms-DS-HAB-Seniority-Index
Contains the seniority index as applied by the organization where the person works.
ms-FVE-VolumeGuid
This attribute contains the GUID that is associated with the BitLocker-supported volume.
ms-FVE-RecoveryGuid
This attribute contains the GUID associated with a Full Volume Encryption (FVE) recovery password.
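Because Last-Logon-Timestamp is only rewritten when the stored value is older than the sync interval, the stored value can trail the real last logon by up to that interval, which matters when the attribute is used to find inactive accounts. The following is an added example, not part of the original post; the function name, the 90-day threshold, the 14-day interval and the sample accounts are assumptions made for illustration.

```powershell
# Added example: classify accounts by Last-Logon-Timestamp while allowing for
# the update lag described above. All names and sample values are constructed.
function Get-LogonStaleness {
    param(
        $LastLogonTimestamp,                  # raw value: FILETIME, 100 ns ticks since 1601-01-01 UTC
        [datetime]$Now = [datetime]::UtcNow,
        [int]$InactiveDays = 90,              # assumed policy threshold
        [int]$SyncIntervalDays = 14           # assumed msDS-LogonTimeSyncInterval, in days
    )

    # An unset or zero value means no logon has been recorded in this attribute.
    if ($null -eq $LastLogonTimestamp -or [int64]$LastLogonTimestamp -le 0) {
        return 'NoLogonRecorded'
    }

    $stamp   = [datetime]::FromFileTimeUtc([int64]$LastLogonTimestamp)
    $ageDays = ($Now.ToUniversalTime() - $stamp).TotalDays

    # The real last logon is never earlier than the stamp, so a young stamp
    # proves recent activity.
    if ($ageDays -lt $InactiveDays) { return 'Active' }

    # A logon within one sync interval after the stamp would not have rewritten
    # it, so inactivity is only certain once the stamp is older than
    # threshold + interval.
    if (($ageDays - $SyncIntervalDays) -ge $InactiveDays) { return 'Inactive' }

    return 'Indeterminate'
}

# Constructed sample data: a fixed "now" and four made-up accounts.
$now = [datetime]::new(2008, 2, 23, 0, 0, 0, [System.DateTimeKind]::Utc)
$accounts = @(
    [pscustomobject]@{ Name = 'alice';   LastLogonTimestamp = $now.AddDays(-10).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'bob';     LastLogonTimestamp = $now.AddDays(-95).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'svc-old'; LastLogonTimestamp = $now.AddDays(-200).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'newhire'; LastLogonTimestamp = 0 }
)

$accounts | Select-Object Name,
    @{ n = 'LastLogonUtc'; e = {
        if ($_.LastLogonTimestamp -gt 0) { [datetime]::FromFileTimeUtc($_.LastLogonTimestamp) }
    } },
    @{ n = 'State'; e = {
        Get-LogonStaleness -LastLogonTimestamp $_.LastLogonTimestamp -Now $now
    } }
```

Accounts reported as Indeterminate fall inside the lag window; confirming them requires the non-replicated per-DC logon time rather than this attribute.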
Posted by Winzero IT Hero at 9:51 AM
Labels: Classes, Global Catalogue, Windows 2008
Friday, November 30, 2007
Tuesday, November 13, 2007
How to Change System Only Attributes
Using ADSearch allows you to extract object properties; however, not
all properties of an object are changeable. If you need to change Active
Directory object properties that are set as system-only, there is a
registry setting that will allow you to set these properties.
I strongly recommend caution when changing system only properties.
Adding the following registry value on the PDC Emulator or FSMO DC allows you to change system-only attributes.
Key: HKEY_LOCAL_MACHINE
Path: System\CurrentControlSet\Services\NTDS\Parameters
Value name: Allow System Only Change
Data type: REG_DWORD
Value data: 1
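To check where this value is currently set, the following added example (not part of the original post) reads it on the local machine or on a list of domain controllers. `Get-SystemOnlyChangeState` is a hypothetical helper name, remote hosts are reached through PowerShell remoting, and treating a missing value or a value of 0 as "off" is an assumption.

```powershell
# Added example: report whether "Allow System Only Change" is set on each host.
$NtdsParams = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'Allow System Only Change'

function Get-SystemOnlyChangeState {
    param(
        # Hosts to inspect; defaults to the machine the script runs on.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Returns the value data, or nothing when the key or value does not exist.
    $probe = {
        param($Path, $Name)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name }
    }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $data = & $probe $NtdsParams $ValueName
            } else {
                $data = Invoke-Command -ComputerName $computer -ScriptBlock $probe `
                            -ArgumentList $NtdsParams, $ValueName -ErrorAction Stop
            }
            [pscustomobject]@{
                ComputerName            = $computer
                ValuePresent            = ($null -ne $data)
                Data                    = $data
                # Assumption: any non-zero data enables the behaviour.
                SystemOnlyChangeAllowed = ($null -ne $data -and [int]$data -ne 0)
                Error                   = $null
            }
        } catch {
            # Unreachable host or access denied: report it instead of guessing.
            [pscustomobject]@{
                ComputerName            = $computer
                ValuePresent            = $null
                Data                    = $null
                SystemOnlyChangeAllowed = $null
                Error                   = $_.Exception.Message
            }
        }
    }
}

# Local check; pass -ComputerName with your own DC names to audit several hosts.
Get-SystemOnlyChangeState | Format-Table -AutoSize

# To turn the setting back off on a host once the change is done:
# Remove-ItemProperty -Path $NtdsParams -Name $ValueName
```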
Posted by Winzero IT Hero at 6:31 PM
Labels: System only