Active Directory's security model secures and protects every object stored in Active Directory, including domain user accounts, domain computer accounts, domain security groups and group policies. In the Active Directory security model, permissions specify, govern and control the ability of a security principal to perform a technical operation on the Active Directory object they serve to protect.
While standard operations on objects stored in and protected by Active Directory are governed by standard Active Directory permissions, certain operations have special significance and require special or extended permissions for their authorization. These special or extended permissions govern the ability of a user to perform specific Active Directory operations, or Active Directory-based identity and access management operations, and are often referred to as Active Directory extended rights.
In addition, Active Directory Property Sets refer to a group of related properties (attributes) for which access control can be collectively specified in a single ACE. The ability to collectively specify access on a related set of properties simplifies access specification and management.
While standard Active Directory permissions govern standard operations on objects stored in and protected by Active Directory, certain operations require additional validation before being committed, above and beyond basic schema-based structure enforcement validation. Active Directory Validated Writes represent a special type of permission that facilitates pre-commit validation during write attempts to certain properties on certain Active Directory objects.
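The following is an added example, not part of the original text, showing how an ACL review script can tell the three categories above apart: in an ACE, the access-mask bit decides whether the object GUID names an extended right (control access, SDDL `CR`), a validated write (self write, `SW`) or a property set or attribute (`RP`/`WP`). The SDDL string and SIDs are constructed, the function names are hypothetical, and the three GUIDs are the `rightsGuid` values of the corresponding schema entries.

```python
import re

# rightsGuid values of three controlAccessRight objects in the AD schema.
KNOWN_GUIDS = {
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
    "77b5b886-944a-11d1-aebd-0000f80367c1": "Personal-Information",
    "f3a64788-5306-11d1-a9c5-0000f80367c1": "Validated-SPN",
}
# Access-mask bits that change how the ACE's object GUID is interpreted.
MASK = {"CR": 0x100, "SW": 0x8, "RP": 0x10, "WP": 0x20}

def classify_ace(ace):
    """Classify one SDDL ACE body 'type;flags;rights;guid;inherit_guid;sid'."""
    fields = ace.split(";")
    if len(fields) < 6:
        raise ValueError("malformed ACE: " + ace)
    _type, _flags, rights, guid, _inherit, trustee = fields[:6]
    if rights.lower().startswith("0x"):           # numeric mask form
        bits = int(rights, 16)
        codes = {c for c, v in MASK.items() if bits & v}
    else:
        # Split into two-letter codes; a substring test would see a false
        # "CR" inside "LCRPLO" (LC + RP + LO).
        codes = set(re.findall("..", rights))
    # Empty GUID means the ACE applies to every right/property of that kind.
    target = KNOWN_GUIDS.get(guid.lower(), guid.lower()) if guid else "(all)"
    if "CR" in codes:
        kind = "extended right"
    elif "SW" in codes:
        kind = "validated write"
    elif codes & {"RP", "WP"}:
        kind = "property set or attribute"
    else:
        kind, target = "standard permission", "(object)"
    return kind, target, trustee

def classify_sddl(sddl):
    """Classify every ACE found in an SDDL security descriptor string."""
    return [classify_ace(a) for a in re.findall(r"\(([^()]*)\)", sddl)]

# Constructed sample DACL (SIDs are made up for illustration).
SAMPLE_SDDL = (
    "D:(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1111-2222-3333-1104)"
    "(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)"
    "(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)"
    "(A;;CR;;;S-1-5-21-1111-2222-3333-1105)"
    "(A;;LCRPLO;;;AU)"
)

if __name__ == "__main__":
    for row in classify_sddl(SAMPLE_SDDL):
        print("%-26s %-28s %s" % row)
```

The fourth ACE is the one a reviewer should look at first: `CR` with no object GUID grants every extended right on the object to that trustee.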