Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read the full disclaimer for more details.

Active Directory object permissions appear to duplicate other permissions in Windows Server 2003



Symptoms

On a Microsoft Windows Server 2003-based computer, when you use the ADSI Edit utility or use Active Directory Users and Computers to view special permissions for objects in the Active Directory directory service, you see permissions that appear to duplicate other permissions. The following permissions are listed in the Permissions list on the Properties tab of the Permission Entry for ObjectName dialog box:
Read name
Write name
Read Name
Write Name
The permissions that are listed differ only by the capitalization of one character in the name. The difference between the permissions is not clear.



Cause

The permissions that appear to duplicate other permissions represent permissions for different properties of an attribute. A permission with a lowercase "n" in its name applies to the relative distinguished name of the attribute. A permission with an uppercase "N" in its name applies to the common name (CN) of the attribute.



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



More information

The names of attributes that the Active Directory administrative tools display are determined by display specifiers. The display specifier defines the display name of the rdn property as "name" (without the quotation marks). The display specifier defines the display name of the cn property as "Name" (without the quotation marks).

Display specifiers are stored in locale-specific containers. The locale-specific containers are stored in the CN=DisplaySpecifiers container. The CN=DisplaySpecifiers container is stored in the Configuration container. If a display specifier is not available, the Active Directory administrative tools use the display name that is specified by the lDAPDisplayName property.
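The lookup described above can be modelled offline to show which attribute sits behind each near-identical permission label. This is an added example, not code from the article or from Microsoft. It assumes the display names are held in the display specifier's attributeDisplayNames values in "lDAPDisplayName,display name" form (that attribute is not named in the article); the sample values and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample values, not read from a directory. Assumed format:
# "lDAPDisplayName,display name", as held on a display specifier object in a
# locale-specific container under CN=DisplaySpecifiers in the Configuration container.
SAMPLE_SPECIFIER_VALUES = [
    "cn,Name",
    "name,name",
    "description,Description",
    "telephoneNumber,Telephone Number",
]


def parse_display_names(values):
    """Map lDAPDisplayName (case-insensitive) to its display name."""
    mapping = {}
    for value in values:
        # Split on the first comma only; a display name may contain commas.
        ldap_name, sep, display = value.partition(",")
        if sep and ldap_name.strip() and display.strip():
            mapping[ldap_name.strip().casefold()] = display.strip()
    return mapping


def display_name_for(ldap_name, mapping):
    """Use the specifier's display name, else fall back to lDAPDisplayName."""
    return mapping.get(ldap_name.casefold(), ldap_name)


def case_only_collisions(ldap_names, mapping):
    """Group attributes whose displayed names differ only by letter case."""
    groups = defaultdict(dict)
    for ldap_name in ldap_names:
        shown = display_name_for(ldap_name, mapping)
        groups[shown.casefold()][ldap_name] = shown
    return {key: attrs for key, attrs in groups.items() if len(attrs) > 1}


def permission_labels(ldap_name, mapping):
    """Permission labels as displayed, tagged with the underlying attribute."""
    shown = display_name_for(ldap_name, mapping)
    return [f"{verb} {shown} [{ldap_name}]" for verb in ("Read", "Write")]
```

When reviewing an access control entry, the bracketed lDAPDisplayName removes the ambiguity that the displayed label leaves.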

For more information about display specifiers, visit the following Microsoft Web site:



Keywords: KB884117, kbtshoot, kbbug, kbpending, kbprb, kbactivedirectory, kbwinservds


Article Info
Article ID : 884117
Revision : 4
Created on : 2/7/2007
Published on : 2/7/2007
Exists online : False