AdminTo
Full local admin on target computer. Execute code via SMB, WMI, or WinRM.CanRDP
Remote Desktop access to target computer.HasSession
Active user session on computer. If local admin on that host, dump credentials.MemberOf
User/group is member of target group. Inherits all rights granted to that group.GenericAll
Full control over target object. Reset password, add to group, modify attributes.GenericWrite
Write access to non-protected attributes. Abuse via SPN write or logon script.WriteOwner
Change owner of target object. Take ownership then grant full control.WriteDACL
Modify the DACL of target object. Grant self any right.ForceChangePassword
Change user password without knowing current password.AddMember
Add any principal to target group.AllExtendedRights
All extended rights on object: force-change password, read LAPS, read GMSA password. (Kerberoasting is unrelated — it only needs the target to have an SPN.)ReadLAPSPassword
Read LAPS local admin password fromms-Mcs-AdmPwd attribute.
ReadGMSAPassword
Read Group Managed Service Account password.GetChanges / GetChangesAll
Held together = DCSync rights. Dump domain hashes.AllowedToDelegate
Constrained Delegation. Impersonate any user to target service.AllowedToAct
Resource-Based Constrained Delegation (RBCD). Write tomsDS-AllowedToActOnBehalfOfOtherIdentity.
SQLAdmin
User has sysadmin rights on MSSQL instance.HasSIDHistory
Object has foreign SID insIDHistory. Can be abused for privilege escalation across trusts.