This article applies to BHCE and BHE

Extended rights are special rights granted on objects which allow reading of privileged attributes, as well as performing special actions.

Abuse Info

Having this privilege over a user grants the ability to reset the user's password. For more information, see the ForceChangePassword edge section.

Having this privilege over a computer object lets you perform resource-based constrained delegation. For more information, see the GenericAll edge section.

The AllExtendedRights privilege grants both the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges, which combined allow a principal to replicate objects from the domain. This can be abused using the lsadump::dcsync command in mimikatz.
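Because a single ACE granting ExtendedRight with an empty object type covers every extended right at once, defenders auditing for replication-capable principals have to look for the blanket grant as well as the two named replication rights. The following PowerShell audit function is an added example, not code from the BloodHound project; it walks the ACL of a directory object (the domain head by default) and reports every principal holding DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, User-Force-Change-Password, or the blanket AllExtendedRights grant, so it also covers the user-object case described above. It assumes the ActiveDirectory RSAT module on a domain-joined host; the rightsGuid values are the well-known schema constants, and the baseline list of expected principals is an assumption to be tuned per environment.

```powershell
# Added example (not part of the BloodHound documentation).
# Audits which principals hold replication / password-reset extended rights on an AD object.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Well-known rightsGuid values from the AD schema (Extended-Rights container).
$RightNames = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '00000000-0000-0000-0000-000000000000' = 'AllExtendedRights (empty ObjectType, implies every extended right)'
}

# Assumed baseline: principals you expect to see holding replication rights on the domain head.
# Tune this for your forest (e.g. add a legitimate directory-sync service account).
$ExpectedPrincipals = @(
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM'
)

function Get-ExtendedRightHolders {
    [CmdletBinding()]
    param(
        # Defaults to the domain naming context, where the replication rights matter for DCSync.
        [string]$DistinguishedName = (Get-ADDomain).DistinguishedName
    )

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    foreach ($ace in $acl.Access) {
        # Only Allow ACEs that include the ExtendedRight bit matter here.
        # Note: GenericAll also contains the ExtendedRight bit, so a GenericAll ACE with an
        # empty ObjectType is reported as AllExtendedRights, which is the correct conclusion.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }

        $guid = $ace.ObjectType.ToString().ToLowerInvariant()
        if (-not $RightNames.ContainsKey($guid)) { continue }

        $principal = $ace.IdentityReference.Value
        [pscustomobject]@{
            Object     = $DistinguishedName
            Principal  = $principal
            Right      = $RightNames[$guid]
            Inherited  = $ace.IsInherited
            Unexpected = ($ExpectedPrincipals -notcontains $principal) -and
                         ($principal -notlike '*\Domain Controllers') -and
                         ($principal -notlike '*\Enterprise Read-only Domain Controllers')
        }
    }
}

# Usage: list replication-capable principals on the domain head and highlight anything off-baseline.
Get-ExtendedRightHolders |
    Sort-Object Unexpected, Principal -Descending |
    Format-Table Principal, Right, Inherited, Unexpected -AutoSize

# The same function audits a single user or computer object (constructed DN, replace with a real one):
# Get-ExtendedRightHolders -DistinguishedName 'CN=svc-backup,OU=Service Accounts,DC=corp,DC=example'
```

Rows marked Unexpected are the ones to investigate: on the domain head they correspond directly to the DCSync capability this edge represents, and on a user object an unexpected AllExtendedRights or User-Force-Change-Password holder is the ForceChangePassword path. Enterprise Read-only Domain Controllers legitimately hold only DS-Replication-Get-Changes, so a row showing them with Get-Changes-All is itself worth a second look.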

Opsec Considerations

This will depend on the actual attack performed. See the particular opsec considerations sections for the ForceChangePassword, AddMembers, and GenericAll edges for more info.