- After Windows Server 2003 SP1 is installed and after Active Directory performs a read access check, Active Directory checks for confidential attributes. If confidential attributes exist and if READ_PROPERTY permissions are set for these attributes, Active Directory will also require CONTROL_ACCESS permissions for the attributes or for their property sets.
Grant write permission on the attribute type that is used in the old RDN, if you want to grant the right to delete the old RDN.

Furthermore, visual representations like the one above help us fully grasp the concept of Server Attribute Permissions.
- If the value is 1, Authz uses AD LDAP and standalone server SAM queries. Close Registry Editor. ... UseGroupRecursion isn't effective if you use the AUTHZ_REQUIRE_S4U_LOGON flag when you create the Authz context. The application user has to have Read permissions for the TokenGroups attribute and for the domain-local groups of the resource domain.

- Instead of jumping between ADUC, PowerShell, file servers, and spreadsheets, you get a single console that handles everything end to end. ... Groups define access. Templates keep them consistent. You can enforce naming patterns, scopes, default members, and pre-filled attributes that prevent permission sprawl.

- To manage a target server, the connecting user must use credentials (either through their passed-through Windows credential or through credentials provided in the Windows Admin Center session using the Manage as action) that have administrative access to that target server. This is because most Windows Admin Center tools require administrative permissions to use.