While exploring ACLs on user objects in Windows 2000 Active Directory (AD), I noticed a special subject called SELF. What is this subject, and what exactly is its purpose?

SELF is specific to AD—you won't find this subject in ACLs for objects outside AD (e.g., files, folders). SELF is a placeholder for the principal that the object represents: when Windows evaluates an ACE whose subject is SELF on a user object, it treats the ACE as if it named that user's own account. SELF therefore lets you control what users can do to their own accounts. SELF comes in handy because you can use it to define—at the organizational unit (OU) level—which operations your users can perform on themselves; you don't need to edit each user object's ACL.

Child objects (e.g., user accounts) in an OU inherit the permissions that you set on the OU. Therefore, if you want to let all users in an OU perform certain operations on their own accounts, you can create an OU-level access control entry (ACE) for which the subject is SELF and the Apply onto field is User objects. For example, if you want users in the SalesReps OU to be responsible for keeping their phone numbers and email addresses up to date, you can add an ACE to the SalesReps OU that grants all its members SELF Write access to Phone and Mail options, as Figure 2 shows.
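As an added illustration (not code from the original column), the same OU-level ACE built with today's ActiveDirectory PowerShell module rather than the Windows 2000 GUI. The OU distinguished name is a placeholder, and the example grants Write Property on the individual telephoneNumber and mail attributes instead of the GUI's Phone and Mail Options property set.

```powershell
# Added example: grant SELF write access to telephoneNumber and mail on
# every user object under the SalesReps OU, inherited from the OU itself.
Import-Module ActiveDirectory

$ouDN = 'OU=SalesReps,DC=example,DC=com'   # placeholder; use your own OU DN

# Look schemaIDGUIDs up at run time instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC `
               -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
               -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# "Apply onto: User objects" = inherited object type is the user class.
$userClassGuid = Get-SchemaGuid 'user'

# The SELF subject is the well-known SID S-1-5-10 (Principal Self).
$self = New-Object System.Security.Principal.SecurityIdentifier(
            [System.Security.Principal.WellKnownSidType]::SelfSid, $null)

$acl = Get-Acl -Path "AD:\$ouDN"

foreach ($attr in 'telephoneNumber', 'mail') {
    # Allow WriteProperty on this one attribute, applied to descendant
    # user objects only (the OU itself gets nothing).
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Audit step: show which SELF ACEs the OU now carries, so an unexpectedly
# broad grant (e.g. GenericAll to SELF) stands out during review.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The final query is the useful half for a defender: run it against any OU to see exactly which attributes users may change on their own accounts.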