The provisioning directory OOTB is configured with no access controls: if you can BIND, you can modify anything. The only accounts available with access are the built-in accounts used by the Provisioning components (Servers) to update the Directory.
However it is useful to use other (shared) accounts to access the Provisioning Directory:
- - Do NOT use the built-in accounts
- - Use shared accounts whose password can be changed
- - Use a read-only account for investigation
- - Only use an account with modify access when appropriate
ATTACHED: a document explaining how to configure these