Managing AD LDS objects
The application and configuration partitions found in the managed AD LDS instances are grouped together in a top-level container, thus making it easy to locate the AD LDS data. Each partition is represented by a separate container (node) so you can browse the partition tree the same way you do for an Active Directory domain.
The Active Roles console supports a wide range of administrative operations on AD LDS users, groups and other objects, so you can create, view, modify, and delete directory objects, such as users, groups and organizational units, in the managed AD LDS instances the same way you do for directory objects in Active Directory domains.
To browse the directory tree and manage AD LDS objects
- In the console tree under the console tree root, double-click the AD LDS (ADAM) container.
- In the console tree under AD LDS (ADAM), double-click a directory partition object to view its top-level containers.
- In the console tree, double-click a top-level container to view the next level of objects in that container.
- Do one of the following:
- To move down a directory tree branch, continue double-clicking the next lowest container level in the console tree.
- To administer a directory object at the current directory level, right-click the directory object in the details pane and use commands on the shortcut menu.
In the AD LDS (ADAM) container, each directory partition is identified by a label that is composed of the name of the partition, the DNS name of the computer running the AD LDS instance that hosts the partition, and the number of the LDAP port in use by the instance.
Normally, the console only displays the application directory partitions. To view the configuration partition, switch into Raw view mode: select View | Mode, click Raw Mode, and then click OK.
You can only perform the data management tasks to which you are assigned in Active Roles. Thus, you are only shown the commands you are authorized to use and the objects you are authorized to view or modify.
In addition to access control, Active Roles provides for policy enforcement on directory data. Policies may restrict access to certain portions of directory objects, causing data entry to be limited with choice constraints, auto-generating data without the ability to modify the data, or requiring data entry. The console provides a visual indication of the data entries that are controlled by policies: the labels of such data entries are underlined on the dialog boxes so that the user can examine policy constraints by clicking a label.
Adding an AD LDS user to the directory
To enable the creation of users in AD LDS, the administrator should first import the optional definitions of user object classes that are provided with AD LDS. These definitions are provided in importable .ldf files (ms-User.ldf, ms-InetOrgPerson.ldf, ms-UserProxy.ldf), which can be found on the computer running the AD LDS instance. Alternatively, the software designers can extend the AD LDS schema with their custom definitions of AD LDS user object classes. Details on how to extend the AD LDS schema can be found in Microsoft’s documentation that comes with AD LDS.
To add an AD LDS user to the directory
- In the console tree, under AD LDS (ADAM), right-click the container to which you want to add the user, and then select New | User to start the wizard that will help you perform the user creation task.
- Follow the instructions on the wizard pages to set values for user properties.
- If you want to set values for additional properties (those for which the wizard pages do not provide data entries), click Edit Attributes on the completion page of the wizard.
- After setting any additional properties for the new user, click Finish on the completion page of the wizard.
By default, an AD LDS user is enabled when the user is created. However, if you assign a new AD LDS user an inappropriate password or leave the password blank, the newly created AD LDS user account may be disabled. Thus, an AD LDS instance running on Windows Server 2003 automatically enforces any local or domain password policies that exist. If you create a new AD LDS user, and if you assign a password to that user that does not meet the requirements of the password policy that is in effect, the newly created user account will be disabled. Before you can enable the user account, you must set a password for it that meets the password policy restrictions. The instructions on how to set the password for an AD LDS user and how to enable an AD LDS user are given later in this section.
Adding an AD LDS group to the directory
AD LDS provides default groups, which reside in the Roles container of each directory partition in AD LDS. You can create additional AD LDS groups as necessary. New groups can be created in any container.
To add an AD LDS group to the directory
- In the console tree, under AD LDS (ADAM), right-click the container to which you want to add the group, and then select New | Group to start the wizard that will help you perform the group creation task.
- Follow the instructions on the wizard pages to set values for group properties.
- If you want to set values for additional properties (those for which the wizard pages do not provide data entries), click Edit Attributes on the completion page of the wizard.
- After setting any additional properties for the new group, click Finish on the completion page of the wizard.
You can add both AD LDS users and Windows users to the AD LDS groups that you create. For instructions, see the sub-section that follows.
Adding or removing members from an AD LDS group
When adding members to an AD LDS group, you can add security principals that reside in AD LDS instances or in Active Directory domains. Examples of security principals are AD LDS users, and Active Directory domain users and groups.
- To add or remove members to or from an AD LDS group
- In the console tree, under AD LDS (ADAM), locate and select the container that holds the group.
- In the details pane, right-click the group, and click Properties.
- On the Members tab in the Properties dialog box, click Add.
- Use the Select Objects dialog box to locate and select the security principals that you want to add to the group. When finished, click OK.
- On the Members tab, select the group members that you want to remove from the group, and then click Remove.
- After making the changes that you want to the group, click OK to close the Properties dialog box.
When using the Select Objects dialog box to locate a security principal, you first need to specify the AD LDS directory partition or Active Directory domain in which the security principal resides: click Browse and select the appropriate partition or domain.
It is only possible to select security principals that reside in managed AD LDS instances or Active Directory domains; that is, you can select security principals from only the instances and domains that are registered with Active Roles.