When adding members to an AD LDS group, you can add security principals that reside in AD LDS instances or in Active Directory domains. Examples of security principals are AD LDS users, and Active Directory domain users and groups.
When using the Select Objects dialog box to locate a security principal, you first need to specify the AD LDS directory partition or Active Directory domain in which the security principal resides: click Browse and select the appropriate partition or domain.
It is only possible to select security principals that reside in managed AD LDS instances or Active Directory domains; that is, you can select security principals from only the instances and domains that are registered with Active Roles.
To disable or enable an AD LDS user account
If the AD LDS user whose account you want to disable is currently logged on to the AD LDS instance, that user must log off for the new setting to take effect.
Normally, an AD LDS user is enabled when the user is created. However, if the password of a new AD LDS user does not meet the requirements of the password policy that is in effect, the newly created user account will be disabled. Before you can enable the user account, you must set a password for it that meets the password policy restrictions. For instructions, see the sub-section that follows.
Each AD LDS security principal, such as an AD LDS user, must be assigned an account and password, which AD LDS uses for authentication. You can use the Active Roles console to set or modify the password of an AD LDS user.
To set or modify the password of an AD LDS user
The AD LDS user for whom you set or modify the password must use the new password the next time that the user logs on to AD LDS.
By default, an AD LDS instance running on Windows Server 2003 or later automatically enforces any local or domain password policies that exist. If you set a password for an AD LDS user that does not meet the requirements of the password policy that is in effect, Active Roles returns an error.
To keep your AD LDS users and groups organized, you may want to place users and groups in organizational units (OUs). In AD LDS, as well as in Active Directory or other Lightweight Directory Access Protocol (LDAP)-based directories, OUs are the most commonly used method for keeping users and groups organized. To create an organizational unit in AD LDS, you can use the Active Roles console as follows.
To add an organizational unit to the directory
By default, OUs can only be added under OU (ou=), country/region (c=), organization (o=) or domain-DNS (dc=) object classes. For example, you can add an OU to o=Company,c=US but not to cn=Application,o=Company,c=US. However, the schema definition of the OU object class can be modified to allow other superiors.
You can move an existing AD LDS user or group to an organizational unit by using the Move command on that user or group in the Active Roles console, or by using the drag-and-drop feature of the console.