Share via


Step 6: Practice Managing Authorization

Applies To: Windows Server 2008

"Authorization" refers to the process of determining which users have access to which directory objects. In Active Directory Lightweight Directory Services (AD LDS), access control lists (ACLs) on each directory object determine which users have access to that object. By default, in AD LDS, only ACLs reside in the top-level object of each directory partition. All objects in a given directory partition inherit these ACLs. For more information about ACLs, see Access Control Lists (https://go.microsoft.com/fwlink/?LinkID=96544).

AD LDS authorization management tasks include the following:

  • View permissions

  • Grant permissions

  • Deny permissions

View permissions

You can view access control in AD LDS on an object-by-object basis by using the following:

  • View permissions with the dsacls command-line tool

  • View permissions with Ldp.exe

View permissions with the dsacls command-line tool

Membership in the AD LDS Readers group is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To view permissions on a directory object using dsacls

  1. Click Start, right-click Command Prompt, and then click Run as administrator.

  2. To list all the permissions that are currently set on the directory partition object, at the command prompt, type the following command, and then press ENTER:

    dsacls \\<servername>:<portnumber>\<object_dn>
    
    Parameter Description

    dsacls

    Displays or modifies permissions of AD DS and AD LDS objects.

    <servername>

    The name of the computer on which the AD LDS instance that holds the directory object is running.

    <portnumber>

    The communications port number on which the AD LDS instance communicates.

    <object_dn>

    The distinguished name of the directory object.

    For this exercise, type dsacls \\localhost:389\o=Microsoft,c=US, and then press ENTER.

    Your screen should contain output similar to the following:

    Access list:
    Effective Permissions on this object are:
    Allow CN=Instances,CN=Roles,CN=Configuration,CN={C98CA450-AC25-4BC1-AC3C-C3BEC88B335E}
                                          SPECIAL ACCESS
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          READ PROPERTY
                                          LIST OBJECT
    Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                          SPECIAL ACCESS
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          READ PROPERTY
                                          LIST OBJECT
    Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                          FULL CONTROL
    Allow CN=Instances,CN=Roles,CN=Configuration,CN={C98CA450-AC25-4BC1-AC3C-C3BEC88B335E}
                                          Replicating Directory Changes
    Allow CN=Instances,CN=Roles,CN=Configuration,CN={C98CA450-AC25-4BC1-AC3C-C3BEC88B335E}
                                          Replication Synchronization
    Allow CN=Instances,CN=Roles,CN=Configuration,CN={C98CA450-AC25-4BC1-AC3C-C3BEC88B335E}
                                          Manage Replication Topology
    Allow CN=Instances,CN=Roles,CN=Configuration,CN={C98CA450-AC25-4BC1-AC3C-C3BEC88B335E}
                                          Replicating Directory Changes All
    Permissions inherited to subobjects are:
    Inherited to all subobjects
    Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                          SPECIAL ACCESS
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          READ PROPERTY
                                          LIST OBJECT
    Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                          FULL CONTROL
    The command completed successfully
    

View permissions with Ldp.exe

Membership in the AD LDS Readers group is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To view permissions on a directory object using LDP.exe

  1. Open Ldp.exe, and then connect and bind to an AD LDS instance. For more information about connecting and binding to an AD LDS instance with Ldp.exe, see the procedure "To manage an AD LDS instance using Ldp.exe" in Step 3: Practice Using AD LDS Administration Tools.

  2. In the navigation pane, right-click the directory partition object that you want to view the permissions for, click Advanced, and then click Security Descriptor.

    The Security Descriptor dialog box displays all access control entries (ACEs) and their assigned access rights over the selected directory partition object.

Grant permissions

You can grant access control in AD LDS on an object-by-object basis by using the following:

  • Grant permissions with the dsacls command-line tool

  • Grant permissions with Ldp.exe

Grant permissions with the dsacls command-line tool

Membership in the AD LDS Administrators group is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To grant permissions on a directory object using dsacls

  1. Click Start, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type the following command, and then press ENTER:

    dsacls "\\<hostname>:<portnumber>\<object_dn>" /G "<user_or_group>":<Permissions>
    
    Parameter Description

    dsacls

    Displays or modifies permissions of AD DS and AD LDS objects.

    <hostname>

    The name of the computer on which the AD LDS instance that holds the directory object is running.

    <portnumber>

    The communications port number on which the AD LDS instance communicates.

    <object_dn>

    The distinguished name of the directory object.

    <user_or_group>

    The user or group for whom the permissions apply.

    <Permissions>

    The permissions to grant.

    /G

    Indicates that specified permissions are being granted to a specified group or user.

    For this exercise, type the following, and then press ENTER:

    dsacls "\\localhost:389\cn=AD LDS Testers,OU=AD LDS users,o=Microsoft,c=US" /G "CN=Mary North,OU=AD LDS users,o=Microsoft,c=US":SD

    This command grants the user Mary North the Delete permission on the object CN=AD LDS Testers.

    Your screen should contain output similar to the following:

    Access list:
    Effective Permissions on this object are:
    Allow CN=Mary North,OU=ADAM users,O=Microsoft,C=US
                                          SPECIAL ACCESS
                                          DELETE
    Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                          SPECIAL ACCESS   <Inherited from parent>
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          READ PROPERTY
                                          LIST OBJECT
    Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                          FULL CONTROL   <Inherited from parent>
    Permissions inherited to subobjects are:
    Inherited to all subobjects
    Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                          SPECIAL ACCESS   <Inherited from parent>
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          READ PROPERTY
                                          LIST OBJECT
    Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                          FULL CONTROL   <Inherited from parent>
    The command completed successfully
    

Grant permissions with Ldp.exe

Membership in the AD LDS Administrators group is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To grant permissions on a directory object using LDP.exe

  1. Open Ldp.exe, and then connect and bind to an AD LDS instance. For more information about connecting and binding to an AD LDS instance with Ldp.exe, see the procedure "To manage an AD LDS instance using Ldp.exe" in Step 3: Practice Using AD LDS Administration Tools.

  2. Right-click the directory partition object for which you want to view the permissions, click Advanced, and then click Security Descriptor.

    The Security Descriptor dialog box displays all access control entries (ACEs) and their assigned access rights over the selected directory partition object.

  3. Click anywhere in the discretionary access control list (DACL), and then click Add ACE.

  4. In Trustee, type the distinguished name of the trustee (user account) that you are granting the permissions to.

  5. For ACE type, select Allow.

  6. For Access mask, select the appropriate permissions that you want to grant.

  7. Select the appropriate ACE flags.

  8. Select the appropriate Object type.

  9. Select the appropriate Inherited object type, and then click OK.

Deny permissions

You can deny access control in AD LDS on an object-by-object basis by using the following:

  • Deny permissions with the dsacls command-line tool

  • Deny permissions with Ldp.exe

Deny permissions with the dsacls command-line tool

Membership in the AD LDS Administrators group is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To deny permissions on a directory object using dsacls

  1. Click Start, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type the following command, and then press ENTER:

    dsacls "\\<hostname>:<portnumber>\<object_dn>" /D "<user_or_group>":<PermissionStatement>
    
    Parameter Description

    dsacls

    Displays or modifies permissions of AD DS and AD LDS objects.

    <hostname>

    The name of the computer on which the AD LDS instance that holds the directory object is running.

    <portnumber>

    The communications port number on which the AD LDS instance communicates.

    <object_dn>

    The distinguished name of the directory object.

    <user_or_group>

    The user or group for whom the permissions apply.

    <PermissionStatement>

    The permissions to deny.

    /D

    Indicates that specified permissions are being denied to a specified group or user.

    For this exercise, type dsacls “\\localhost:389\CN=AD LDS Testers,OU=AD LDS Users,o=microsoft,c=US” /D domain\administrator:SDDCDT

Note

domain\administrator represents the account with which you are currently logged on.

This command denies the Delete, Delete Child, and Delete Tree permissions on the **CN=AD LDS Testers** object for the currently logged on user.

Your screen should contain output similar to the following:

    Access list:
    Effective Permissions on this object are:
    Deny  domain\account                  SPECIAL ACCESS
                                          DELETE
    Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                          SPECIAL ACCESS   <Inherited from parent>
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          READ PROPERTY
                                          LIST OBJECT
    Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                          FULL CONTROL   <Inherited from parent>
    Permissions inherited to subobjects are:
    Inherited to all subobjects
    Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                          SPECIAL ACCESS   <Inherited from parent>
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          READ PROPERTY
                                          LIST OBJECT
    Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                          FULL CONTROL   <Inherited from parent>
    The command completed successfully

Deny permissions with Ldp.exe

Membership in the AD LDS Administrators group is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To deny permissions on a directory object using LDP.exe

  1. Open Ldp.exe, and then connect and bind to an AD LDS instance. For more information about connecting and binding to an AD LDS instance with Ldp.exe, see the procedure "To manage an AD LDS instance using Ldp.exe" in Step 3: Practice Using AD LDS Administration Tools.

  2. Right-click the directory partition object for which you want to view the permissions, click Advanced, and then click Security Descriptor.

    The Security Descriptor dialog box displays all ACEs and their assigned access rights over the selected directory partition object.

  3. Click anywhere in the DACL, and then click Add ACE.

  4. In Trustee, type the distinguished name of the trustee (user account) that you are denying the permissions for.

  5. For ACE type, click Deny.

  6. For Access mask, select the appropriate permissions that you want to deny.

  7. Select the appropriate ACE flags.

  8. Select the appropriate Object type.

  9. Select the appropriate Inherited object type, and then click OK.