

Assign a Windows User or Group to a Role

Applies To: Windows Server 2008

Important

Authorization Manager is available for use in the following versions of Windows: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows XP, Windows Vista, Windows 7, and Windows 8. It is deprecated as of Windows Server 2012 R2 and may be removed in subsequent versions.

To effectively use Authorization Manager to control access to resources, you must define which groups of users are associated with which roles. To assign a Windows user or group to a role, use the following procedure.

You must be assigned to the Authorization Manager Administrator user role to complete this procedure. By default, Administrators is the minimum Windows group membership assigned to this role. Review the details in "Additional considerations" in this topic.

Assign a Windows user or group to a role

  1. If necessary, open Authorization Manager.

  2. If necessary, open or create an authorization store.

  3. In the console tree, right-click Role Assignments, under either an application or a scope, and choose New role assignment. The Role Assignments folder is used as a container to link groups to roles. Not all roles have groups associated with them since roles can be combined into larger roles.

  4. Select the role to which you want to assign groups by selecting the check box beside the name of the appropriate role definition, then click OK. The same role definition can be added to the Role Assignments container more than once. This allows flexibility in managing your assignments.

  5. If desired, change the display name of the role assignment by right-clicking it in the list of role assignments and choosing Properties.

  6. In the list of role assignments, right-click the role assignment from the previous steps, and choose Assign Users and Groups.

  7. From the fly-out menu, choose From Windows and Active Directory.

    • The standard Select Users, Computers or Groups dialog box appears.

  8. In the Enter the object names to select text box, type the user names of the desired members. Alternatively, you can search Active Directory by clicking the Advanced button.

  9. Click OK.
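
The same assignment can be scripted through the Authorization Manager COM scripting interface and then reviewed. The following PowerShell is an added example, not part of the original topic; it works at the application level only, and the store path, application name, role definition name, and account name are placeholder assumptions.

```powershell
# Added example. All four values below are placeholders (assumptions).
$StoreUrl = 'msxml://C:\AzMan\ExampleStore.xml'  # hypothetical XML authorization store
$AppName  = 'ExampleApp'                         # hypothetical application in that store
$RoleDef  = 'ExampleRole'                        # role definition that already exists
$Account  = 'EXAMPLE\ExampleGroup'               # hypothetical Windows user or group

# Steps 1-2: open the existing authorization store and the application.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, $StoreUrl, $null)           # 0 = open an existing store
$app = $store.OpenApplication($AppName, $null)

# Steps 3-5: open the role assignment, or create it and link it to the
# role definition (role definitions are stored as tasks in the store).
try {
    $role = $app.OpenRole($RoleDef, $null)
} catch {
    $role = $app.CreateRole($RoleDef, $null)
    $role.AddTask($RoleDef, $null)
}

# Steps 6-9: add the Windows account by name and save the change.
$role.AddMemberName($Account, $null)
$role.Submit(0, $null)

# Review: list every role assignment in the application with its linked
# role definitions and its Windows members, to confirm who holds each role.
foreach ($r in $app.Roles) {
    [pscustomobject]@{
        RoleAssignment = $r.Name
        Definitions    = @($r.Tasks) -join ', '
        WindowsMembers = @($r.MembersName) -join ', '
    }
}
```

Running the review loop on its own after any change gives a quick record of which Windows users and groups are linked to each role.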

Additional considerations

To perform this procedure, you need to have access to an authorization store. By default, members of the Administrators group have the required access, but Authorization Manager allows you to delegate responsibility. For more information, see "Additional references" in this topic.

Additional references