Apply Active Directory Schema Administrative Permissions

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

You can set permissions for performing tasks in the Active Directory Schema snap-in.

Membership in Schema Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To apply permissions to perform a schema task

  1. Open the Active Directory Schema snap-in.

  2. In the console tree, click Active Directory Schema to connect to the domain.

  3. In the console tree, right-click Active Directory Schema, and then click Permissions.

  4. In Group or user names, select a user or group, or click Add to add a user or group.

  5. In Permissions for <user_name>, select or clear the permission that you want to grant or deny, respectively, and then click OK.

Additional considerations

  • Performing this task requires schema administrator credentials, which are assigned only to the Schema Admins group. By default, only the Administrator account in the forest root domain is a member of the Schema Admins group. You can set permissions for different administrators to manage schema operations, but it is best to limit the number of schema administrators to a single highly trusted administrator in the forest.

  • If the Active Directory Schema snap-in is not installed, see Install the Active Directory Schema Snap-In.
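
To review the result of the procedure above without opening the snap-in, the following read-only PowerShell audit lists the members of Schema Admins and the Allow entries on the schema partition that permit changes. It is an added example, not part of the original article; it assumes the ActiveDirectory module (RSAT) is installed and the session runs on a domain-joined computer, and the variable names are illustrative.

```powershell
# Added example: read-only audit of Schema Admins membership and schema permissions.
# Assumption: the ActiveDirectory module (RSAT) is available in this session.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Schema Admins lives in the forest root domain, so query that domain explicitly.
$members = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive)
$members | Select-Object Name, objectClass, distinguishedName | Format-Table -AutoSize

# The guidance above is to keep this to a single highly trusted administrator.
if ($members.Count -gt 1) {
    Write-Warning "Schema Admins has $($members.Count) members; review whether each one is still required."
}

# 2. Entries on the schema partition head (the object the snap-in's Permissions dialog edits).
#    Only atomic rights are listed here: composite rights such as GenericWrite also
#    contain ReadControl and would match read-only entries.
$changeRights = [System.DirectoryServices.ActiveDirectoryRights] `
    'CreateChild, DeleteChild, WriteProperty, WriteDacl, WriteOwner, Delete, DeleteTree'

$acl = Get-Acl -Path "AD:\$schemaNC"

$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $changeRights)
    } |
    Sort-Object IdentityReference |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, ObjectType |
    Format-Table -AutoSize -Wrap

# 3. Record the owner as well: an owner can rewrite the permissions on the object.
"Owner of ${schemaNC}: $($acl.Owner)"
```

Any identity in the second table other than the groups you intentionally delegated to is a candidate for removal through the Permissions dialog described in the procedure.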

Additional references

Installing, Securing, and Viewing the Schema