Step 6: Practice Managing Authorization
Applies To: Windows Server 2008
"Authorization" refers to the process of determining which users have access to which directory objects. In Active Directory Lightweight Directory Services (AD LDS), access control lists (ACLs) on each directory object determine which users have access to that object. By default, in AD LDS, ACLs reside only in the top-level object of each directory partition, and all objects in that partition inherit them. For more information about ACLs, see Access Control Lists (https://go.microsoft.com/fwlink/?LinkID=96544).
AD LDS authorization management tasks include the following:
View permissions
Grant permissions
Deny permissions
View permissions
You can view access control in AD LDS on an object-by-object basis by using the following:
View permissions with the dsacls command-line tool
View permissions with Ldp.exe
View permissions with the dsacls command-line tool
Membership in the AD LDS Readers group is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To view permissions on a directory object using dsacls
Click Start, right-click Command Prompt, and then click Run as administrator.
To list all the permissions that are currently set on the directory partition object, at the command prompt, type the following command, and then press ENTER:
dsacls \\<servername>:<portnumber>\<object_dn>
Parameter / Description
dsacls
Displays or modifies permissions of AD DS and AD LDS objects.
<servername>
The name of the computer on which the AD LDS instance that holds the directory object is running.
<portnumber>
The communications port number on which the AD LDS instance communicates.
<object_dn>
The distinguished name of the directory object.
For this exercise, type dsacls \\localhost:389\o=Microsoft,c=US, and then press ENTER.
Your screen should contain output similar to the following:
Access list:
Effective Permissions on this object are:
Allow CN=Instances,CN=Roles,CN=Configuration,CN={C98CA450-AC25-4BC1-AC3C-C3BEC88B335E}
SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
FULL CONTROL
Allow CN=Instances,CN=Roles,CN=Configuration,CN={C98CA450-AC25-4BC1-AC3C-C3BEC88B335E}
Replicating Directory Changes
Allow CN=Instances,CN=Roles,CN=Configuration,CN={C98CA450-AC25-4BC1-AC3C-C3BEC88B335E}
Replication Synchronization
Allow CN=Instances,CN=Roles,CN=Configuration,CN={C98CA450-AC25-4BC1-AC3C-C3BEC88B335E}
Manage Replication Topology
Allow CN=Instances,CN=Roles,CN=Configuration,CN={C98CA450-AC25-4BC1-AC3C-C3BEC88B335E}
Replicating Directory Changes All
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
FULL CONTROL
The command completed successfully
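Reading this output by eye is fine for one object, but a reviewer auditing many partitions wants the same listing as structured records. The following Python parser is an added example, not part of this Microsoft document and not a Microsoft tool: it parses the "Access list" text that dsacls prints into ACE records and summarises what was set directly on the object versus inherited, who holds FULL CONTROL outside the Administrators role, and who can delete the object. The sample output, the trustee EXAMPLE\svc-admin and the right names beyond those shown on this page are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Right names as dsacls prints them. The first ones appear in this document's
# sample output (including the tool's own "PERMISSONS" spelling); the rest are
# listed so they are never mistaken for part of a trustee name. Longer names
# must precede their prefixes ("DELETE CHILD" before "DELETE").
RIGHT_RE = re.compile(
    r"(SPECIAL ACCESS|FULL CONTROL|READ PERMISSONS|READ PERMISSIONS|LIST CONTENTS|"
    r"READ PROPERTY|LIST OBJECT|DELETE CHILD|DELETE TREE|DELETE|WRITE PROPERTY|"
    r"CREATE CHILD|WRITE SELF|CONTROL ACCESS|WRITE PERMISSIONS|WRITE OWNER|"
    r"Replicating Directory Changes All|Replicating Directory Changes|"
    r"Replication Synchronization|Manage Replication Topology)"
)
ACE_RE = re.compile(r"^(Allow|Deny)\s+(.*)$")
INHERITED_MARK = "<Inherited from parent>"


@dataclass
class Ace:
    ace_type: str            # "Allow" or "Deny"
    trustee: str             # DN or DOMAIN\account exactly as printed
    section: str             # "object" (effective on this object) or "subobjects"
    inherited: bool = False  # carried the <Inherited from parent> marker
    rights: list = field(default_factory=list)

    def absorb(self, text):
        """Pull right names and the inheritance marker out of one line of output."""
        if INHERITED_MARK in text:
            self.inherited = True
        for right in RIGHT_RE.findall(text):
            if right != "SPECIAL ACCESS":   # header meaning "specific rights follow"
                self.rights.append(right)


def parse_dsacls(text):
    """Parse the text dsacls prints for one object into a list of Ace records."""
    aces, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Access list:":
            continue
        if line.startswith("Effective Permissions on this object"):
            section, current = "object", None
            continue
        if line.startswith("Permissions inherited to subobjects"):
            section, current = "subobjects", None
            continue
        if line.startswith("Inherited to ") or line.startswith("The command completed"):
            current = None
            continue
        m = ACE_RE.match(line)
        if m:
            rest = m.group(2)
            # The trustee ends where the first right name or inheritance marker begins.
            hit = RIGHT_RE.search(rest)
            cut = hit.start() if hit else len(rest)
            idx = rest.find(INHERITED_MARK)
            if idx != -1:
                cut = min(cut, idx)
            current = Ace(m.group(1), rest[:cut].strip(), section)
            current.absorb(rest[cut:])
            aces.append(current)
        elif current is not None:
            current.absorb(line)   # continuation line listing more rights
    return aces


def audit(aces, admin_trustee="CN=Administrators,CN=Roles,O=Microsoft,C=US"):
    """What a reviewer checks first: ACEs set directly on this object rather than
    inherited, FULL CONTROL held outside the Administrators role, and who can delete."""
    here = [a for a in aces if a.section == "object"]
    return {
        "explicit_denies": [a.trustee for a in here if a.ace_type == "Deny" and not a.inherited],
        "explicit_allows": [a.trustee for a in here if a.ace_type == "Allow" and not a.inherited],
        "full_control_outside_admins": [a.trustee for a in here if a.ace_type == "Allow"
                                        and "FULL CONTROL" in a.rights and a.trustee != admin_trustee],
        "can_delete": [a.trustee for a in here if a.ace_type == "Allow"
                       and ("DELETE" in a.rights or "FULL CONTROL" in a.rights)],
    }


# Constructed sample in the layout dsacls uses on this page (not captured from a real instance).
SAMPLE_OUTPUT = """\
Access list:
Effective Permissions on this object are:
Deny  EXAMPLE\\svc-admin  SPECIAL ACCESS
                          DELETE
                          DELETE CHILD
                          DELETE TREE
Allow CN=Mary North,OU=AD LDS users,O=Microsoft,C=US
                          SPECIAL ACCESS
                          DELETE
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                          SPECIAL ACCESS   <Inherited from parent>
                          READ PERMISSONS
                          LIST CONTENTS
                          READ PROPERTY
                          LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                          FULL CONTROL   <Inherited from parent>
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                          SPECIAL ACCESS   <Inherited from parent>
                          READ PERMISSONS
                          LIST CONTENTS
                          READ PROPERTY
                          LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                          FULL CONTROL   <Inherited from parent>
The command completed successfully
"""

if __name__ == "__main__":
    for key, value in audit(parse_dsacls(SAMPLE_OUTPUT)).items():
        print(f"{key}: {value}")
```

In practice the input comes from `dsacls \\<servername>:<portnumber>\<object_dn>` run for each object of interest; the parser treats "SPECIAL ACCESS" as a header rather than a right, and keeps the inheritance marker separate so that explicit ACEs (the ones someone set on this object) stand out from those inherited from the partition head.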
View permissions with Ldp.exe
Membership in the AD LDS Readers group is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To view permissions on a directory object using LDP.exe
Open Ldp.exe, and then connect and bind to an AD LDS instance. For more information about connecting and binding to an AD LDS instance with Ldp.exe, see the procedure "To manage an AD LDS instance using Ldp.exe" in Step 3: Practice Using AD LDS Administration Tools.
In the navigation pane, right-click the directory partition object that you want to view the permissions for, click Advanced, and then click Security Descriptor.
The Security Descriptor dialog box displays all access control entries (ACEs) and their assigned access rights over the selected directory partition object.
Grant permissions
You can grant access control in AD LDS on an object-by-object basis by using the following:
Grant permissions with the dsacls command-line tool
Grant permissions with Ldp.exe
Grant permissions with the dsacls command-line tool
Membership in the AD LDS Administrators group is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.
To grant permissions on a directory object using dsacls
Click Start, right-click Command Prompt, and then click Run as administrator.
At the command prompt, type the following command, and then press ENTER:
dsacls "\\<hostname>:<portnumber>\<object_dn>" /G "<user_or_group>":<Permissions>
Parameter / Description
dsacls
Displays or modifies permissions of AD DS and AD LDS objects.
<hostname>
The name of the computer on which the AD LDS instance that holds the directory object is running.
<portnumber>
The communications port number on which the AD LDS instance communicates.
<object_dn>
The distinguished name of the directory object.
<user_or_group>
The user or group for whom the permissions apply.
<Permissions>
The permissions to grant.
/G
Indicates that specified permissions are being granted to a specified group or user.
For this exercise, type the following, and then press ENTER:
dsacls "\\localhost:389\cn=AD LDS Testers,OU=AD LDS users,o=Microsoft,c=US" /G "CN=Mary North,OU=AD LDS users,o=Microsoft,c=US":SD
This command grants the user Mary North the Delete permission on the object CN=AD LDS Testers.
Your screen should contain output similar to the following:
Access list:
Effective Permissions on this object are:
Allow CN=Mary North,OU=ADAM users,O=Microsoft,C=US
SPECIAL ACCESS
DELETE
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
FULL CONTROL <Inherited from parent>
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
FULL CONTROL <Inherited from parent>
The command completed successfully
Grant permissions with Ldp.exe
Membership in the AD LDS Administrators group is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.
To grant permissions on a directory object using LDP.exe
Open Ldp.exe, and then connect and bind to an AD LDS instance. For more information about connecting and binding to an AD LDS instance with Ldp.exe, see the procedure "To manage an AD LDS instance using Ldp.exe" in Step 3: Practice Using AD LDS Administration Tools.
Right-click the directory partition object for which you want to grant permissions, click Advanced, and then click Security Descriptor.
The Security Descriptor dialog box displays all access control entries (ACEs) and their assigned access rights over the selected directory partition object.
Click anywhere in the discretionary access control list (DACL), and then click Add ACE.
In Trustee, type the distinguished name of the trustee (user account) that you are granting the permissions to.
For ACE type, select Allow.
For Access mask, select the appropriate permissions that you want to grant.
Select the appropriate ACE flags.
Select the appropriate Object type.
Select the appropriate Inherited object type, and then click OK.
Deny permissions
You can deny access control in AD LDS on an object-by-object basis by using the following:
Deny permissions with the dsacls command-line tool
Deny permissions with Ldp.exe
Deny permissions with the dsacls command-line tool
Membership in the AD LDS Administrators group is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.
To deny permissions on a directory object using dsacls
Click Start, right-click Command Prompt, and then click Run as administrator.
At the command prompt, type the following command, and then press ENTER:
dsacls "\\<hostname>:<portnumber>\<object_dn>" /D "<user_or_group>":<PermissionStatement>
Parameter / Description
dsacls
Displays or modifies permissions of AD DS and AD LDS objects.
<hostname>
The name of the computer on which the AD LDS instance that holds the directory object is running.
<portnumber>
The communications port number on which the AD LDS instance communicates.
<object_dn>
The distinguished name of the directory object.
<user_or_group>
The user or group for whom the permissions apply.
<PermissionStatement>
The permissions to deny.
/D
Indicates that specified permissions are being denied to a specified group or user.
For this exercise, type dsacls "\\localhost:389\CN=AD LDS Testers,OU=AD LDS Users,o=microsoft,c=US" /D domain\administrator:SDDCDT, and then press ENTER.
Note
domain\administrator represents the account with which you are currently logged on.
This command denies the Delete, Delete Child, and Delete Tree permissions on the CN=AD LDS Testers object for the currently logged on user.
Your screen should contain output similar to the following:
Access list:
Effective Permissions on this object are:
Deny domain\account SPECIAL ACCESS
DELETE
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
FULL CONTROL <Inherited from parent>
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
FULL CONTROL <Inherited from parent>
The command completed successfully
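The output lists the new Deny entry ahead of the inherited Allow entries, and that order is what makes the exercise work: the logged-on account is a member of the Administrators role, which holds inherited FULL CONTROL, yet it can no longer delete the object. The following Python model is an added example, not Microsoft code and not how AD LDS is implemented internally: it translates dsacls permission codes such as SD and SDDCDT into the standard Windows/ADS access-mask bits, sorts a DACL into canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), and walks it the way a Windows access check does. The account names, the group membership and the DACL below are constructed to mirror the grant and deny exercises on this page.

```python
from collections import namedtuple

# Standard Windows and ADS access-mask bits (documented constant values).
DS_CREATE_CHILD   = 0x00000001
DS_DELETE_CHILD   = 0x00000002
DS_LIST           = 0x00000004
DS_SELF           = 0x00000008
DS_READ_PROP      = 0x00000010
DS_WRITE_PROP     = 0x00000020
DS_DELETE_TREE    = 0x00000040
DS_LIST_OBJECT    = 0x00000080
DS_CONTROL_ACCESS = 0x00000100
DELETE            = 0x00010000
READ_CONTROL      = 0x00020000
WRITE_DAC         = 0x00040000
WRITE_OWNER       = 0x00080000
FULL_CONTROL = (DS_CREATE_CHILD | DS_DELETE_CHILD | DS_LIST | DS_SELF | DS_READ_PROP
                | DS_WRITE_PROP | DS_DELETE_TREE | DS_LIST_OBJECT | DS_CONTROL_ACCESS
                | DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER)

# dsacls two-letter permission codes. SD and SDDCDT are the ones this page uses;
# the others are the tool's remaining object-right codes.
DSACLS_CODES = {
    "SD": DELETE, "DC": DS_DELETE_CHILD, "DT": DS_DELETE_TREE, "CC": DS_CREATE_CHILD,
    "LC": DS_LIST, "WS": DS_SELF, "RP": DS_READ_PROP, "WP": DS_WRITE_PROP,
    "LO": DS_LIST_OBJECT, "CA": DS_CONTROL_ACCESS, "RC": READ_CONTROL,
    "WD": WRITE_DAC, "WO": WRITE_OWNER, "GA": FULL_CONTROL,
}


def parse_codes(codes):
    """Turn a dsacls permission string such as 'SDDCDT' into an access mask."""
    if len(codes) % 2:
        raise ValueError(f"odd-length permission string: {codes!r}")
    mask = 0
    for i in range(0, len(codes), 2):
        code = codes[i:i + 2].upper()
        if code not in DSACLS_CODES:
            raise ValueError(f"unknown dsacls permission code: {code}")
        mask |= DSACLS_CODES[code]
    return mask


Ace = namedtuple("Ace", "kind trustee mask inherited")


def canonical_order(dacl):
    """Explicit Deny, then explicit Allow, then inherited Deny, then inherited Allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "Deny"))


def access_check(dacl, principal, groups, requested):
    """Simplified Windows DACL walk: a Deny that covers any still-wanted bit stops the
    check with failure; Allows accumulate until every requested bit is granted."""
    identities = {principal, *groups}
    remaining = requested
    for ace in canonical_order(dacl):
        if ace.trustee not in identities:
            continue
        if ace.kind == "Deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed DACL of CN=AD LDS Testers after the grant and deny exercises on this page.
ADMINS = "CN=Administrators,CN=Roles,O=Microsoft,C=US"
READERS = "CN=Readers,CN=Roles,O=Microsoft,C=US"
ADMIN_USER = "EXAMPLE\\administrator"   # stand-in for the page's domain\administrator
MARY = "CN=Mary North,OU=AD LDS users,O=Microsoft,C=US"
TESTERS_DACL = [
    Ace("Deny", ADMIN_USER, parse_codes("SDDCDT"), False),                      # /D exercise
    Ace("Allow", MARY, parse_codes("SD"), False),                               # /G exercise
    Ace("Allow", READERS, READ_CONTROL | DS_LIST | DS_READ_PROP | DS_LIST_OBJECT, True),
    Ace("Allow", ADMINS, FULL_CONTROL, True),
]


def exercise_results(dacl=TESTERS_DACL):
    return {
        "admin_can_delete": access_check(dacl, ADMIN_USER, {ADMINS}, DELETE),
        "admin_can_write_property": access_check(dacl, ADMIN_USER, {ADMINS}, DS_WRITE_PROP),
        "mary_can_delete": access_check(dacl, MARY, set(), DELETE),
        "mary_can_delete_tree": access_check(dacl, MARY, set(), DS_DELETE_TREE),
        "reader_can_read_property": access_check(dacl, "EXAMPLE\\reader", {READERS}, DS_READ_PROP),
        "reader_can_delete": access_check(dacl, "EXAMPLE\\reader", {READERS}, DELETE),
    }


if __name__ == "__main__":
    for name, allowed in exercise_results().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The model shows the practical caveat behind the deny exercise: because explicit Deny ACEs are evaluated before inherited Allow ACEs, a Deny placed on an administrator account takes away Delete even though the Administrators role still holds FULL CONTROL on the partition head, and the account keeps every other right. It also shows that Mary North's explicit SD grant covers Delete only, not Delete Tree, which is why the page's grant exercise describes it as "the Delete permission".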
Deny permissions with Ldp.exe
Membership in the AD LDS Administrators group is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.
To deny permissions on a directory object using LDP.exe
Open Ldp.exe, and then connect and bind to an AD LDS instance. For more information about connecting and binding to an AD LDS instance with Ldp.exe, see the procedure "To manage an AD LDS instance using Ldp.exe" in Step 3: Practice Using AD LDS Administration Tools.
Right-click the directory partition object for which you want to deny permissions, click Advanced, and then click Security Descriptor.
The Security Descriptor dialog box displays all ACEs and their assigned access rights over the selected directory partition object.
Click anywhere in the DACL, and then click Add ACE.
In Trustee, type the distinguished name of the trustee (user account) that you are denying the permissions for.
For ACE type, click Deny.
For Access mask, select the appropriate permissions that you want to deny.
Select the appropriate ACE flags.
Select the appropriate Object type.
Select the appropriate Inherited object type, and then click OK.