You can govern access control in Active Directory Lightweight Directory Services (AD LDS) at the directory partition level by assigning user memberships to the role-based groups that are located on each partition. You can also customize access control in AD LDS on an object-by-object basis using the dsacls command-line tool.
Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition. For more information about AD LDS groups, see Understanding AD LDS Users and Groups.
To view or set permissions on a directory object

- Open a command prompt.

- At the command prompt, do one of the following:

  - To list the effective permissions on a directory object, type the following command, and then press ENTER:

        dsacls \\hostname:portnumber\object_dn

    Parameter    Description
    hostname     The name of the computer on which the AD LDS instance that holds the directory object is running.
    portnumber   The communications port number on which the AD LDS instance communicates.
    object_dn    The distinguished name of the directory object.

    Example:

        dsacls \\localhost:389\O=Microsoft,C=US

  - To grant permissions on a directory object, type the following command, and then press ENTER:

        dsacls \\hostname:portnumber\object_dn /G user_or_group:Permissions

    Parameter      Description
    hostname       The name of the computer on which the AD LDS instance that holds the directory object is running.
    portnumber     The communications port number on which the AD LDS instance communicates.
    object_dn      The distinguished name of the directory object.
    user_or_group  The user or group for whom the permissions apply.
    Permissions    The permissions to grant.

    Example:

        dsacls "\\localhost:389\cn=Object1, cn=container1,O=Microsoft,C=US" /G "CN=inetuser1,O=Microsoft,C=US":SD

  - To deny permissions on a directory object, type the following command, and then press ENTER:

        dsacls \\hostname:portnumber\object_dn /D user_or_group:PermissionStatement

    Parameter            Description
    hostname             The name of the computer on which the AD LDS instance that holds the directory object is running.
    portnumber           The communications port number on which the AD LDS instance communicates.
    object_dn            The distinguished name of the directory object.
    user_or_group        The user or group for whom the permissions apply.
    PermissionStatement  The permissions to deny.

    Example:

        dsacls "\\localhost:389\cn=Object1, cn=container1,O=Microsoft,C=US" /D "CN=inetuser1,O=Microsoft,C=US":SD
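The following PowerShell functions are an added example and are not part of the original page or of Microsoft's documentation. They wrap the three dsacls forms above (list, /G, /D) so that every grant or deny on an AD LDS object is preceded and followed by a snapshot of the object's effective permissions, and only the lines that changed are returned for review. Assumed, not stated on the page: dsacls.exe is on the PATH, the instance listens on localhost:389, and the function and parameter names (Get-AdLdsAclSnapshot, Set-AdLdsObjectPermission) are this example's own.

```powershell
# Added example (not from the original page): snapshot an AD LDS object's ACL with dsacls,
# apply one /G (grant) or /D (deny) change, and return the ACL lines the change introduced.
# Assumptions: dsacls.exe is on the PATH and the caller is a member of the AD LDS
# instance's Administrators group. Server and DN values below are constructed.

function Get-AdLdsAclSnapshot {
    param(
        [Parameter(Mandatory)][string]$Server,    # hostname:portnumber, e.g. localhost:389
        [Parameter(Mandatory)][string]$ObjectDn   # distinguished name of the directory object
    )
    # "dsacls \\hostname:portnumber\object_dn" lists the object's effective permissions.
    $target = "\\$Server\$ObjectDn"
    $output = & dsacls $target 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed for ${target}:`n$($output -join "`n")"
    }
    return @($output | ForEach-Object { "$_" })
}

function Set-AdLdsObjectPermission {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$ObjectDn,
        [Parameter(Mandatory)][string]$Principal,      # DN of the user or group (user_or_group)
        [Parameter(Mandatory)][ValidateSet('Grant', 'Deny')][string]$Action,
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$Permission  # e.g. SD (delete)
    )
    # Map the action to the dsacls switch described on the page.
    $switch = if ($Action -eq 'Grant') { '/G' } else { '/D' }
    $target = "\\$Server\$ObjectDn"

    # Record the ACL before touching it so the change can be reviewed and, if needed, reverted.
    $before = Get-AdLdsAclSnapshot -Server $Server -ObjectDn $ObjectDn

    # PowerShell quotes arguments containing spaces for us, so DNs with spaces are safe here.
    $result = & dsacls $target $switch "${Principal}:$Permission" 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls $switch failed for ${target}:`n$($result -join "`n")"
    }

    $after = Get-AdLdsAclSnapshot -Server $Server -ObjectDn $ObjectDn

    # Lines present only in the 'after' snapshot are the ACE lines the change introduced.
    Compare-Object -ReferenceObject $before -DifferenceObject $after |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { $_.InputObject }
}

# Usage (constructed values that mirror the page's examples):
# Set-AdLdsObjectPermission -Server 'localhost:389' `
#     -ObjectDn 'cn=Object1,cn=container1,O=Microsoft,C=US' `
#     -Principal 'CN=inetuser1,O=Microsoft,C=US' -Action Deny -Permission 'SD'
```

Keeping the "before" snapshot is the practical point: a deny ACE added with /D is easy to forget and hard to spot later in a long dsacls listing, so storing the pre-change output alongside the returned difference gives a change record that a later reviewer can check against the live ACL. Because the page notes that replicas carry the same permissions, the listing taken from any one replica is sufficient for that comparison.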
Additional considerations

- To open a command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

- For a complete description of all the parameters that apply to dsacls, including the setting of inheritance, type dsacls /? at the command prompt.

- A directory object that resides on multiple replicas of a given directory partition possesses the same permissions on all the replica partitions.

- You can also perform the task in this procedure by using the Active Directory module for Windows PowerShell™. To open the Active Directory module, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell. For more information, see View or Set Permissions on a Directory Object (http://go.microsoft.com/fwlink/?LinkId=137814).

For more information about Windows PowerShell, see Windows PowerShell (http://go.microsoft.com/fwlink/?LinkID=102372).