You can govern access control in Active Directory Lightweight Directory Services (AD LDS) at the directory partition level by assigning user memberships to the role-based groups that are located on each partition. You can also customize access control in AD LDS on an object-by-object basis using the dsacls command-line tool.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition. For more information about AD LDS groups, see Understanding AD LDS Users and Groups.

To view or set permissions on a directory object
  1. Open a command prompt.

  2. At the command prompt, do one of the following:

    • To list the effective permissions on a directory object, type the following command, and then press ENTER:

      dsacls \\hostname:portnumber\object_dn

      Parameter Description

      hostname

      The name of the computer on which the AD LDS instance that holds the directory object is running.

      portnumber

      The communications port number on which the AD LDS instance communicates.

      object_dn

      The distinguished name of the directory object.

      Example:

      dsacls \\localhost:389\O=Microsoft,C=US

    • To grant permissions on a directory object, type the following command, and then press ENTER:

      dsacls \\hostname:portnumber\object_dn /G user_or_group:Permissions

      Parameter Description

      hostname

      The name of the computer on which the AD LDS instance that holds the directory object is running.

      portnumber

      The communications port number on which the AD LDS instance communicates.

      object_dn

      The distinguished name of the directory object.

      user_or_group

      The user or group for whom the permissions apply.

      Permissions

      The permissions to grant.

      Example:

      dsacls "\\localhost:389\cn=Object1, cn=container1,O=Microsoft,C=US" /G "CN=inetuser1,O=Microsoft,C=US":SD

    • To deny permissions on a directory object, type the following command, and then press ENTER:

      dsacls \\hostname:portnumber\object_dn /D user_or_group:PermissionStatement

      Parameter Description

      hostname

      The name of the computer on which the AD LDS instance that holds the directory object is running.

      portnumber

      The communications port number on which the AD LDS instance communicates.

      object_dn

      The distinguished name of the directory object.

      user_or_group

      The user or group for whom the permissions apply.

      PermissionStatement

      The permissions to deny.

      Example:

      dsacls "\\localhost:389\cn=Object1, cn=container1,O=Microsoft,C=US" /D "CN=inetuser1,O=Microsoft,C=US":SD

Additional considerations

  • To open a command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

  • For a complete description of all the parameters that apply to dsacls, including the setting of inheritance, type dsacls /? at the command prompt.

  • A directory object that resides on multiple replicas of a given directory partition possesses the same permissions on all the replica partitions.

  • You can also perform the task in this procedure by using the Active Directory module for Windows PowerShell™. To open the Active Directory module, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell. For more information, see View or Set Permissions on a Directory Object (http://go.microsoft.com/fwlink/?LinkId=137814). For more information about Windows PowerShell, see Windows PowerShell (http://go.microsoft.com/fwlink/?LinkID=102372).

Additional references