Active Directory Lightweight Directory Services (AD LDS) relies on users and groups to provide and control access to directory data. AD LDS supports the simultaneous use of both Windows users and AD LDS users. AD LDS provides four default, role-based groups. You can create additional AD LDS groups as necessary. Both Windows users and AD LDS users can be members of AD LDS groups. To create AD LDS users in AD LDS, you must first import the user object class definitions that are provided with AD LDS, or you can supply your own user object class definitions.

AD LDS provides four default, role-based groups: Administrators, Instances, Readers, and Users. These groups reside in the configuration partition and in each application partition, but not in the schema partition. Within a configuration set, AD LDS replicates these groups, along with all other directory data.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition. For more information about AD LDS groups, see Understanding AD LDS Users and Groups.

To add or remove members to or from an AD LDS group
  1. Open ADSI Edit.

  2. Connect and bind to the AD LDS instance containing the group that you want to modify. For more information, see Use ADSI Edit to Manage an AD LDS Instance.

  3. In the console tree, double-click the directory partition containing the group that you want to modify.

  4. Right-click the group that you want to modify, and then click Properties.

  5. In Attributes, click Member, and then click Edit.

  6. For each AD LDS security principal that you want to add to the group, click Add DN, type the distinguished name of the new member, and then click OK.

  7. For each Windows security principal that you want to add to the group, click Add Windows account, type the account name of the new member, and then click OK.

  8. For each group member that you want to remove from the group, click the member that you want to remove, and then click Remove.

  9. After making the changes that you want to the group, click OK twice.

Note

In AD LDS it is possible for an AD LDS administrator, or for a user with sufficient access to the Administrators group, to remove member accounts from the AD LDS Administrators group, possibly leaving AD LDS without any valid administrators. To recover from this scenario, the assigned AD LDS administrator, as the owner of the Administrators group, can repopulate the AD LDS Administrators group with the appropriate accounts.

Additional considerations

  • To open ADSI Edit, on a computer with the AD LDS server role installed, click Start, click Administrative Tools, and then click ADSI Edit.

  • You can also perform the task in this procedure by using the Active Directory module for Windows PowerShell. To open the Active Directory module, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell. For more information, see Add or Remove Members to or from an AD LDS Group (http://go.microsoft.com/fwlink/?LinkId=137812). For more information about Windows PowerShell, see Windows PowerShell (http://go.microsoft.com/fwlink/?LinkID=102372).

Additional references