Access control in Active Directory Lightweight Directory Services (AD LDS) consists of two parts. First, AD LDS authenticates the identity of users requesting access to the directory, allowing only successfully authenticated users into the directory. Second, AD LDS uses security descriptors, called access control lists (ACLs), on directory objects to determine to which objects an authenticated user has access.

Users, or security principals, request directory data from AD LDS through directory-enabled applications, which in turn make requests to AD LDS using Lightweight Directory Access Protocol (LDAP). Before making a request for data, the directory-enabled application must present the user's credentials to AD LDS for authentication, or binding. This request includes a user name, password, and—depending on the type of bind—a domain name or computer name.

AD LDS can accept authentication, or bind, requests from both AD LDS security principals and Windows (local and domain) security principals. AD LDS security principals are authenticated directly by AD LDS. Local Windows security principals are authenticated by the local computer. Domain security principals must be authenticated by an Active Directory Domain Services (AD DS) domain controller.