Access control in Active Directory Lightweight Directory Services (AD LDS) consists of two parts. First, AD LDS authenticates the identity of users requesting access to the directory, allowing only successfully authenticated users into the directory. Second, AD LDS uses security descriptors, called access control lists (ACLs), on directory objects to determine to which objects an authenticated user has access.
Users, or security principals, request directory data from AD LDS through directory-enabled applications, which in turn make requests to AD LDS using Lightweight Directory Access Protocol (LDAP). Before making a request for data, the directory-enabled application must present the user's credentials to AD LDS for authentication, or binding. This request includes a user name, password, and—depending on the type of bind—a domain name or computer name.
AD LDS can accept authentication, or bind, requests from both AD LDS security principals and Windows (local and domain) security principals. AD LDS security principals are authenticated directly by AD LDS. Local Windows security principals are authenticated by the local computer. Domain security principals must be authenticated by an Active Directory Domain Services (AD DS) domain controller.
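The three bind types described above, as an added PowerShell example that is not part of the original page: a simple bind as an AD LDS security principal (checked by AD LDS itself), a Negotiate bind as a local Windows account (checked by the local computer) and as a domain account (checked by an AD DS domain controller), followed by a read of the ACL on a directory object. The host name, port, DNs and account names are placeholders.

```powershell
# Added example, not from the original page. Placeholders: adlds.example.com:50000,
# DC=app,DC=example,DC=com, and the account names Alice, Bob and carol.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$server = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("adlds.example.com", 50000)

function Test-AdLdsBind {
    param(
        [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]$Server,
        [System.DirectoryServices.Protocols.AuthType]$AuthType,
        [System.Net.NetworkCredential]$Credential,
        [switch]$UseSsl
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.AuthType = $AuthType
    $conn.Credential = $Credential
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    try {
        $conn.Bind()   # throws LdapException on a failed authentication
        return $true
    } catch {
        Write-Warning "Bind failed for '$($Credential.UserName)': $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

# 1. AD LDS security principal: simple (Basic) bind with the user's DN. AD LDS
#    verifies the password itself; Basic sends it in clear, so require SSL/TLS.
$adldsCred = New-Object System.Net.NetworkCredential(
    "CN=Alice,OU=Users,DC=app,DC=example,DC=com", (Read-Host -AsSecureString "AD LDS password"))
Test-AdLdsBind -Server $server -AuthType Basic -Credential $adldsCred -UseSsl

# 2. Local Windows principal: Negotiate bind; the computer hosting AD LDS
#    authenticates the account, so the "domain" is that computer's name.
$localCred = New-Object System.Net.NetworkCredential("Bob", (Read-Host -AsSecureString "Local password"), "ADLDSHOST")
Test-AdLdsBind -Server $server -AuthType Negotiate -Credential $localCred

# 3. Domain principal: Negotiate bind; an AD DS domain controller for CORP
#    authenticates the account before AD LDS accepts the session.
$domainCred = New-Object System.Net.NetworkCredential("carol", (Read-Host -AsSecureString "Domain password"), "CORP")
Test-AdLdsBind -Server $server -AuthType Negotiate -Credential $domainCred

# Once bound (here with the caller's own Windows credentials via ADSI), read the
# security descriptor on an object to see which principals the ACL grants access.
$entry = [ADSI]"LDAP://adlds.example.com:50000/OU=Users,DC=app,DC=example,DC=com"
$entry.psbase.ObjectSecurity.Access |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
```

Each bind attempt, successful or not, is recorded by the AD LDS instance, so the warnings written here will correspond to entries an administrator can correlate in its event log.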
- Understanding AD LDS Users and Groups
- Import the User Classes That Are Supplied with AD LDS
- Synchronize with Active Directory Domain Services
- Add an AD LDS User to the Directory
- Add an AD LDS Group to the Directory
- Add or Remove Members to or from an AD LDS Group
- View or Set Permissions on a Directory Object
- Disable or Enable an AD LDS User
- Set or Modify the Password of an AD LDS User
- Add an Organizational Unit to the Directory