You can administer users and groups in Active Directory Lightweight Directory Services (AD LDS) through the ADSI Edit snap-in or through your directory-enabled applications. For information about users and groups in AD LDS, see Understanding AD LDS Users and Groups.

To create users in AD LDS, you must first import the optional user classes that are provided with AD LDS into the AD LDS schema. These user classes are provided in importable .ldf files, which you can find in the directory %windir%\adam on the computer where AD LDS is installed.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition. For more information about AD LDS groups, see Understanding AD LDS Users and Groups.

To add an AD LDS user to the directory
  1. Open ADSI Edit.

  2. Connect and bind to the AD LDS instance and directory partition to which you want to add a user. For more information, see Use ADSI Edit to Manage an AD LDS Instance.

  3. In the console tree, double-click the directory partition to which you want to add the user.

  4. In the console tree, right-click the container to which you want to add the user, point to New, and then click Object.

  5. In Select a class, click the class that you want to use (user, inetOrgPerson, person, or OrganizationalPerson), and then click Next.

  6. In Value, type a value for the common name (CN) attribute of the new user, and then click Next.

  7. If you want to set values for additional attributes, click More attributes.

  8. After setting any additional attributes for the new user, click Finish.

Additional considerations

  • To open ADSI Edit, on a computer with the AD LDS server role installed, click Start, click Administrative Tools, and then click ADSI Edit.

  • By default, an AD LDS user account is enabled when the user account is created. However, no initial password is set on an AD LDS user account that is created with ADSI Edit. On AD LDS instances running on Windows Server 2008 R2, where local or domain password policy restrictions are in effect, the AD LDS user account is disabled by default. Before you can enable the user account, you must set a password for it that meets the password policy restrictions that are in effect.

  • Any object class can be used as a security principal in AD LDS, if the object class definition contains the SecurityPrincipal static auxiliary class and the unicodePwd attribute.

  • The user, inetOrgPerson, and OrganizationalPerson object classes are not available until you import the AD LDS user class definitions into the schema.

  • You can also perform the task in this procedure by using the Active Directory module for Windows PowerShell. To open the Active Directory module, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell. For more information, see Add an AD LDS User to the Directory (http://go.microsoft.com/fwlink/?LinkId=137802). For more information about Windows PowerShell, see Windows PowerShell (http://go.microsoft.com/fwlink/?LinkID=102372).

Additional references