In Windows Server 2008, several new features were introduced in Authorization Manager. These include:
- Authorization Manager stores can be stored in Microsoft SQL Server databases, Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), or XML files. For more information, see Connect to an SQL-based Authorization Store.
- Support for business rule groups (groups whose membership is determined at run time by a script) is available. For more information, see Create an Application Group within an Authorization Store.
- Support is available for custom object pickers, so that application administrators can use Authorization Manager for applications that use AD LDS or SQL user accounts. For more information about using a custom object picker, see Choose Users or Groups with a Custom Object Picker.

Many additional improvements and changes were made to Authorization Manager. Some of these are:
- Improvements were made to the Authorization Manager application programming interface (API), including optimization of common functions and the introduction of simpler, faster versions of commonly used methods, such as AccessCheck.
- LDAP queries are not limited to user objects.
- Additional events are recorded in the log if auditing is active.
- The use of business rules and authorization rules is controlled by a registry setting. In Windows Server 2008 R2 and Windows Server 2008, rules are disabled by default. In earlier versions of Windows, rules were enabled by default.