Before you can use Authorization Manager to control access to resources, you must create an authorization store.
Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.
|To create an authorization store|
Open Authorization Manager.
If necessary, switch to developer mode by changing the Authorization Manager options.
In the console tree, right-click Authorization Manager, and then click New Authorization Store.
In the New Authorization Store dialog box, click Active Directory, XML file, or Microsoft SQL.
In Store name, type the authorization store name or click Locations to find the authorization store. You cannot use Locations to browse for a computer running Microsoft SQL Server. You must know the location you want to use to create a store in SQL Server.
(Optional) In Description, type a description for the new authorization store.
- To perform this procedure, you must be
working in developer mode.
- To create an authorization store that is
stored in Active Directory Domain Services (AD DS), use the
Lightweight Directory Access Protocol (LDAP) name (for example,
CN=myStore,CN=Program Data,DN=nwtraders,DN=com). A store may
be created in an AD DS partition or in an Active Directory
Lightweight Directory Services (AD LDS) partition. AD LDS was
formerly known as Active Directory/Application Mode (ADAM).
- Any user or group who is assigned to the
Policy Administrator, Policy Reader, or Policy
Delegated User role at any level (store, application, or scope)
for an Authorization Manager store that is stored in an AD LDS
partition must also be added to the AD LDS Reader role of
that AD LDS partition.
- To create an XML-based authorization store,
use a path and file name that is valid at run time (for example,
- To create an SQL-based authorization store,
use a URL beginning with the protocol prefix MSSQL://. See
"Additional references" for details on how to format an SQL
connection string as a URL.
- By default, members of the local
Administrators group have sufficient rights and privileges
to complete this task. In your environment, security may be managed
so that non-administrators have additional rights.
- If User Account Control is enabled, it can be
configured to allow non-administrators to enter the credentials of
an administrator to complete administrative tasks without being a
member of the Administrators group.
- If the store is being created on another
computer, you must ensure that you have sufficient permissions to
access and create the appropriate type of resources on that other