Allow Other Users to Administer an Authorization Store

You may want to allow additional people to manage your authorization store without granting them additional rights in the operating system. To do so, use the following procedure.

You must be assigned to the Authorization Manager Administrator user role to complete this procedure. By default, Administrators is the minimum Windows group membership assigned to this role. Review the details in "Additional considerations" in this topic.

Allow other users to administer an authorization store

1. If necessary, open Authorization Manager.

2. If necessary, create or open an authorization store.

3. In the console tree, right-click the authorization store, and then click Properties.

4. In the Properties dialog box, click the Security tab.

5. Under Authorization Manager user role, click Administrator.

6. Under Users and groups that are assigned to this role, click Add or Remove to add or remove users and groups to which you want to assign the Administrator role.

Additional considerations

• To perform this procedure, you need to have access to an authorization store. By default, members of the Administrators group have the required access, but Authorization Manager allows you to delegate responsibility. For more information, see "Additional references" in this topic.
  
  
• Any user or group who is assigned to the Policy Administrator, Policy Reader, or Policy Delegated User role at any level (store, application, or scope) for an Authorization Manager store that is stored in an Active Directory Lightweight Directory Services (AD LDS) partition must also be added to the AD LDS Reader role of that AD LDS partition. AD LDS was formerly known as Active Directory/Application Mode (ADAM).
  
  

Additional references

• <Store Name> Property Sheet: Security Tab
  
  
• Understanding Authorization Manager Stores
  
  
• Understanding Authorization Manager Applications
  
  
• Start Authorization Manager