Modify the Service Account Used by an AD LDS Instance

Applies To: Windows Server 2008

You can use Dsdbutil, the general Active Directory Lightweight Directory Services (AD LDS) management tool, to modify the service accounts that are used by the AD LDS instances installed on your computer.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To modify the service account used by an AD LDS instance

  1. Open a command prompt. To open the command prompt, click Start, click Run, and then type cmd.

  2. At the command prompt, type the following command, and then press ENTER:

    net stop <instancename>

    Where <instancename> represents the service name of the AD LDS instance for which you want to change the service account.

  3. At the command prompt, type the following command, and then press ENTER:

    dsdbutil

  4. At the dsdbutil: prompt, type the following command, and then press ENTER:

    activate instance <instancename>

    Where <instancename> represents the service name of the AD LDS instance for which you want to change the service account.

  5. At the dsdbutil: prompt, type the following command, and then press ENTER:

    change service account <accountname> <password>

    Where <accountname> and <password> represent the account name and password of the account to be used as the AD LDS service account.

  6. To exit dsdbutil, at the dsdbutil: prompt, type the following command, and then press ENTER:

    quit

  7. To restart the AD LDS instance, at the command prompt, type the following command, and then press ENTER:

    net start <instancename>

Additional considerations

  • When you specify a workstation or domain user account as the service account, the specified account must possess the Log on as a service right. For more information about how to assign the Log on as a service right to an account, see Add the Log on as a service right to an account.

  • The service account that you select must have permission to read and write the AD LDS data and log files in %ProgramFiles%\Microsoft ADAM\instancename.

  • The service account that you have selected may depend on whether the AD LDS instance participates in a configuration set. It may also depend on the replication security level. For more information, see Administering AD LDS Replication, Sites, and Configuration Sets.
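The following Windows PowerShell script is an added example, not part of the original procedure. After the account change, it checks that the service is configured with the new account, that the account holds the Log on as a service right, and that it can read and write the instance's data directory. The service name, account name, and directory are constructed placeholders, and the script assumes Windows PowerShell 2.0 or later in an elevated session.

```powershell
# Added example: post-change checks for an AD LDS service account.
# All parameter defaults are constructed placeholders, not values from the page.
param(
    [string]$ServiceName = 'ADAM_instance1',
    [string]$Account     = 'CONTOSO\svc-adlds',
    [string]$DataPath    = "$env:ProgramFiles\Microsoft ADAM\instance1"
)
$problems = @()

# 1. The instance's service must now be configured to run as the new account.
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
if ($svc.StartName -ne $Account) {
    $problems += "Service runs as '$($svc.StartName)', expected '$Account'."
}

# 2. The account needs "Log on as a service" (SeServiceLogonRight).
#    Only a direct assignment is detected; a grant through a group is not.
$nt  = New-Object Security.Principal.NTAccount($Account)
$sid = $nt.Translate([Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'adlds-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' |
        Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$holders = @()
if ($line) {
    $holders = ($line.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
}
if ($holders -notcontains "*$sid") {
    $problems += "'$Account' is not directly assigned Log on as a service."
}

# 3. The account must be able to read and write the data and log files.
#    Only an Allow entry naming the account itself is detected.
$needed = [int][Security.AccessControl.FileSystemRights]'Read, Write'
$ace = (Get-Acl -Path $DataPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $Account -and
    ([int]$_.FileSystemRights -band $needed) -eq $needed
}
if (-not $ace) {
    $problems += "'$Account' has no direct read/write entry on '$DataPath'."
}

if ($problems.Count -eq 0) { "All checks passed for $ServiceName." }
else { $problems | ForEach-Object { "CHECK FAILED: $_" }; exit 1 }
```

A failure in check 2 or 3 can be a false alarm when the right or the file permission is granted through a group; confirm group membership before changing anything.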