Step 4: Practice Managing AD LDS Organizational Units, Groups, and Users

Applies To: Windows Server 2008

Most often, you use Active Directory Lightweight Directory Services (AD LDS) to store information about users, organizations, and the groups that they belong to. Tasks for managing AD LDS organizational units (OUs), groups, and users include the following:

  • Create an OU

  • Create an AD LDS group

  • Create an AD LDS user

  • Add or remove members to or from an AD LDS group

  • Disable or enable AD LDS user accounts

Create an OU

To keep your AD LDS users and groups organized, you may want to place users and groups in OUs. In Active Directory Domain Services (AD DS) and in AD LDS, as well as in other Lightweight Directory Access Protocol (LDAP)–based directories, OUs are most commonly used for keeping users and groups organized.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To create an OU

  1. Click Start, point to Administrative Tools, and then click ADSI Edit.

  2. Connect and bind to the directory partition of the AD LDS instance to which you want to add an OU.

    For this exercise, connect and bind to the o=Microsoft,c=US application directory partition, as described in the procedure "To manage an AD LDS instance using ADSI Edit" in Step 3: Practice Using AD LDS Administration Tools.

  3. In the console tree, double-click the o=Microsoft,c=US directory partition, right-click the container to which you want to add the OU, point to New, and then click Object.

  4. In Select a class, click organizationalUnit, and then click Next.

  5. In Value, type a name for the new OU, and then click Next.

    For this exercise, type AD LDS Users in the Value box.

  6. If you want to set values for additional attributes, click More attributes.

    For this exercise, simply click Finish.

Create an AD LDS group

You can administer users and groups in AD LDS through the ADSI Edit snap-in or through your directory-enabled applications. To create users in AD LDS, you must first import the optional user classes that are provided with AD LDS into the AD LDS schema. These user classes are provided in importable .ldf files, which you can find in the directory %windir%\ADAM on the computer where AD LDS is installed. For more information, see the procedure "To create a new AD LDS instance by using the Active Directory Lightweight Directory Services Setup Wizard" in Step 2: Practice Working with AD LDS Instances.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To create an AD LDS group

  1. Click Start, point to Administrative Tools, and then click ADSI Edit.

  2. Connect and bind to the directory partition of the AD LDS instance to which you want to add a group.

    For this exercise, connect and bind to the o=Microsoft,c=US application directory partition, as described in the procedure "To manage an AD LDS instance using ADSI Edit" in Step 3: Practice Using AD LDS Administration Tools.

  3. In the console tree, double-click the o=Microsoft,c=US directory partition, right-click OU=AD LDS Users, point to New, and then click Object.

  4. In Select a class, click group, and then click Next.

  5. In Value, type a common name (CN) for the new group, and then click Next.

    For this exercise, type AD LDS Testers in the Value box.

Note

By default, the groupType attribute is set to 0x80000002 hexadecimal, representing an account group. If you want to change it, click More attributes. In Select which properties to view, select Both (Mandatory and Optional). In the Select a property to view drop-down menu, select groupType, and edit it according to your design by typing in its value in the Edit Attribute field.

  6. If you want to set values for additional attributes, click More attributes.

  7. After you set all the desired attributes for the new group, click Finish.

Create an AD LDS user

You can administer users and groups in AD LDS with the ADSI Edit snap-in or with your directory-enabled applications. To create users in AD LDS, you must first import the optional user classes that are provided with AD LDS into the AD LDS schema. These user classes are provided in importable .ldf files, which you can find in the directory %windir%\ADAM on the computer where AD LDS is installed. For more information, see the procedure "To create a new AD LDS instance by using the Active Directory Lightweight Directory Services Setup Wizard" in Step 2: Practice Working with AD LDS Instances.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To create an AD LDS user

  1. Click Start, point to Administrative Tools, and then click ADSI Edit.

  2. Connect and bind to the directory partition of the AD LDS instance to which you want to add a user.

    For this exercise, connect and bind to the o=Microsoft,c=US application directory partition, as described in the procedure "To manage an AD LDS instance using ADSI Edit" in Step 3: Practice Using AD LDS Administration Tools.

  3. In the console tree, right-click OU=AD LDS Users, point to New, and then click Object.

  4. In Select a class, click the class that you want to use (user, inetOrgPerson, person, or organizationalPerson), and then click Next.

  5. In Value, type a value for the common name (CN) attribute of the new user, and then click Next.

    For this exercise, type Mary North as the CN for the new user.

  6. If you want to set values for additional attributes, click More attributes.

  7. After setting any additional attributes for the new user, click Finish.

Note

If an AD LDS user is created with a blank password, this user account is automatically disabled. For the purposes of successfully performing the rest of the exercises in this guide, follow the steps in the procedure "To disable or enable an AD LDS user" later in this topic to enable the CN=Mary North,OU=AD LDS Users,o=Microsoft,c=US user account that you just created.

Add or remove members to or from an AD LDS group

AD LDS relies on users and groups to provide and control access to directory data. AD LDS supports the simultaneous use of both Windows users and AD LDS users. Both Windows users and AD LDS users can be members of AD LDS groups.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To add or remove members to or from an AD LDS group

  1. Click Start, point to Administrative Tools, and then click ADSI Edit.

  2. Connect and bind to the directory partition of the AD LDS instance that contains the group that you want to modify.

    For this exercise, connect and bind to the o=Microsoft,c=US application directory partition, as described in the procedure "To manage an AD LDS instance using ADSI Edit" in Step 3: Practice Using AD LDS Administration Tools.

  3. In the console tree, double-click the directory partition containing the group that you want to modify.

  4. Right-click the group that you want to modify, and then click Properties.

    For this exercise, select CN=AD LDS Testers.

  5. In Attributes, click member, and then click Edit.

  6. In the Multi-valued Distinguished Name With Security Principal Editor, for each AD LDS security principal that you want to add to the group, click Add DN, type the distinguished name of the new member, and then click OK.

    For this exercise, type CN=Mary North,OU=AD LDS Users,o=Microsoft,c=US.

  7. In the Multi-valued Distinguished Name With Security Principal Editor, for each Windows security principal that you want to add to the group, click Add Windows account, type the account name of the new member, and then click OK.

  8. In the Multi-valued Distinguished Name With Security Principal Editor, for each group member that you want to remove from the group, click the member that you want to remove, and then click Remove.

  9. After making the changes that you want to the group, click OK twice.

Disable or enable AD LDS user accounts

When you disable or enable an AD LDS user, you control whether that user can bind to the AD LDS directory. You use the ADSI Edit snap-in to disable and enable AD LDS users.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To disable or enable an AD LDS user

  1. Open ADSI Edit.

  2. Connect and bind to the directory partition of the AD LDS instance that contains the user that you want to disable or enable.

    For this exercise, connect and bind to the o=Microsoft,c=US application directory partition, as described in the procedure "To manage an AD LDS instance using ADSI Edit" in Step 3: Practice Using AD LDS Administration Tools.

  3. Browse to the AD LDS user that you want to disable or enable, right-click that user, and then click Properties.

    For this exercise, select CN=Mary North.

  4. In Attributes, click msDS-UserAccountDisabled, and then click Edit.

  5. In Boolean Attribute Editor, do one of the following, and then click OK:

    • To disable the AD LDS user, click True.

    • To enable the AD LDS user, click either False or Not set.
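The five procedures in this step (create the OU, create the group, create the user, add the user to the group, and then enable the user) carried out from PowerShell instead of ADSI Edit, as an added example that is not part of the original page. The instance port 50000 is a constructed value, and the System.DirectoryServices calls are an assumption about how you reach the instance; the names and attributes are the ones the procedures above use.

```powershell
# Added example, not from the original page. Assumptions: the AD LDS instance
# listens on localhost:50000 (constructed) and the caller is a member of the
# instance's Administrators group, as the procedures above require.
$server    = 'localhost:50000'
$partition = 'o=Microsoft,c=US'
$root      = [ADSI]"LDAP://$server/$partition"

# Create the OU. DirectoryEntries.Add takes (RDN, class), the reverse of IADs Create.
$ou = $root.Children.Add('OU=AD LDS Users', 'organizationalUnit')
$ou.CommitChanges()

# Create the group and read back the default groupType the Note above describes
# (0x80000002, an account group); stored as a signed 32-bit integer.
$group = $ou.Children.Add('CN=AD LDS Testers', 'group')
$group.CommitChanges()
$group.RefreshCache()
'groupType: 0x{0:X8}' -f $group.Properties['groupType'].Value

# Create the user. No password is set here, so AD LDS disables the account,
# exactly as the Note in "Create an AD LDS user" warns.
$user = $ou.Children.Add('CN=Mary North', 'user')
$user.CommitChanges()
$user.RefreshCache()
'Disabled right after creation: {0}' -f $user.Properties['msDS-UserAccountDisabled'].Value

# Add the user to the group by distinguished name (member is multi-valued).
$userDn = "CN=Mary North,OU=AD LDS Users,$partition"
[void]$group.Properties['member'].Add($userDn)
$group.CommitChanges()

# Enable (False) or disable (True) the account through msDS-UserAccountDisabled.
# Returns the value the directory holds after the change; an unset attribute reads
# as $null, which [bool] maps to False (the "Not set" case in step 5 above).
function Set-AdLdsUserDisabled {
    param([System.DirectoryServices.DirectoryEntry]$Entry, [bool]$Disabled)
    $Entry.Properties['msDS-UserAccountDisabled'].Value = $Disabled
    $Entry.CommitChanges()
    $Entry.RefreshCache()
    return [bool]$Entry.Properties['msDS-UserAccountDisabled'].Value
}
Set-AdLdsUserDisabled -Entry $user -Disabled $false

# Verify: the user is listed as a member and is no longer disabled.
$group.RefreshCache()
'Members: {0}' -f (@($group.Properties['member']) -join '; ')
'Disabled now: {0}' -f ([bool]$user.Properties['msDS-UserAccountDisabled'].Value)
```

Running the script twice fails at the first Children.Add because the OU already exists; delete the OU=AD LDS Users subtree in ADSI Edit first, or skip the create steps and bind to the existing entries with [ADSI]"LDAP://$server/$userDn".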