Understanding Authorization Manager Application Groups

Applies To: Windows Server 2008

Authorization Manager is available for use in the following versions of Windows: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows XP, Windows Vista, Windows 7, and Windows 8. It is deprecated as of Windows Server 2012 R2 and may be removed in subsequent versions.

In Authorization Manager, recipients of authorization policy are represented by the following different kinds of groups:

  • Windows users and groups. These groups include users, computers, and built-in groups for security principals. Windows users and groups are used throughout Windows, not only in Authorization Manager.

  • Application groups. These groups include basic application groups and Lightweight Directory Access Protocol (LDAP) query groups. Application groups are specific to Authorization Manager role-based administration.

An application group is a group of users, computers, or other security principals. An application group is not a group of applications.

  • LDAP query groups. Membership in these groups is dynamically calculated as needed from LDAP queries. An LDAP query group is a type of application group.

  • Basic application groups. These groups are defined in terms of LDAP query groups, Windows users and groups, and other basic application groups. A basic application group is a type of application group.

  • Business rule application groups. These groups are defined by a script written in either VBScript or JScript, and result in group membership being determined dynamically at run time according to criteria you define.

For more information about groups in Active Directory Domain Services (AD DS), see the Technical reference at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=64287). For more information about security principals that are not stored in Active Directory, see the Technical reference about Local Users and Groups at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=64287).

When you create a new application group, you need to determine whether you want it to be an LDAP query group or a basic application group. For Authorization Manager role-based applications, any authorization you can do with Windows users and groups can also be done with application groups.

Circular membership definitions are not allowed, and result in the error message "Cannot add <Group name>. The following problem occurred: A loop has been detected."

In Authorization Manager, you can use LDAP queries to find objects in Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), and other LDAP-compliant directories.

You can use an LDAP query to specify an LDAP query group by typing the desired LDAP query in the space provided on the Query tab of the Properties dialog box of the application group.

Beginning in this version of Windows, Authorization Manager supports two types of LDAP queries that can be used to define an LDAP query group: Authorization Manager version 1-style queries and LDAP URL queries.

  • Authorization Manager Version 1-style LDAP queries

    Version 1-style LDAP queries provide limited support for the LDAP URL query syntax described in RFC 2255. These queries are limited to querying the attribute list of the user object specified in the current client context.

    For example, the following query finds everyone except Andy:


    This query evaluates if the client is a member of the ProjectStatus alias at northwindtraders.com:

    (memberOf=CN=ProjectStatus,OU=Distribution Lists,DC=northwindtraders,DC=com)

    Authorization Manager continues to support version 1-style queries so that solutions developed using earlier versions of Authorization Manager can be upgraded with less effort.

  • LDAP URL queries

    To remove the limitations on which objects and attributes can be searched, Authorization Manager supports an LDAP URL query syntax based on RFC 2255. This lets you create LDAP query groups that use a directory object other than the current user object as the root of the search.

    An LDAP URL begins with the protocol prefix "ldap" and follows this format:

Distinguished name is also known as DN.


Specifically, the following syntax is supported:

       ldapurl    = scheme "://" [hostport] ["/"
                    [dn ["?" [attributes] ["?" [scope]
                    ["?" [filter]]]]]]
       scheme     = "ldap"
       attributes = attrdesc *("," attrdesc)
       scope      = "base" / "one" / "sub"
       dn         = distinguishedName
       hostport   = hostport
       attrdesc   = AttributeDescription
       filter     = filter

For example, the following query returns users whose company attribute is set to "FabCo," from the LDAP server running on port 389 on a host named "fabserver":


When using an LDAP URL query, you can use the special placeholder value %AZ_CLIENT_DN%. This placeholder is replaced with the distinguished name (DN) of the client making the access check. This allows you to construct queries that return objects from the directory based on their relationship to the DN of the client making the request.

In this example, the LDAP query tests whether the user is a member of the "Customers" organizational unit (OU):

ldap://server:<port>/OU=Customers,DC=FABCO-PN,DC=com?(objectclass=*)?sub?(& (objectClass=user)(objectCategory=user) (distinguishedName= %AZ_CLIENT_DN% ))

In this example, the LDAP query tests whether the user is a direct report of a Manager named "SomeManager" and that the "searchattribute" of SomeManager is equal to the particular value "searchvalue":

ldap://server:port/Cn=SomeManager,OU=Users,DC=FABCO-PN,DC=com?(objectclass=*)?base?(&(searchattribute= searchvalue) (directreports = %AZ_CLIENT_DN%))

For more information about the syntax of an LDAP URL query, search for LDAP query syntax at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=65975), or refer to the text of RFC 2255 (http://go.microsoft.com/fwlink/?linkid=65973).

If the LDAP query starts with "ldap," it is treated as an LDAP URL query. If it starts with anything else, it is treated as a version 1-style query.
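The following Python code is an added example, not part of this page and not Authorization Manager's own parser. It splits an LDAP URL into the hostport, dn, attributes, scope and filter parts of the syntax shown above, applies the "starts with ldap" rule that separates LDAP URL queries from version 1-style queries, and substitutes %AZ_CLIENT_DN% with a caller's distinguished name. The host names and port in the sample URLs follow the page's examples; the client DN is constructed, and escaping the DN with RFC 4515 rules before it is placed in the filter is this example's own choice (the page does not say how Authorization Manager performs the substitution).

```python
"""Parse Authorization Manager LDAP URL queries and resolve %AZ_CLIENT_DN%.

Added illustrative code; not Authorization Manager's implementation.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

CLIENT_DN_PLACEHOLDER = "%AZ_CLIENT_DN%"
SCOPES = ("base", "one", "sub")


@dataclass
class LdapUrl:
    hostport: str
    dn: str
    attributes: List[str]
    scope: str
    filter: str


def query_kind(query: str) -> str:
    """Rule from the text: a query that starts with 'ldap' is an LDAP URL query,
    anything else is treated as a version 1-style query."""
    return "ldap-url" if query.lstrip().lower().startswith("ldap") else "version1"


def parse_ldap_url(url: str) -> LdapUrl:
    """Split scheme://hostport/dn?attributes?scope?filter per the supported syntax.
    Missing parts take the RFC 2255 defaults: scope 'base', filter (objectClass=*)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "ldap":
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, path = rest.partition("/")
    parts = path.split("?", 3)            # at most: dn, attributes, scope, filter
    parts += [""] * (4 - len(parts))      # pad absent trailing components
    dn, attrs, scope, flt = (unquote(p) for p in parts)
    scope = scope.lower() or "base"
    if scope not in SCOPES:
        raise ValueError("bad scope %r (expected base, one or sub)" % scope)
    attributes = [a for a in attrs.split(",") if a]
    return LdapUrl(hostport, dn, attributes, scope, flt or "(objectClass=*)")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN embedded in a filter cannot alter the filter's
    structure (parentheses, backslashes, asterisks and control characters)."""
    return "".join(
        "\\%02x" % ord(c) if c in "\\*()" or ord(c) < 0x20 else c for c in value
    )


def resolve_client_dn(query: str, client_dn: str) -> str:
    """Replace the %AZ_CLIENT_DN% placeholder with the caller's DN.
    Escaping the DN first is an assumption of this example."""
    return query.replace(CLIENT_DN_PLACEHOLDER, escape_filter_value(client_dn))


if __name__ == "__main__":
    # Second LDAP URL example from the page, with the placeholder port filled in
    # as 389 and the whitespace inside the filter removed (constructed sample).
    sample = ("ldap://server:389/Cn=SomeManager,OU=Users,DC=FABCO-PN,DC=com"
              "?(objectclass=*)?base?(&(searchattribute=searchvalue)"
              "(directreports=%AZ_CLIENT_DN%))")
    parsed = parse_ldap_url(sample)
    print(query_kind(sample), parsed.scope, parsed.dn)
    print(resolve_client_dn(parsed.filter, "CN=Pat,OU=Users,DC=FABCO-PN,DC=com"))
```

Note that the page's own examples place "(objectclass=*)" in the attributes position of the URL; the parser above reports it verbatim as a single attribute entry rather than rejecting it, so the scope and filter that follow are still recovered.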

Basic application groups are specific to Authorization Manager.

To define basic application group membership, you need to:

  1. Define who is a member.

  2. Define who is not a member.

Both of these steps are carried out in the same way:

  • First, for members and for nonmembers alike, you specify zero or more Windows users and groups, previously defined basic application groups, or LDAP query groups.

  • Second, Authorization Manager automatically calculates the membership of the basic application group at run time by removing any nonmembers from the members.

Non-membership in a basic application group takes precedence over membership.
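The following Python code is an added example, not part of this page and not Authorization Manager's own code. It models the two rules stated above and the loop check mentioned earlier: a basic application group is evaluated as its members minus its nonmembers (so non-membership wins), member references may be Windows security principals, LDAP query groups or other basic application groups, and a reference that would make a group reach itself is refused with the "A loop has been detected" message. The group names, SIDs and client attributes are constructed for the example, an LDAP query group is represented by a predicate over the client context, and the assumption that the loop check follows both member and nonmember references is this example's own.

```python
"""Model of basic application group evaluation in Authorization Manager.

Added illustrative code; not Authorization Manager's implementation.
"""
from typing import Callable, Dict, List


class LoopDetected(Exception):
    """Raised when a reference would make a group reachable from itself."""


class AppGroupStore:
    def __init__(self) -> None:
        # Basic application groups: name -> member and nonmember reference lists.
        # A reference is a Windows SID string, another basic group name, or an
        # LDAP query group name.
        self.basic: Dict[str, Dict[str, List[str]]] = {}
        # LDAP query groups, modelled here as a predicate over the client context
        # (assumption: stands in for evaluating the LDAP query against the directory).
        self.ldap: Dict[str, Callable[[dict], bool]] = {}

    def add_basic_group(self, name: str) -> None:
        self.basic[name] = {"members": [], "nonmembers": []}

    def add_ldap_group(self, name: str, predicate: Callable[[dict], bool]) -> None:
        self.ldap[name] = predicate

    def _references(self, group: str) -> List[str]:
        g = self.basic[group]
        return g["members"] + g["nonmembers"]

    def would_loop(self, group: str, ref: str) -> bool:
        """True if adding `ref` to `group` lets `group` reach itself
        (assumption: nonmember references count as edges too)."""
        stack, seen = [ref], set()
        while stack:
            cur = stack.pop()
            if cur == group:
                return True
            if cur in seen or cur not in self.basic:
                continue
            seen.add(cur)
            stack.extend(self._references(cur))
        return False

    def add_reference(self, group: str, ref: str, nonmember: bool = False) -> None:
        """Add a member or nonmember reference, refusing circular definitions."""
        if self.would_loop(group, ref):
            raise LoopDetected(
                "Cannot add %s. The following problem occurred: "
                "A loop has been detected." % ref)
        self.basic[group]["nonmembers" if nonmember else "members"].append(ref)

    def _matches(self, ref: str, client: dict) -> bool:
        if ref in self.basic:
            return self.is_member(ref, client)
        if ref in self.ldap:
            return self.ldap[ref](client)
        return ref in client["sids"]          # Windows user or group SID

    def is_member(self, group: str, client: dict) -> bool:
        """Members minus nonmembers: any nonmember match excludes the client."""
        g = self.basic[group]
        if any(self._matches(r, client) for r in g["nonmembers"]):
            return False
        return any(self._matches(r, client) for r in g["members"])


def build_sample_store() -> AppGroupStore:
    """Constructed sample store; every name and SID here is made up."""
    store = AppGroupStore()
    # LDAP query group: everyone whose company attribute is FabCo
    store.add_ldap_group("FabCoStaff",
                         lambda client: client["attrs"].get("company") == "FabCo")
    store.add_basic_group("Contractors")
    store.add_reference("Contractors", "S-1-5-21-1-2-3-1200")       # a Windows group
    store.add_basic_group("ProjectWriters")
    store.add_reference("ProjectWriters", "FabCoStaff")
    store.add_reference("ProjectWriters", "S-1-5-21-1-2-3-1105")    # a Windows user
    store.add_reference("ProjectWriters", "Contractors", nonmember=True)
    return store


def loop_rejected(store: AppGroupStore) -> bool:
    """ProjectWriters already references Contractors, so making ProjectWriters a
    member of Contractors would close a cycle and must be refused."""
    try:
        store.add_reference("Contractors", "ProjectWriters")
    except LoopDetected:
        return True
    return False


if __name__ == "__main__":
    s = build_sample_store()
    contractor = {"sids": {"S-1-5-21-1-2-3-1200"}, "attrs": {"company": "FabCo"}}
    print(s.is_member("ProjectWriters", contractor))   # nonmember wins: False
    print(loop_rejected(s))                            # True
```

The contractor client in the usage section matches the FabCoStaff LDAP query group but also matches the Contractors nonmember reference, which is exactly the case where non-membership takes precedence.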

Business rule application groups are specific to Authorization Manager.

To define business rule application group membership, you must write a script in either VBScript or JScript. The script source code is loaded from a text file on the Properties page of the business rule application group.
