Administering users and groups

Applies To: Windows Server 2003 R2

You can administer users and groups in Active Directory Application Mode (ADAM) through the ADAM ADSI Edit snap-in or through your directory-enabled applications. For information about how to perform tasks related to users and groups in ADAM, see Manage Users and Groups.

ADAM users

To create users in ADAM, you must first import the optional user classes that are provided with ADAM into the ADAM schema. These user classes are provided in importable .ldf files (ms-User.ldf, ms-InetOrgPerson.ldf, ms-UserProxy.ldf), which you can find in the directory %windir%\adam on the computer where ADAM is installed. The following table describes the contents of each of the optional .ldf files.

.ldf file: ms-user.ldf

User classes:

  • Person

  • Organizational-Person

  • User

Import this file if: You want to create user objects in the ADAM directory, but you do not want to create users of the inetOrgPerson class (as defined in RFC 2798).

.ldf file: ms-inetorgperson.ldf

User classes:

  • Person

  • Organizational-Person

  • User

  • inetOrgPerson

Import this file if: You want to create user objects in the ADAM directory, and you want to create users of the inetOrgPerson class (as defined in RFC 2798).

.ldf file: ms-userproxy.ldf

User classes:

  • User-Proxy

Import this file if: You want to create proxy objects in ADAM for use in bind redirection. For more information about proxy objects and bind redirection, see Understanding ADAM bind redirection.

For information about the schema definitions for each of the user object classes, see "Active Directory Schema" on the Microsoft MSDN Web site.

For more information about importing user classes, see Import the user classes supplied with ADAM. For information about creating ADAM users, see Add an ADAM user to the directory.

You can also disable ADAM users. For more information about disabling ADAM users, see Disable or enable an ADAM user.

Setting and modifying passwords

You can set and modify passwords for ADAM security principals over Secure Sockets Layer (SSL) connections (using Ldp.exe) or over encrypted, non-SSL connections (using ADAM ADSI Edit or Ldp.exe). To establish an SSL connection to ADAM, you must install certificates on the computer running ADAM and on all the clients. For more information about certificates, see Administering an ADAM instance. To make SSL connections to an ADAM instance, you must use Ldp.exe; ADAM ADSI Edit does not support SSL connections.

For information about setting and modifying passwords, see Set or modify the password of an ADAM user.

Note

On computers running Windows XP Professional that need to establish SSL connections to an ADAM instance, you must install the hotfix described in article 817583 in the Microsoft Knowledge Base.

By default, an ADAM instance running on Windows Server 2003 automatically enforces any local or domain password policies that exist. If you create a new ADAM user, and if you assign a password to that user that does not meet the requirements of the password policy that is in effect, the user will be disabled.

Password policy settings and account lockouts

When ADAM runs on a computer running Windows Server 2003, it supports and enforces the password policy settings and account lockout settings that are provided by Windows Server 2003, including the following:

  • Minimum age

  • Maximum age

  • Complexity

  • History

  • Too many failed logon attempts

  • Disabling and enabling of accounts

If the server on which ADAM is running belongs to a workgroup, the server's local password policy settings and account lockout settings are implemented. If the server on which ADAM is running belongs to a domain, the password policy settings and account lockout settings from Active Directory are implemented. Password policy settings are not enforced on ADAM instances that run on a computer running Windows XP Professional.

You can disable the enforcement of password policy settings in ADAM by setting the ADAMDisablePasswordPolicies value of the multi-valued attribute msDS-Other-Settings to 1. This attribute is on the object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN=GUID in the configuration partition of the instance.
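The following Python is an added example, not Microsoft's code or a page procedure: it audits whether an instance has password-policy enforcement switched off and builds the LDIF modify needed to set ADAMDisablePasswordPolicies in msDS-Other-Settings to 0 or 1. The msDS-Other-Settings values shown are constructed sample data, and {CONFIG-GUID} is a placeholder for the instance's configuration GUID.

```python
"""Audit and set ADAM password-policy enforcement via msDS-Other-Settings."""

# Constructed sample of the multi-valued msDS-Other-Settings attribute as an
# LDAP client would return it (the second value is illustrative only).
SAMPLE_SETTINGS = [
    "ADAMDisablePasswordPolicies=0",
    "MaxConnections=5000",
]

# {CONFIG-GUID} is a placeholder for the instance-specific configuration GUID.
CONFIG_DN = ("CN=Directory Service,CN=Windows NT,CN=Services,"
             "CN=Configuration,CN={CONFIG-GUID}")
SETTING = "ADAMDisablePasswordPolicies"


def parse_settings(values):
    """Turn the name=value strings of msDS-Other-Settings into a dict."""
    settings = {}
    for raw in values:
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"malformed msDS-Other-Settings value: {raw!r}")
        settings[name.strip()] = value.strip()
    return settings


def password_policies_disabled(values):
    """True when the instance is set to skip Windows password policies."""
    return parse_settings(values).get(SETTING, "0") == "1"


def ldif_set_password_policies(values, disable):
    """Build an LDIF modify that sets ADAMDisablePasswordPolicies to 1 or 0.

    Returns None when the attribute already holds the requested value, so a
    repeated run makes no change.
    """
    current = parse_settings(values).get(SETTING)
    wanted = "1" if disable else "0"
    if current == wanted:
        return None
    lines = [f"dn: {CONFIG_DN}", "changetype: modify"]
    if current is not None:
        # Multi-valued attribute: remove the old name=value pair first.
        lines += ["delete: msDS-Other-Settings",
                  f"msDS-Other-Settings: {SETTING}={current}", "-"]
    lines += ["add: msDS-Other-Settings",
              f"msDS-Other-Settings: {SETTING}={wanted}", "-"]
    return "\n".join(lines) + "\n"
```

Save the returned text to a file and import it with ldifde -i -f against the ADAM instance; re-enabling enforcement is the same call with disable=False.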

For more information about password policy settings and account lockout settings in Windows Server 2003, see Help and Support Center in Windows Server 2003.

ADAM groups

In addition to the four role-based groups that are provided by default in each directory partition in ADAM, you can add your own groups. You can add both ADAM users and Windows users to the ADAM groups that you create.

For more information, see Add an ADAM group to the directory and Add or remove members to or from an ADAM group.

Note

In ADAM, it is possible for an ADAM administrator, or for a user with sufficient access to the Administrators group, to remove member accounts from the ADAM Administrators group, possibly leaving ADAM without any valid administrators. To recover from this scenario, the assigned ADAM administrator, as the owner of the Administrators group, can repopulate the ADAM Administrators group with the appropriate accounts.

Organizing ADAM users and groups with organizational units

To keep your ADAM users and groups organized, you may want to place users and groups in organizational units (OUs). In Active Directory and in ADAM, as well as in other Lightweight Directory Access Protocol (LDAP)-based directories, OUs are the most commonly used method for keeping users and groups organized. For information about creating OUs in ADAM, see Add an organizational unit to the directory.

Note

By default, OUs can only be added under other OU (OU=), country/region (C=), organization (O=), or domain-DNS (DC=) object classes. For example, you can add an OU to O=Microsoft,C=US. You cannot add an OU to CN=test,O=Microsoft,C=US. You can, however, update the schema definition of the OU object class to allow other superiors.