AD LDS: Add an administrator to the ISAM metadata directory partition
After adding the ISAM schema to the Active Directory Lightweight Directory Service (AD LDS) instance and specifying the ISAM metadata directory location, add an AD LDS user administrator for the ISAM metadata directory partition. This AD LDS user has administrative authority over the ISAM metadata directory partition and is specified as the LDAP administrator DN during Security Verify Access configuration. The following example assumes that we accepted the default management domain and location. If we specified a different domain name or location, add the AD LDS user administrator to that partition instead.
Steps
- Create the AD LDS LDAP administrator:
- Start the ADSI Edit program (Adsiedit.msc).
- On the Action menu, click Connect to…
- In the Connection name field, we can type a label under which this connection appears in the console tree of AD LDS ADSI Edit. For this connection, type: secAuthority.
- Under Connection Point, enter secAuthority=Default in the Select or type a Distinguished Name or Naming Context section. If we use a different directory partition, select that partition. This example assumes the default partition.
- Under Computer, enter the server name and port for the AD LDS instance in the Select or type a domain or server section. If the AD LDS instance is on the local system, we can use localhost as the server name.
- Click OK. The connection, secAuthority, now appears in the console tree.
- Select user attributes:
- Expand the secAuthority tree by double-clicking secAuthority and then double-click SECAUTHORITY=DEFAULT.
- Highlight and right-click the SECAUTHORITY=DEFAULT container, point to New, and then click Object…
- Under Select a class, click user.
- Click Next.
- For the value of the cn attribute, type the common name for the administrator we want to create. For example, type tam.
- Click Next.
- Click More Attributes.
- Select and set the following properties:
- msDS-UserDontExpirePassword: Set to True to prevent the default password expiration policy from applying to this administrator. To have the password policy apply to this administrator, leave this property unset.
- msDS-UserAccountDisabled: Set to False to enable the user account that we are creating. A disabled account cannot bind, so Security Verify Access configuration fails if this is left set to True.
- Click OK.
- No other attributes are required. To set more attributes, click More Attributes, select the attribute to set, and enter its value. When we are finished, click Finish. The user is created with the following Distinguished Name (DN):
cn=tam,secAuthority=Default
- To set the administrator password, highlight and then right-click the user that we created. Select Reset password…
- In the Reset Password pane, enter and confirm the password to use. When finished, click OK. Record the user DN and password that we created; these details are specified as the LDAP Administrator DN and password when Security Verify Access is configured.
- Add the user to the Administrators group for the partition:
- The SECAUTHORITY=DEFAULT directory partition contains three containers: CN=LostAndFound, CN=NTDSQuotas, and CN=Roles.
- Highlight the CN=Roles container by clicking it. In the details pane on the right side of the AD LDS ADSI Edit tool, the groups within the Roles container are displayed.
- Highlight the CN=Administrators group by clicking it.
- Right-click on the CN=Administrators group and select Properties. The CN=Administrators Properties page is displayed.
- Under Attributes, scroll down and select the member attribute.
- Click Edit.
- Click Add DN. Type the distinguished name of the administrator user that we created (for example, cn=tam,secAuthority=Default) into the DN field.
- Click OK. The administrator user is added to the Administrators group and is displayed as a member.
- Click OK to close the attribute editor, and then click OK again to close the Properties page and complete the membership update.
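The same three steps (create the user, set its password, add it to the partition's Administrators role) can be scripted instead of clicked through ADSI Edit. The following PowerShell is an added example and is not part of the IBM documentation or the Security Verify Access product; it uses the System.DirectoryServices classes that ship with Windows. It assumes the AD LDS instance listens on localhost:389, the partition is secAuthority=Default and the administrator is cn=tam; change the parameters for a different instance, and run it as a Windows account that already administers the AD LDS instance.

```powershell
# Added example (not IBM's code): scripted equivalent of the ADSI Edit procedure above.
# Assumed values: AD LDS on localhost:389, partition secAuthority=Default, admin cn=tam.
param(
    [string]$Server    = 'localhost:389',
    [string]$Partition = 'secAuthority=Default',
    [string]$AdminCn   = 'tam'
)

Add-Type -AssemblyName System.DirectoryServices

$userDn  = "cn=$AdminCn,$Partition"
$groupDn = "CN=Administrators,CN=Roles,$Partition"

# Bind with the current Windows credentials over a signed and sealed connection.
# AD LDS rejects password operations on an unencrypted bind unless the instance was
# explicitly configured to allow them, so keep Sealing here.
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
        [System.DirectoryServices.AuthenticationTypes]::Sealing

# Prompt for the new administrator's password rather than embedding it in the script.
$plain = (Get-Credential -UserName $userDn -Message 'Password for the new LDAP administrator').GetNetworkCredential().Password

# Step 1: create the user object directly under the partition root
# (the SECAUTHORITY=DEFAULT container in ADSI Edit).
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Partition", $null, $null, $auth)
$user = $root.Children.Add("CN=$AdminCn", 'user')
$user.Properties['msDS-UserDontExpirePassword'].Value = $true   # optional: exempt from expiry policy
$user.Properties['msDS-UserAccountDisabled'].Value    = $false  # required: a disabled account cannot bind
$user.CommitChanges()                                            # commits the create; throws if cn=tam already exists

# Step 2: set the password (the Reset password... action in ADSI Edit). SetPassword is
# an IADsUser method, reached through the COM interop Invoke on the DirectoryEntry.
$user.Invoke('SetPassword', $plain)
$user.CommitChanges()

# Step 3: add the user to CN=Administrators under CN=Roles, skipping if already a member.
$group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$groupDn", $null, $null, $auth)
if (-not (@($group.Properties['member']) -contains $userDn)) {
    $null = $group.Properties['member'].Add($userDn)
    $group.CommitChanges()
}

# Check: a simple bind as the new DN proves the password works and the account is
# enabled, which is exactly what the Security Verify Access configuration will do.
# A simple bind sends the password in clear on 389, so run this check against
# localhost only, or point $Server at the SSL port and use
# [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer instead of None.
$check = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Partition", $userDn, $plain,
            [System.DirectoryServices.AuthenticationTypes]::None)
$null = $check.NativeObject      # forces the bind; throws if the DN or password is wrong

$group.RefreshCache()
if (@($group.Properties['member']) -contains $userDn) {
    "Created $userDn and added it to $groupDn"
} else {
    throw "$userDn is not a member of $groupDn"
}
```

The script is idempotent for the group membership step but not for the create step: rerunning it against an existing cn=tam fails at the first CommitChanges, which is the desired behaviour for an account whose DN and password are about to be handed to Security Verify Access configuration. If SetPassword fails with a constraint or server-unwilling error, the bind was not encrypted; use the sealed Windows bind shown, or LDAPS, rather than relaxing the instance's password-operation policy.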
Parent topic: Microsoft Active Directory Lightweight Directory Service (AD LDS) installation