Allow Other Users to Administer an Authorization Store

Applies To: Windows Server 2008


Authorization Manager is available for use in the following versions of Windows: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows XP, Windows Vista, Windows 7, and Windows 8. It is deprecated as of Windows Server 2012 R2 and may be removed in subsequent versions.

You may want to allow additional people to manage your Authorization Store without granting them additional rights in the operating system. To do so, use the following procedure.

You must be assigned to the Authorization Manager Administrator user role to complete this procedure. By default, Administrators is the minimum Windows group membership assigned to this role. Review the details in "Additional considerations" in this topic.

Allow other users to administer an authorization store

  1. If necessary, open Authorization Manager.

  2. If necessary, create or open an authorization store.

  3. In the console tree, right-click the authorization store, and then click Properties.

  4. In the Properties dialog box, click the Security tab.

  5. Under Authorization Manager user role, click Administrator.

  6. Under Users and groups that are assigned to this role, click Add or Remove to add or remove users and groups to which you want to assign the Administrator role.
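The same assignment can be scripted through the AzRoles COM interface, which makes it possible to record who holds the Administrator role before and after the change. The following PowerShell is an added example, not part of the original topic; the store path and the group name are placeholders chosen for illustration.

```powershell
# Added example. Placeholders (assumptions, not from the original topic):
$StoreUrl = 'msxml://C:\AzStores\ExampleStore.xml'   # placeholder XML store path
$Account  = 'CONTOSO\AzManStoreAdmins'               # placeholder group to delegate to

# AzRoles.AzAuthorizationStore is the COM object for an Authorization Manager store.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
try {
    # Flags = 0 opens an existing store for management; the third argument is reserved.
    $store.Initialize(0, $StoreUrl, $null)

    # Record who is assigned to the Administrator role before the change.
    $before = @($store.PolicyAdministratorsName)
    Write-Output "Administrators before: $($before -join ', ')"

    # String comparison against the names exactly as the store returns them.
    if ($before -contains $Account) {
        Write-Output "$Account is already assigned; no change made."
    }
    else {
        # Equivalent of clicking Add on the Security tab, then saving the store.
        $store.AddPolicyAdministratorName($Account, $null)
        $store.Submit(0, $null)

        $after = @($store.PolicyAdministratorsName)
        Write-Output "Administrators after:  $($after -join ', ')"
    }
}
finally {
    # Release the COM object so the store file or directory handle is closed.
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($store)
}
```

To remove an assignment instead, call DeletePolicyAdministratorName with the same arguments and then Submit.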

Additional considerations

  • To perform this procedure, you need to have access to an authorization store. By default, members of the Administrators group have the required access, but Authorization Manager allows you to delegate responsibility. For more information, see "Additional references" in this topic.

  • Any user or group who is assigned to the Policy Administrator, Policy Reader, or Policy Delegated User role at any level (store, application, or scope) for an Authorization Manager store that is stored in an Active Directory Lightweight Directory Services (AD LDS) partition must also be added to the AD LDS Reader role of that AD LDS partition. AD LDS was formerly known as Active Directory/Application Mode (ADAM).

Additional references