Understanding Authorization Manager Stores

Applies To: Windows Server 2008


Authorization Manager is available for use in the following versions of Windows: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows XP, Windows Vista, Windows 7, and Windows 8. It is deprecated as of Windows Server 2012 R2 and may be removed in subsequent versions.

With Authorization Manager, you can provide authorization services to administrators that you support by creating Authorization Manager applications that access authorization stores.

In Authorization Manager, there is neither a default authorization store nor a default application. To create an authorization store, you must work in the Authorization Manager developer mode. For more information about working in developer mode, see Set Authorization Manager Options.

You can store authorization stores in either XML files, Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), or in Microsoft SQL Server.

The following table compares the different authorization store types.

Authorization store type Delegation support Authorization store is specified by Requirements


Supported at the authorization store, application, and scope levels

A URL, beginning with the protocol prefix MSLDAP:// or an LDAP distinguished name (for example, CN=myStore,CN=Program Data,DN=nwtraders,DN=com)

Domain functional level must be Windows Server 2003 or higher.

Note that In Windows 2000, Active Directory does not support authorization stores.


Not supported

The XML file is secured as a whole by its NTFS file system access control entries (ACEs).

A URL beginning with the protocol prefix MSXML:// or a Path (for example, C:\Temp\MyStore.xml or \\ServerName\ShareName\MyStore.xml)

Any NTFS partition

SQL Server

Supported at the authorization store, application and scope levels

A URL beginning with the protocol prefix MSSQL:// followed by a connection string, database name and policy store name, in the format: MSSQL://<connection string>/<database name>/<policy store name>

Microsoft SQL Server 2000 or newer.

An application is specific to an authorization store, and it is always located directly under its parent authorization store in Authorization Manager. For more information, see Create an Authorization Manager Application.

Scopes, roles, tasks, and operations are always specific to an application. For more information, see Understanding Authorization Manager Scopes and Understanding Authorization Manager Role, Task, and Operation Definitions.

Using application groups

An application group is a group of users of an Authorization Manager application. You can create application groups at any of the three levels in the Authorization Manager console. The following table lists the different Authorization Manager levels where you can create application groups.

Level Application group can be used in

Authorization store

The authorization store, and applications and scopes underneath it


The application and scopes underneath it


The scope

For more information about application groups see Understanding Authorization Manager Application Groups.

Delegating authorization stores and applications

Authorization stores that are stored in AD DS, AD LDS or SQL server support delegation. This means that you can authorize other people to administer those authorization stores, or applications contained in those authorization stores.

For more information about performing delegation, see Allow Other Users to Administer an Authorization Store.