Add or Remove Members to or from an AD LDS Group

Applies To: Windows Server 2008

Active Directory Lightweight Directory Services (AD LDS) relies on users and groups to provide and control access to directory data. AD LDS supports the simultaneous use of both Windows users and AD LDS users. AD LDS provides four default, role-based groups: Administrators, Instances, Readers, and Users. You can create additional AD LDS groups as necessary. Both Windows users and AD LDS users can be members of AD LDS groups.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To add or remove members to or from an AD LDS group

  1. To open Active Directory Service Interfaces (ADSI) Edit, on a computer with the AD LDS server role installed, click Start, click Administrative Tools, and then click ADSI Edit.

  2. Connect and bind to the AD LDS instance that contains the group that you want to modify. For more information, see Manage an AD LDS Instance Using ADSI Edit.

  3. In the console tree, double-click the directory partition containing the group that you want to modify.

  4. Right-click the group that you want to modify, and then click Properties.

  5. In Attributes, click Member, and then click Edit.

  6. For each AD LDS security principal that you want to add to the group, click Add DN, type the distinguished name of the new member, and then click OK.

  7. For each Windows security principal that you want to add to the group, click Add Windows account, type the account name of the new member, and then click OK.

  8. For each group member that you want to remove from the group, click the member that you want to remove, and then click Remove.

  9. After making the changes that you want to the group, click OK twice.

Note

In AD LDS, it is possible for an AD LDS administrator, or for a user with sufficient access to the Administrators group, to remove member accounts from the AD LDS Administrators group, possibly leaving AD LDS without any valid administrators. To recover from this scenario, the assigned AD LDS administrator, as the owner of the Administrators group, can repopulate the AD LDS Administrators group with the appropriate accounts.
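The same edits to a group's multi-valued member attribute that steps 5 through 9 make in ADSI Edit can be scripted with System.DirectoryServices. The following is an added example, not code from this page or from Microsoft; the instance address (ldap://localhost:50000), the partition DC=Fabrikam,DC=COM, and the group and user distinguished names are constructed placeholders. The removal function also refuses to empty an Administrators group, the situation the Note above warns about.

```powershell
# Added example (not from the original page): manage AD LDS group membership
# through System.DirectoryServices instead of clicking through ADSI Edit.
# Assumed values, replace with your own: instance on LDAP://localhost:50000,
# application partition DC=Fabrikam,DC=COM, member DNs that already exist there.
$ldapRoot = "LDAP://localhost:50000"

function Get-AdLdsGroup([string]$GroupDn) {
    # Bind to the group object (credentials of the current user are used;
    # membership in the instance's Administrators group is required to write).
    New-Object System.DirectoryServices.DirectoryEntry("$ldapRoot/$GroupDn")
}

function Add-AdLdsGroupMember([string]$GroupDn, [string]$MemberDn) {
    # Equivalent of step 6 ("Add DN"): append one DN to the member attribute.
    $group = Get-AdLdsGroup $GroupDn
    if (@($group.Properties["member"]) -contains $MemberDn) { return }
    $group.Properties["member"].Add($MemberDn) | Out-Null
    $group.CommitChanges()
}

function Remove-AdLdsGroupMember([string]$GroupDn, [string]$MemberDn) {
    # Equivalent of step 8 ("Remove"), with a guard for the failure mode in
    # the Note: never remove the last member of an Administrators group, which
    # would leave the instance or partition without any valid administrator.
    $group   = Get-AdLdsGroup $GroupDn
    $members = @($group.Properties["member"])
    if ($GroupDn -like "CN=Administrators,CN=Roles,*" -and $members.Count -le 1) {
        throw "Refusing to remove the last member of $GroupDn"
    }
    if ($members -notcontains $MemberDn) { return }
    $group.Properties["member"].Remove($MemberDn)
    $group.CommitChanges()
}

function Get-AdLdsGroupMember([string]$GroupDn) {
    # Read back the member attribute so the change can be verified after step 9.
    @((Get-AdLdsGroup $GroupDn).Properties["member"])
}

# Usage with the constructed placeholder DNs:
$readers = "CN=Readers,CN=Roles,DC=Fabrikam,DC=COM"
Add-AdLdsGroupMember    $readers "CN=Mary Baker,OU=Users,DC=Fabrikam,DC=COM"
Get-AdLdsGroupMember    $readers
Remove-AdLdsGroupMember $readers "CN=Mary Baker,OU=Users,DC=Fabrikam,DC=COM"
```

Windows security principals (step 7) are represented in AD LDS by foreignSecurityPrincipal objects rather than plain user DNs, so this example covers only the AD LDS principal case from step 6.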