Step 7: Authorize Appropriate Access to the ADS LDS Namespace Object

Applies To: Windows Server 2008

Authorization refers to the process of determining which users have access to which directory objects. In AD LDS, access control lists (ACLs) on each directory object determine which users have access to that object. By default, in AD LDS, only ACLs reside in the top-level object of each directory partition. All objects in a given directory partition inherit these ACLs.

For more information about ACLs, see Access Control Lists ( on the Microsoft Web site.

To connect to the Configuration partition

  1. Open an elevated command prompt. (Click Start, right-click Command Prompt, and then click Run as administrator.)

  2. Navigate to the C:\WINDOWS\ADAM directory, and then run the dsacls command to grant the Everyone group read access to the mapping data store as follows:

    dsacls "\\server1:389\CN=nfsadldsinstance,dc=server1" /G everyone:GR /I:T

  3. Optionally, if you are setting up a shared AD LDS store is set to allow multiple NFS servers to query the account mapping database, add the mapping data store to the ACL to allow Read permissions for the Anonymous Logon account as follows:

    dsacls "\\server1:389\CN=nfsadldsinstance,dc=server1" /G "anonymous logon":GR /I:T


You can skip this step if there is no shared access between computers to the mapping data store.