Create an Authorization Store

Applies To: Windows Server 2008

Before you can use Authorization Manager to control access to resources, you must create an authorization store.

Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.

To create an authorization store

  1. Open Authorization Manager.

  2. If necessary, switch to developer mode by changing the Authorization Manager options.

  3. In the console tree, right-click Authorization Manager, and then click New Authorization Store.

  4. In the New Authorization Store dialog box, click Active Directory, XML file, or Microsoft SQL.

  5. In Store name, type the authorization store name or click Locations to find the authorization store. You cannot use Locations to browse for an SQL Server. You must know the location you want to use to create a store in SQL Server.

  6. (Optional) In Description, type a description for the new authorization store.

  7. Click OK

Additional considerations

  • To perform this procedure, you must be working in developer mode.


Authorization Manager is available for use in the following versions of Windows: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows XP, Windows Vista, Windows 7, and Windows 8. It is deprecated as of Windows Server 2012 R2 and may be removed in subsequent versions.

To create an authorization store that is stored in Active Directory, use the LDAP name (for example, *CN=myStore,CN=Program Data,DN=nwtraders,DN=com*). A store may be created in an Active Directory Domain Services (AD DS) partition or in an Active Directory Lightweight Directory Services (AD LDS) partition. AD LDS was formerly known as Active Directory/Application Mode (ADAM).  
  • Any user or group who is assigned to the Policy Administrator, Policy Reader, or Policy Delegated User role at any level (store, application, or scope) for an Authorization Manager store that is stored in an AD LDS partition must also be added to the AD LDS Reader role of that AD LDS partition.

  • To create an XML-based authorization store, use a path and file name that is valid at runtime (for example, C:\AuthStores\MyStore.xml).

  • To create an SQL-based authorization store, use a URL beginning with the protocol prefix MSSQL://. See the related topics for details on how to format an SQL connection string as a URL.

  • By default, members of the local group Administrators, have sufficient rights and privileges to complete this task. In your environment, security may be managed such that non-administrators have additional rights.

  • If User Account Control is enabled, it can be configured to allow non-administrators to enter the credentials of an administrator to complete administrative tasks without being a member of the Administrators group.

  • If the store is being created on another computer, you must ensure that you have sufficient permissions to access and create the appropriate type of resources on that other computer.

Additional references