Before you can use Authorization Manager to control access to resources, you must create an authorization store.
Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.
|To create an authorization store|
Open Authorization Manager.
If necessary, switch to developer mode by changing the Authorization Manager options.
In the console tree, right-click Authorization Manager, and then click New Authorization Store.
In the New Authorization Store dialog box, click Active Directory, XML file, or Microsoft SQL.
In Store name, type the authorization store name or click Locations to find the authorization store. You cannot use Locations to browse for a computer running Microsoft SQL Server. You must know the location you want to use to create a store in SQL Server.
(Optional) In Description, type a description for the new authorization store.
To perform this procedure, you must be working in developer mode.
To create an authorization store that is stored in Active Directory Domain Services (AD DS), use the Lightweight Directory Access Protocol (LDAP) name (for example, CN=myStore,CN=Program Data,DN=nwtraders,DN=com). A store may be created in an AD DS partition or in an Active Directory Lightweight Directory Services (AD LDS) partition. AD LDS was formerly known as Active Directory/Application Mode (ADAM).
Any user or group who is assigned to the Policy Administrator, Policy Reader, or Policy Delegated User role at any level (store, application, or scope) for an Authorization Manager store that is stored in an AD LDS partition must also be added to the AD LDS Reader role of that AD LDS partition.
To create an XML-based authorization store, use a path and file name that is valid at run time (for example, C:\AuthStores\MyStore.xml).
To create an SQL-based authorization store, use a URL beginning with the protocol prefix MSSQL://. See "Additional references" for details on how to format an SQL connection string as a URL.
By default, members of the local Administrators group have sufficient rights and privileges to complete this task. In your environment, security may be managed so that non-administrators have additional rights.
If User Account Control is enabled, it can be configured to allow non-administrators to enter the credentials of an administrator to complete administrative tasks without being a member of the Administrators group.
If the store is being created on another computer, you must ensure that you have sufficient permissions to access and create the appropriate type of resources on that other computer.