In Windows Server 2008, several new features were introduced in Authorization Manager. These include:
- Authorization Manager stores can be stored in Microsoft SQL Server databases, Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), or XML files. For more information, see Connect to an SQL-based Authorization Store.
- Support for business rule groups (groups whose membership is determined at run time by a script) is available. For more information, see Create an Application Group within an Authorization Store.
- Support is available for custom object pickers, so that application administrators can use Authorization Manager for applications that use AD LDS or SQL user accounts. For more information about using a custom object picker, see Choose Users or Groups with a Custom Object Picker.

Many additional improvements and changes were made to Authorization Manager. Some of these are:
- Improvements were made to the Authorization Manager application programming interface (API), including optimization of common functions and the introduction of simpler, faster versions of commonly used methods, such as AccessCheck.
- LDAP queries are not limited to user objects.
- Additional events are recorded in the log if auditing is active.
- The use of business rules and authorization rules is controlled by a registry setting. In Windows Server 2008 R2 and Windows Server 2008, rules are disabled by default. In earlier versions of Windows, rules were enabled by default.