Adding Users to the Directory Administrators List in Microsoft Metadirectory Services

Adding users to the Directory Administrators List enables you to identify modifications made in the logs by specific administrators user names. Without adding users to the list, any user who logs on as administrator (provided they know the correct password) can make modifications. With this scenario there is no way of identifying exactly who made the changes. This article describes how to add users to the Directory Administrators List object.

When you add users to the Directory Administrator list or other list objects, you should only add the user's alias, not the user object itself. The reason for this is that if you add the alias itself, it resides only under the the list object and nowhere else in the directory. If someone were to delete the list object, then this child object would also be removed.

Viewing the List of Users Added to the Directory Administrators List

1. Start Compass, and then log on with an administrator account.
2. Navigate in the Known Universe tree to the DSA object, which is your server name.
3. Locate the Directory Administrators list object. If you open the list object you will see the built-in administrator's user alias.

Adding an Alias for a User to the Directory Administrators List

1. Click on the Known Universe.
2. Navigate down the tree until you get to the user or users you want to make administrators.
3. Right-click the user, and then click Copy.
4. Right-click the Directory Administrators List object, and then click Paste.
5. Click Create alias to this entry, and then click OK. You should see the user's name and user icon with an arrow next to it indicating it is an alias.
   
   NOTE: At this point, the user can log on and will have administrator access to the object but will not be able to view the Application node. By default this is the Application OU but it could be configured differently during setup. However, they will be able to use the search utility and find users contained within the Application OU and modify their properties.

Setting Security for the Directory Administrators List Members

Allowing Members of the Directory Administrators List Read Access

Without setting the read access to the application node, the members of the Directory Administrators List will not be able to view the directory tree. However, by default the Directory Administrator List members will be able to search and find objects in the directory. The directory tree will be displayed while viewing the object found. Note that some objects will be modifiable, and others will not.

1. Select Application Node (the Applications OU).
2. On the Actions menu, click Access Control.
3. On the entry's Read Permissions tab, click New under Permissions Granted To.
4. On the entry's Read Permissions tab, click Specific under Permissions Granted To.
5. Click the Select button to view the Known Universe.
6. Navigate down the tree to the Directory Administrators List object, right-click the object, and then click Copy.
7. Click OK to close the Select windows.
8. Right-click the Specific box (it should be empty at this point), and then click Paste.
9. Click OK to save the contents.

Allowing Members of the Directory Administrators List Members to Modify the Application Node

The same basic steps can be used for other objects that have explicit Access Controls set:

1. Select Application Node (the Applications OU).
2. On the Actions menu, click Access Control.
3. On the entry's Modify Permissions tab, click New under Permissions Granted To.
4. On the entry's Read Permissions tab, click Specific under Permissions Granted To.
5. Click Select to view the Known Universe.
6. Navigate down the tree to the Directory Administrators List object, right-click the object, and then click Copy.
7. Click OK to close the Select windows.
8. Right-click the Specific box (it should be empty at this point), and then click Paste.
9. Click OK to save the contents.