LDS Administration with ADSIEdit

To enable non-Active Directory access to TX, or to administer the LDS instance.

Step-by-step guide

Attached below is the Word document describing how to enable LDS and how to administer it with ADSI Edit.


1 Introduction


ADSI Edit is a Microsoft-supplied LDAP editor which can be used to manage objects and attributes in Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).  It is implemented as a Microsoft Management Console (MMC) snap-in (ADSIEDIT.MSC) which is installed with either directory service.  It is accessible under Control Panel\Administrative Tools.

Here is a link for more information about ADSI Edit:

https://technet.microsoft.com/en-us/library/ebca3324-5427-471a-bc19-9aa1decd3d40

2 Set-up ADSI Edit for use with Simplify Printing TX Auth


These instructions assume that the Simplify Printing TX Auth installer has been run successfully.  If you are unable to get ADSI Edit working as described below, check the InitLDS log file located at C:\ProgramData\Tricerat\Simplify Printing TX\Logs.

LDS supports the simultaneous use of both Windows users and LDS users.  In other words, local or domain Windows users defined outside of an LDS instance can be specified as security principals within the instance.

During installation of the LDS instance, the user conducting the installation is made a member of the Administrators group (CN=Administrators,CN=Roles,CN=Configuration,CN=<GUID>) located in the instance’s Configuration partition.  The Administrators group defined in the Configuration partition is in turn made a member of the Administrators group in the SPTX application partition.  Thus, the user who runs the Simplify Printing TX Auth installer has administrative access to the entire LDS instance.  By virtue of this special status, the installer can opt for a simpler ADSI Edit set-up in which he/she does not have to specify credentials.  I’ll go over this set-up first.

2.1 Simpler set-up for the individual who installed Simplify Printing TX Auth


When ADSI Edit is launched for the first time, no connection exists to a directory service.  Action must be taken to set up a connection, but once set up, the connection will persist.

A connection is set-up via the Action | Connect to… menu item.  This menu item launches a Connection Settings dialog:



Set the controls to appear as such:


In this example, vm901.test.tricerat.com is the FQDN of the machine on which the AD LDS instance is running.  Localhost can be used if ADSI Edit is running on the same machine as the AD LDS instance.  In this example, we are not using the SSL port (636).  Press the OK button, and the connection is added to the left pane:



If encrypted traffic is desired between ADSI Edit and the LDS instance, use this approach instead:



2.2 Set-up for “admin” users defined within the AD LDS instance


If you are not the individual who installed Simplify Printing TX Auth, then it’s unlikely that your Windows account is a member of the Administrators group in the Configuration partition, which is what grants implicit administrator access to the instance.  In this case, you will have to set up ADSI Edit using credentials defined within the instance itself.

A single admin user is created during the Simplify Printing TX Auth installation, but others may be defined at a later time.

Values in the Connection Settings dialog are similar to those above:


In this case, however, we must use the Advanced… button in the lower left part of the dialog:


If encrypted traffic is desired, use the procedure discussed above.
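The two connection styles described in sections 2.1 and 2.2 can also be exercised from PowerShell, which is a quick way to confirm that the instance answers on the port you intend to use and to discover the DN of the SPTX application partition for the Connection Settings dialog.  The script below is an added example and is not part of this page, the Word document, or Tricerat’s software.  It assumes the server name vm901.test.tricerat.com from the text, the standard LDAP (389) and LDAPS (636) ports, and that a server certificate is already configured for port 636; the LDS admin user name it prompts for is a placeholder you supply (its distinguishedName or userPrincipalName).

```powershell
# Added example (not from the page or Tricerat): bind to the AD LDS instance the
# way ADSI Edit does in sections 2.1 and 2.2, then read rootDSE to list the
# partitions, one of which is the SPTX application partition.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdsNamingContexts {
    param(
        [Parameter(Mandatory)] [string] $Server,   # vm901.test.tricerat.com in the page's example
        [int] $Port = 389,
        [switch] $UseSsl,
        [pscredential] $Credential                 # omit to bind as your Windows account (section 2.1)
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $false, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($UseSsl) { $conn.SessionOptions.SecureSocketLayer = $true }

    if ($Credential) {
        # A user defined inside the LDS instance (section 2.2) can only do a simple
        # bind, which transmits the password as entered, so insist on the SSL port.
        if (-not $UseSsl) { throw 'Refusing a simple bind for an LDS-defined user without SSL; use port 636 with -UseSsl.' }
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = $Credential.GetNetworkCredential()
    }
    else {
        # Windows account (section 2.1): Negotiate (Kerberos/NTLM) with signing and
        # sealing, so the session is protected even on the plain port.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
    }

    try {
        $conn.Bind()
        # rootDSE (empty base DN) lists every partition the instance hosts.
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    '', '(objectClass=*)',
                    [System.DirectoryServices.Protocols.SearchScope]::Base,
                    'namingContexts')
        $resp = $conn.SendRequest($req)
        $resp.Entries[0].Attributes['namingContexts'].GetValues([string])
    }
    finally { $conn.Dispose() }
}

# Section 2.1: the account that ran the installer, Windows auth, plain port.
Get-LdsNamingContexts -Server 'vm901.test.tricerat.com' -Port 389

# Section 2.2: an admin user defined inside the instance, SSL port only.
$ldsAdmin = Get-Credential -Message 'LDS admin user: enter its distinguishedName or userPrincipalName (placeholder)'
Get-LdsNamingContexts -Server 'vm901.test.tricerat.com' -Port 636 -UseSsl -Credential $ldsAdmin
```

The output of either call is the list of naming contexts; the entry that is not the Configuration or Schema partition is the SPTX application partition DN you select in the Connection Settings dialog.  If the port-636 call fails with the server reported as unavailable, the instance’s certificate is usually the cause; it must be issued to the server’s FQDN and trusted by the machine running the check.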

3 Adding a new user to the SPTX application partition


Once a connection to the SPTX partition is set-up in ADSI Edit, you can view and modify its contents.  Activities include creating new containers, creating new users and groups, and modifying group memberships.  In this section I will go over the procedure to create a new user, and make that user a member of the partition’s Administrators group.

It’s important to note that a user must be a member of either the Readers group or the Administrators group in order to successfully authenticate using credentials.

The Users container is created during Simplify Printing TX Auth install process, and it’s recommended that new users be created within this container.  However, there is no general requirement that this be the case.

With the Users container selected in the pane on the left…


… select Action | New | Object… from the menu.  You can also launch the Create Object wizard by right-clicking on the CN=Users branch of the tree, or by right-clicking inside the pane on the right, and selecting New | Object….

Inside the Create Object dialog/wizard, select the user class at the bottom of the list, and click the Next button:


The Common-Name (cn) attribute for a user is the full name.  For example, if you are creating an account for John Doe, enter John Doe in the Value editbox, and click Next:


We are now presented with the last wizard page, where we’ll enter a value for one more attribute:


Press the More Attributes button on this page:


With Optional selected in the top combobox, select userPrincipalName in the lower combobox.  In the Edit Attribute editbox, enter the username of your choice, and press the Set button.  The username jdoe was used in this case:


Click the OK button on this dialog, and click the Finish button to end the Create Object wizard.  At this point, the new user object will have been created, but there are a few more steps before it is ready for use.

Right-click on the new user row in the right pane, and select Reset Password… from the context menu:


Enter a password which meets the complexity requirements for your system:


Once the password has been successfully set, double-click on the new user row in the right pane.  This launches the Attribute Editor for the object.  Scroll down until the msDS-UserAccountDisabled attribute is selected:


Double-click on the attribute, set the value to False, and click the OK button:


Scroll back up the attribute list to the distinguishedName attribute, double-click on the row, and press Ctrl-C to copy the name to the clipboard.


Dismiss the dialog, and then press the OK button to close the Attribute Editor.  The user account is now enabled, but there is one last step.  We must add user jdoe to the partition’s Administrators group.

Select the CN=Roles leaf in the left pane:


Double-click on the Administrators row in the right pane to once again launch the Attribute Editor dialog.  Scroll down the attribute list, and select the member attribute:


Double-click on the member attribute to launch the Editor dialog:


Here we see our original admin user specified during the Simplify Printing TX Auth installation, and the Administrators group from the Configuration partition.

With jdoe’s distinguishedName attribute value still in the clipboard, click the Add DN… button and press Ctrl-V to paste jdoe’s DN into the editbox:


Press the OK button, and verify that John Doe was added to the partition’s Administrators group:


Press OK to dismiss both Editor dialogs.  At this point, you have successfully created an SPTX admin user.
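The whole of section 3 (create the user object, set userPrincipalName, reset the password, clear msDS-UserAccountDisabled, and add the DN to the partition’s Administrators group) can be scripted with the same ADSI interfaces that ADSI Edit uses, which is handy when more than one admin user has to be created.  The script below is an added example and is not part of this page, the Word document, or Tricerat’s software.  It assumes the server name from section 2.1 and the section 2.1 style of connection (your Windows account, signed and sealed); the partition DN and the password are placeholders, since the page does not state the SPTX partition’s DN.

```powershell
# Added example (not from the page or Tricerat): the section 3 procedure done
# with System.DirectoryServices instead of the ADSI Edit GUI.
Add-Type -AssemblyName System.DirectoryServices

$Server      = 'vm901.test.tricerat.com'        # FQDN of the LDS host, from the page
$Port        = 389
$PartitionDN = 'CN=SPTX,DC=example,DC=com'      # PLACEHOLDER: replace with the real SPTX application partition DN

# Windows-authenticated (Negotiate) connection with signing and sealing, as in
# section 2.1.  AD LDS refuses password operations over an unencrypted
# connection, so either keep these flags or use port 636 with SecureSocketsLayer.
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
        [System.DirectoryServices.AuthenticationTypes]::Signing -bor
        [System.DirectoryServices.AuthenticationTypes]::Sealing

function New-SptxAdminUser {
    param(
        [Parameter(Mandatory)] [string] $CommonName,          # full name, e.g. 'John Doe'
        [Parameter(Mandatory)] [string] $UserPrincipalName,   # login name, e.g. 'jdoe'
        [Parameter(Mandatory)] [securestring] $Password
    )
    $base  = "LDAP://${Server}:${Port}"
    $users = New-Object System.DirectoryServices.DirectoryEntry("$base/CN=Users,$PartitionDN", $null, $null, $auth)

    # Create Object wizard: class 'user', cn = full name, then userPrincipalName.
    $user = $users.Children.Add("CN=$CommonName", 'user')
    $user.Properties['userPrincipalName'].Value = $UserPrincipalName
    $user.CommitChanges()

    # Reset Password...: IADsUser::SetPassword via the ADSI Invoke bridge.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $user.Invoke('SetPassword', $plain)

    # A newly created LDS user is disabled; set msDS-UserAccountDisabled to False.
    $user.Properties['msDS-UserAccountDisabled'].Value = $false
    $user.CommitChanges()

    # Add the user's DN to CN=Administrators,CN=Roles in the partition (a user
    # must be in Readers or Administrators to authenticate at all).
    $dn    = $user.Properties['distinguishedName'].Value
    $group = New-Object System.DirectoryServices.DirectoryEntry("$base/CN=Administrators,CN=Roles,$PartitionDN", $null, $null, $auth)
    if ($group.Properties['member'] -notcontains $dn) {
        $group.Properties['member'].Add($dn) | Out-Null
        $group.CommitChanges()
    }

    $user.RefreshCache()
    return $user
}

$pw = Read-Host -AsSecureString -Prompt 'Password for the new user (must meet the system complexity rules)'
$u  = New-SptxAdminUser -CommonName 'John Doe' -UserPrincipalName 'jdoe' -Password $pw
'{0} created; msDS-UserAccountDisabled = {1}' -f $u.Properties['distinguishedName'].Value,
                                                 $u.Properties['msDS-UserAccountDisabled'].Value
```

Run it from an account with the implicit administrator access described in section 2 (the installer’s account, or another member of the Configuration partition’s Administrators group).  After it completes, the new user appears under CN=Users and in the member list of CN=Administrators,CN=Roles exactly as in the screenshots above, and the section 2.2 connection can be tested with it.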