Use the manage_dz command to enable or disable authorization in classic zones. In classic zones, authorization-related features are disabled by default, and the authorization store that is required for managing rights, roles, and restricted environment is not available in Active Directory.

To enable authorization in classic zones using ADEdit, you can run the manage_dz ‑on command. This command creates the authorization store if it does not exist, and sets the zone property that enables privilege elevation service features.

To disable authorization in a classic zone, you can run the manage_dz –off command. Running this command disables authorization services. The command does not remove any existing authorization data from Active Directory.

Zone type

Classic only


manage_dz [-on|-off]




This command takes the following options:

Option Description


Enables authorization for the currently selected zone and creates the authorization data store if it not currently defined in Active Directory.


Disables authorization for the currently selected zone. This option does not remove any data from the authorization data store if it currently exists.


This command takes no arguments.

Return value

This command returns nothing if it runs successfully.


create_zone classic4 cn=c125,cn=zones,dc=ross,dc=net
select_zone cn=c125,cn=zones,dc=ross,dc=net
manage_dz -on

This code example creates a zone, checks that authorization is disabled by default, then enables authorization for the zone.

Related commands

The following command performs actions related to this command:

  • is_dz_enabled checks whether authorization is currently enabled for a zone.