The Directory Server provides three different classes of administrator accounts: root user, administrator, and global administrator. The root user is the LDAP-equivalent of a UNIX super-user account and inherits its privileges from the default root user privilege set (see Default Root Privileges). The root user "account" is an entry that is stored in the server’s configuration under the cn=Root DNs,cn=config and bypasses access control evaluation, and can be created manually, or with the dsconfig tool. This account has full access to the entire set of data in the Directory Information Tree (DIT) as well as full access to the server configuration and its operations. One important difference between other vendors’ servers and the Directory Server’s implementation is that the root user’s rights are granted through a set of privileges. This allows the Directory Server to have multiple root users on its system if desired; however, the normal practice is to set up administrator user entries. Also, by default, the Root User has no resource limits.

The administrator user can have a full set of root user privileges but often has a subset of these privileges to limit the accessible functions that can be performed. The administrators entries typically have limited access to the entire set of data in the directory information tree (DIT), which is controlled by access control instructions. These entries reside in the backend configuration (for example, uid=admin,dc=example,dc=com) and are replicated between servers in a replication topology. In some cases, administrator user accounts may be unavailable when the server enters lockdown mode unless the administrator is given the lock-down mode privilege.

A global administrator is primarily responsible for managing configuration server groups. A configuration server group is an administration domain that allows you to synchronize configuration changes to one or all of the servers in the group. For example, you can set up a group when configuring a replication topology, where configuration changes to one server can be applied to all of the servers at one time. Global Administrator entries are stored in the cn=Topology Admin Users,cn=Topology,cn=config backend are always mirrored across servers in a replication topology. These users can be assigned privileges like other admin users but are typically used to manage the data under cn=Topology,cn=config.