Forum.Brain-Cluster.com: Brain Cluster Technical Forum
ldap? [message #158907] Tue, 21 July 2009 04:20
Nenad Veselinov (Serbia), Junior Member, 5 messages, registered July 2009
Hi, I have a problem regarding an LDAP query. I want to create a user with one
purpose: to read AD, to do LDAP queries and nothing else. I need it for an
application that will be used by others. Is there a way to do it?

Thanks in advance!

Nenad Veselinov
Re: ldap? [message #158909 is a reply to message #158907] Tue, 21 July 2009 05:36
florian (Switzerland), Senior Member, 484 messages, registered July 2009
Howdie!

Nenad Veselinov wrote:
> Hi I have a problem regarding ldap query. I want to create a user with one
> purpose, to read AD, to do ldap query and nothing else. I need it for an
> application that will be used by other. Is there a way to do it?

Does that user need any special read access to a certain attribute or
object? By default, normal users have the ability to browse and read in AD.

Cheers,
Florian
Re: ldap? [message #158910 is a reply to message #158907] Tue, 21 July 2009 06:06
Jorge Silva, Senior Member, 398 messages, registered July 2009
Hi
By default users have that right.
- Additionally, users have the right to add 10 workstations to the domain by
default; you can change that by adjusting ms-DS-MachineAccountQuota and the
policy "Add workstations to domain". There are other options that you can
"tune up": for example, you can restrict that user account to log on only to a
particular computer (check the user properties in AD), or deny interactive
logon, etc.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
Re: ldap? [message #158912 is a reply to message #158909] Tue, 21 July 2009 07:37
Nenad Veselinov (Serbia), Junior Member, 5 messages, registered July 2009
The user just needs to sync the corporate directory with AD and nothing else.

Re: ldap? [message #158913 is a reply to message #158907] Tue, 21 July 2009 08:23
pbbergs (United States), Senior Member, 1024 messages, registered July 2009
As others have mentioned, by default users should have read access. As a
matter of fact, you may be handing out too much access and not even be aware
of it. The group "Pre-Windows 2000 Compatibility Access" can be providing
more access than you originally realized. Take a look at:

http://www.windowsecurity.com/articles/Active-Directory-information-exposed-users.html

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

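An added example, written for this thread and not taken from any of the posters or from Microsoft, that audits the exposure Paul is pointing at: it lists the members of the built-in "Pre-Windows 2000 Compatible Access" group (the Windows default name of the group he refers to), flags the broad well-known principals that make its permissions effectively domain-wide, and then dumps the ACEs that group and Authenticated Users hold on the domain head. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, so newer than the 2009 thread); the group name and SIDs are the Windows defaults and nothing else is assumed.

```powershell
# Added example, not from the thread. Audits how much read access the domain
# hands out by default through the "Pre-Windows 2000 Compatible Access" group.
# Assumes the ActiveDirectory module; the group name is the Windows default.
Import-Module ActiveDirectory

$groupName = 'Pre-Windows 2000 Compatible Access'

# Well-known SIDs whose presence makes the group's permissions apply to
# (almost) every caller, not just a handful of legacy servers.
$broadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

# Read the member attribute directly: well-known principals are stored as
# foreignSecurityPrincipal objects, which Get-ADGroupMember does not always resolve.
$group = Get-ADGroup -Identity $groupName -Properties member

foreach ($memberDn in $group.member) {
    $obj = Get-ADObject -Identity $memberDn -Properties objectSid, objectClass
    $sid = $obj.objectSid.Value
    if ($broadSids.ContainsKey($sid)) {
        Write-Warning "$groupName contains $($broadSids[$sid]) ($sid): every such caller can read whatever this group can read"
    } else {
        Write-Output "$groupName member: $($obj.Name) [$($obj.objectClass)]"
    }
}

# What the group, and Authenticated Users, are actually granted on the domain head.
# (Inherited ACEs on user objects follow from these; check an OU the same way.)
$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"
$acl.Access |
    Where-Object {
        $_.IdentityReference.Value -like "*\$groupName" -or
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, ObjectType |
    Format-Table -AutoSize
```

Run it as a user who can read the domain head ACL (any domain member can, by default). If the first loop prints a warning, the "minimum rights" account in this thread already reads as much as every other authenticated principal, and tightening its own group memberships changes nothing about that; the article Paul links describes the same trade-off.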
Re: ldap? [message #158919 is a reply to message #158907] Tue, 21 July 2009 08:43
meiweb(nospam) (Germany), Senior Member, 1307 messages, registered July 2009
Hello Nenad,

As already mentioned, all domain members are able to read the information
from AD. So it shouldn't be a problem in your case.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: ldap? [message #158921 is a reply to message #158907] Tue, 21 July 2009 09:06
Nenad Veselinov (Serbia), Junior Member, 5 messages, registered July 2009
Thanks to all,

I need to clarify my question: the user that I want to create must not be
able to use any other network service besides reading AD. The sole purpose of
that user is to give access to Cisco CallManager so he can populate the
corporate directory, but for security reasons I don't want to grant any
other rights to that user, because it will be used by an outside sister company.

I hope now you understand my Q.

Thanks again

Nenad Veselinov
Re: ldap? [message #158932 is a reply to message #158921] Tue, 21 July 2009 12:13
pbbergs (United States), Senior Member, 1024 messages, registered July 2009
Create a user and don't place them in any group (leave them in the Domain
Users group). They should be able to do what you require.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

Re: ldap? [message #158940 is a reply to message #158912] Tue, 21 July 2009 14:24
florian (Germany), Senior Member, 484 messages, registered July 2009
Howdie!

Nenad Veselinov wrote:
> the user just need`s to sync corporate directory with ad and nothing else

Okay, if it's a one way sync (AD --> corporate directory), AD read
rights should be sufficient and that can be done by any user created. No
special groups needed here.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Re: ldap? [message #158960 is a reply to message #158932] Wed, 22 July 2009 04:23
Nenad Veselinov (Serbia), Junior Member, 5 messages, registered July 2009
Thanks but... :)

As a Domain Users group member he would have every right that any user in my
domain has, and that is exactly what I want to avoid. The highlight in my
question is on minimum rights for a user, and the only right he should have
is to be able to read a list of users in AD (do an LDAP query).

Re: ldap? [message #158962 is a reply to message #158960] Wed, 22 July 2009 05:01
meiweb(nospam) (Germany), Senior Member, 1307 messages, registered July 2009
Hello Nenad,

When only you know the password of this user account and no one else has
access to the script, who else should use that account? And you can also set
'deny logon locally' via GPO on all domain workstations for this account.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: ldap? [message #158963 is a reply to message #158962] Wed, 22 July 2009 05:23
Nenad Veselinov (Serbia), Junior Member, 5 messages, registered July 2009
Hello Meinolf,

It will not be used locally; that user will be used by a Cisco CallManager
in a sister company to populate a corporate directory, thus the password for
that user will be given out. And that is why all that security.

Re: ldap? [message #158965 is a reply to message #158963] Wed, 22 July 2009 06:54
Jorge Silva, Senior Member, 398 messages, registered July 2009
The additional rights are in my post response; if you want to restrict them,
re-check the post again.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
Re: ldap? [message #158967 is a reply to message #158960] Wed, 22 July 2009 08:10
pbbergs (United States), Senior Member, 1024 messages, registered July 2009
Read only is all they will have. To restrict beyond this you would have to
start denying access.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

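The thread converges on the same answer from three posters: create a plain user, leave it in Domain Users only (Paul), restrict where it may log on and take away the default right to join workstations (Jorge), and deny local logon (Meinolf). The following is an added example of that procedure, written for this page and not code from any of the posters, Microsoft or Cisco. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, newer than the thread itself); the account name, OU path and host name are placeholders, and ms-DS-MachineAccountQuota is the real domain attribute Jorge names.

```powershell
# Added example, not from the thread. Creates a dedicated read-only LDAP
# account and applies the restrictions the thread discusses. Assumes the
# ActiveDirectory module; $Name, $OU and $AllowedHost are placeholders.
Import-Module ActiveDirectory

$Name        = 'svc-ldap-readonly'                      # placeholder account name
$OU          = 'OU=Service Accounts,DC=example,DC=com'  # placeholder OU
$AllowedHost = 'CUCM01'                                 # placeholder: only host allowed to log on

# Prompt for the password so it never lands in the script or the shell history.
$Password = Read-Host -AsSecureString -Prompt "Password for $Name"

# 1. A plain user object: no template copy, so no inherited group memberships.
New-ADUser -Name $Name -SamAccountName $Name -Path $OU `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Read-only LDAP account for corporate directory sync'

# 2. The "Log On To" restriction from the account properties (userWorkstations).
#    It limits interactive and network logons to the named host(s); LDAP binds
#    from that host, which is the account's whole purpose, still work.
Set-ADUser -Identity $Name -LogonWorkstations $AllowedHost

# 3. Check that Domain Users (the primary group, which cannot be removed) is the
#    only membership, as Paul recommends.
$extra = Get-ADPrincipalGroupMembership -Identity $Name |
    Where-Object { $_.Name -ne 'Domain Users' }
if ($extra) {
    Write-Warning "Unexpected group memberships: $($extra.Name -join ', ')"
} else {
    Write-Output "$Name is a member of Domain Users only"
}

# 4. Remove the default right to join 10 computers. The attribute sits on the
#    domain head and is domain-wide: this affects every ordinary user, not only
#    this account, which is usually what you want anyway.
$domain = Get-ADDomain
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 5. Confirm the account can still do its one job: read user objects over LDAP.
$cred  = New-Object System.Management.Automation.PSCredential(
             "$($domain.NetBIOSName)\$Name", $Password)
$count = (Get-ADUser -Filter * -Credential $cred -Server $domain.PDCEmulator |
              Measure-Object).Count
Write-Output "Read check: $count user objects visible to $Name"
```

The "deny logon locally" setting Meinolf mentions is a user rights assignment (Deny log on locally, and on newer systems Deny log on through Remote Desktop Services) in Group Policy; it is not exposed through these cmdlets, so set it in the GPO linked to the workstations and member servers. If you also want proof that the account cannot write, run a Set-* cmdlet with the same credential against a throwaway test object rather than a production one, and expect access denied; Paul's last reply is the reason, since anything beyond this read-only baseline has to be taken away with explicit deny ACEs.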