Forum.Brain-Cluster.com: Brain Cluster Technical Forum
read only account to AD [message #161848] Thu, 08 October 2009 07:48
Bryce (Junior Member)
Hi,
I need to create an account in our 2003 AD environment that can only read from AD (LDAP).
The account cannot be a member of any group (unless needed). I have been notified that the Domain Users group will give it too many permissions.
Can I create a new group and give it just read-only permissions to AD (remove the user from the Domain Users group and add it to the new group)? If so, what minimum permissions would it need?

Thanks.
Re: read only account to AD [message #161854 is a reply to message #161848] Thu, 08 October 2009 09:12
florian (Senior Member, Switzerland)
Howdie!

Bryce wrote:
> I need to create an account in our 2003 AD environment that can read only
> from AD (LDAP).
> The account can not be a member of any group (unless needed). i have been
> notified that domain users group will give it too much permissions.
> can i create a new group and give it just read only permissions to AD.
> (remove the user from domain users group and add to new group). if so, what
> minimum permissions would it need?

Well, any user you create from scratch in Active Directory has the
ability to read the directory and browse it. The user is able to change
a couple of its own attributes but not "memberOf" which dictates the
membership of a user - so that should be sufficient.

It is correct that, if you create a user, he's automatically added to
the "Domain Users" group. They have file permission rights wherever you
have "Authenticated Users" specified in ACLs. You would probably need to
create a new group and change that specific user's primary group
membership (there's a button for that in ADUC) to that newly created group.

Cheers,
Florian
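The primary-group swap Florian describes, scripted instead of clicked in ADUC. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module is available against your domain, and the account and group names are placeholders.

```powershell
# Added example (not from the thread): move an LDAP read-only account out of
# "Domain Users" by making a new, empty-rights group its primary group.
# Assumes the ActiveDirectory module (RSAT) and rights to modify the account.
# $User and $GroupName are placeholders: replace with your own.
Import-Module ActiveDirectory

$User      = 'svc-ldapread'          # placeholder account name
$GroupName = 'LDAP-ReadOnly-Primary' # placeholder group name

# 1. Create the holding group. A primary group must be a security group
#    in the same domain; Global scope is the usual choice.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Primary group for LDAP read-only accounts; granted in no ACL'
}

# 2. The account must already be a member before the group can become
#    its primary group.
Add-ADGroupMember -Identity $GroupName -Members $User

# 3. primaryGroupID stores the RID (last component of the group SID).
$group = Get-ADGroup -Identity $GroupName
$rid   = [int](($group.SID.Value -split '-')[-1])
Set-ADUser -Identity $User -Replace @{ primaryGroupID = $rid }

# 4. Only now can the account leave Domain Users: AD refuses to remove a
#    user from the group that is currently its primary group.
Remove-ADGroupMember -Identity 'Domain Users' -Members $User -Confirm:$false

# 5. Verify: the account should now list exactly one group.
Get-ADPrincipalGroupMembership -Identity $User |
    Select-Object Name, GroupScope |
    Format-Table -AutoSize
```

The account still carries the implicit Authenticated Users identity whenever it logs on, so NTFS ACEs granted to Authenticated Users continue to apply; only explicit groups on the shares, as Meinolf's reply suggests, keep it off the file system.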
Re: read only account to AD [message #161857 is a reply to message #161854] Thu, 08 October 2009 09:55
Bryce (Junior Member)
Hi,

Thanks for the reply.
I am looking for details based on the last line that you wrote:
"You would probably need to create a new group..."
If I create the new group, what permissions would I give it and where would I do it?
Would I have to add that group to the security in ADSIedit? Or is there a less risky place to add it?

Additionally, you mentioned "authenticated users". My goal is to have an account that can only read AD and not have file permissions.

Can you recommend a process?

I appreciate the feedback and thank you for your assistance.

Thanks.
Re: read only account to AD [message #161873 is a reply to message #161857] Thu, 08 October 2009 13:53
meiweb (Senior Member, Germany)
Hello Bryce,

On data shares where you configure the NTFS permissions (folder properties,
security tab), do not work with the built-in security groups like Domain Users
or Authenticated Users; instead add the security groups you created yourself in
AD UC, with the permissions they need. This way you can easily exclude the
accounts that shouldn't have any permissions to the shared folder.
http://support.microsoft.com/kb/301195

http://technet.microsoft.com/en-us/library/bb727008.aspx

And as Florian said, any user account is able to read AD UC.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: read only account to AD [message #161904 is a reply to message #161857] Fri, 09 October 2009 00:23
florian (Senior Member, Switzerland)
Howdie!

Bryce wrote:
> Thanks for the reply.
> I am looking for details base on the last line that you wrote:
> "You would probably need to create a new group..."
> if i create the new group, what permissions would i give it and where would
> i do it.
> would i have to add that group to the security in ADSIedit? or is there a
> less risky place to add it.

The newly created group would just be used to change a user's primary
group membership. You don't add the group anywhere and don't give it
permission to any ACLs on the file system or in Active Directory. You
don't need that group for reading in the directory - the user (newly
created) already has that permission afaik.

Florian
Re: read only account to AD [message #161905 is a reply to message #161904] Fri, 09 October 2009 00:34
florian (Senior Member, Switzerland)
Okay,

Florian Frommherz [MVP] wrote:
> permission to any ACLs on the file system or in Active Directory. You
> don't need that group for reading in the directory - the user (newly
> created) already has that permission afaik.

Let me take that back. There are portions of the directory service that
can be read by normal users and portions that can't. Is there a list of
places in the directory the user needs access to? The whole directory?
If so, you'd need to change a couple of ACLs in the directory to allow
the user (or the newly created group the account is in) read permission.

However, re-ACL'ing the whole directory may increase the DIT a little -
and pose another security risk. I'd check whether I can get away with
just re-configuring the user's primary group with a new group. If that
doesn't work for you, you may need to re-ACL the needed portions of the
directory.

Cheers,
Florian
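Florian's advice is to first check whether the default read permission is enough and only re-ACL the portions that are actually needed. The following added example (not from the thread) does that check by binding as the read-only account and enumerating each container it must see, then grants Generic Read with dsacls only on the containers it cannot read. Account, group and OU names are placeholders; it assumes the account already exists and that you run it from a machine with dsacls.exe.

```powershell
# Added example (not from the thread). Bind as the read-only account, see which
# containers it can enumerate, and grant scoped Generic Read only where needed.
# All names below are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Test-LdapRead {
    param([string]$Path, [System.Management.Automation.PSCredential]$Cred)
    $plain = $Cred.GetNetworkCredential().Password
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        $Path, $Cred.UserName, $plain,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    try {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
        $searcher.Filter   = '(objectClass=*)'
        $searcher.PageSize = 1000
        # Subtree search includes the base object, so 0 means not even the
        # container itself is visible to this account.
        $count = $searcher.FindAll().Count
        [pscustomobject]@{ Path = $Path; Readable = ($count -gt 0); Objects = $count }
    } catch {
        # Bind or search failure (access denied, no such object) counts as unreadable.
        [pscustomobject]@{ Path = $Path; Readable = $false; Objects = 0 }
    } finally { $entry.Dispose() }
}

$cred = Get-Credential 'EXAMPLE\svc-ldapread'            # placeholder account
$ous  = @('LDAP://OU=Users,DC=example,DC=com',           # placeholder DNs
          'LDAP://OU=Servers,DC=example,DC=com')

$results = $ous | ForEach-Object { Test-LdapRead -Path $_ -Cred $cred }
$results | Format-Table -AutoSize

# Re-ACL only the containers that failed. /I:T applies the ACE to the object
# and its children; GR (Generic Read) grants list/read-property/read-ACL and
# nothing that writes. Target a group, not the user, so later accounts reuse it.
foreach ($r in $results | Where-Object { -not $_.Readable }) {
    $dn = $r.Path -replace '^LDAP://', ''
    dsacls $dn /I:T /G 'EXAMPLE\LDAP-ReadOnly:GR'         # placeholder group
}
```

Re-run the first half after the grant to confirm the account now sees the objects it needs, and nothing else.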
Re: read only account to AD [message #162060 is a reply to message #161848] Wed, 14 October 2009 13:42
SubstituteThisWithMyF (Member, Netherlands)
By default a user account in AD can ONLY read objects.

However, I do assume you have changed the option where EACH account can
create up to 10 computers in AD and join them!

see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!

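Jorge's point is that a "read-only" user can still, by default, create up to 10 computer accounts through the ms-DS-MachineAccountQuota setting on the domain. This added example (not from the thread) reads the current quota, lists computers that ordinary accounts have already joined via that quota, and sets the quota to 0. It assumes the ActiveDirectory module and an account allowed to edit the domain object.

```powershell
# Added example (not from the thread): audit and close the per-user computer
# join quota so an LDAP read-only account cannot create machine accounts.
# Assumes the ActiveDirectory module; run as a domain admin or equivalent.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
              -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $quota (default is 10)"

# A computer created under the quota records the creating user's SID in
# mS-DS-CreatorSID; computers created by delegated admins leave it empty.
# Resolving each SID shows which ordinary accounts have joined machines.
$joined = Get-ADComputer -Filter * -Properties mS-DS-CreatorSID |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier(
                   $_.'mS-DS-CreatorSID', 0)
        $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
               catch { $sid.Value }   # deleted creator: keep the raw SID
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $who }
    }
$joined | Sort-Object CreatedBy | Format-Table -AutoSize

# Close the quota and read it back to confirm the change replicated locally.
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
(Get-ADObject -Identity $domain.DistinguishedName `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```

With the quota at 0, joins must go through accounts that hold an explicit "Create Computer objects" grant on the target OU, which is the place to delegate and audit them.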