Windows 2003 security question
From: Daniel Nerenberg (daniel.nerenberg_at_VIRCOM.COM)
Date: 01/16/04
Date: Fri, 16 Jan 2004 16:48:29 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Don't know if this is really Bugtraq worthy, but I can't find anything
on this anywhere.
Here is my setup:
Windows 2000 AD, domain.test; the 2000 hosts a Global Catalog and several
users for test purposes.
The application we support uses LDAP to verify e-mail address existence.
We use an LDAP query to find out if the mail attribute or the
proxyAddress attribute has valid information. With Windows 2000 this
has always worked very well. Most of the time our end users don't feel
comfortable using the administrator account to read the Active Directory,
so we get them to create an account that has read permissions and help
them construct a User DN that corresponds to the newly created account.
Again, Windows 2000 SP4 works perfectly. So I can log in and browse the AD
with both an Admin account and a user-created account with the
appropriate permissions.
Now enters a weird twist: Windows 2003 Server. I integrated my 2003
server into my Active Directory (I ran adprep, and then promoted my 2003
to a DC). I try to run my AD attribute validations on the new 2003 DC
and it works only for the Admin account. If I use my user-created
account I get an [error 49] Invalid Credentials. I figured it was a new
security rule or permission associated with 2003, but I can still
connect to my Windows 2000 server and browse the AD with the user
credentials. I checked the DC security policy and played with various options
and I still couldn't make it work. I don't know if I'm missing something
obvious here, but I find it somewhat weird that the only account that
can get read (etc.) access to a 2003-hosted AD is the Administrator
account. Do I need some sort of certificate or special permission?
Any help here would be greatly appreciated.
Thanks Much!
Daniel Nerenberg
Vircom Technical Support
www.vircom.com
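As an added example (not code from Daniel's post or from Vircom's product), the following Python covers the two things the post is doing: building the LDAP filter that tests the mail and proxyAddresses attributes (the post spells it proxyAddress) with the value escaped so that an address supplied by a user cannot change the filter, and reading the diagnostic string Active Directory attaches to a result code 49 bind failure, whose "data NNN" sub-code tells a bad password apart from a disabled, locked or unknown account. The attribute names come from the post; the sub-code table is documented AD behaviour; the directory entries and the sample diagnostic string are constructed here so the script runs without a domain controller.

```python
"""Offline helpers for an AD mailbox-existence check over LDAP.

Added example; uses only the standard library and a constructed in-memory
directory, so nothing here talks to a real DC.
"""
import re


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the characters that have meaning inside a search
    filter become \\xx hex escapes, so user input stays a literal value."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def address_filter(address: str) -> str:
    """Filter matching a user by primary address or any SMTP proxy address.

    proxyAddresses values carry a type prefix ('SMTP:' for the primary
    address, 'smtp:' for aliases); AD compares the attribute without regard
    to case, so a single 'smtp:' prefix covers both forms.
    """
    v = escape_filter_value(address)
    return f'(&(objectClass=user)(|(mail={v})(proxyAddresses=smtp:{v})))'


def address_matches(entry: dict, address: str) -> bool:
    """The same test the filter expresses, evaluated on one directory entry."""
    want = address.casefold()
    if entry.get('mail', '').casefold() == want:
        return True
    for proxy in entry.get('proxyAddresses', []):
        kind, _, value = proxy.partition(':')
        if kind.casefold() == 'smtp' and value.casefold() == want:
            return True
    return False


# Constructed sample directory (not real accounts) in the post's domain.test.
SAMPLE_DIRECTORY = [
    {'dn': 'CN=Jane Doe,CN=Users,DC=domain,DC=test',
     'mail': 'jane@domain.test',
     'proxyAddresses': ['SMTP:jane@domain.test', 'smtp:j.doe@domain.test']},
    {'dn': 'CN=Ldap Reader,CN=Users,DC=domain,DC=test',
     'proxyAddresses': ['SMTP:ldapreader@domain.test']},
]


def find_mailbox(address: str, directory=SAMPLE_DIRECTORY) -> list:
    """DNs of entries that own the address (empty list = address unknown)."""
    return [e['dn'] for e in directory if address_matches(e, address)]


# Sub-codes AD places in the 'data' field of a result 49 diagnostic message.
AD_BIND_SUBCODES = {
    '525': 'user not found',
    '52e': 'invalid credentials (bad password)',
    '530': 'not permitted to log on at this time',
    '531': 'not permitted to log on at this workstation',
    '532': 'password expired',
    '533': 'account disabled',
    '701': 'account expired',
    '773': 'user must reset password',
    '775': 'account locked out',
}


def explain_bind_failure(result_code: int, diagnostic: str) -> str:
    """Turn a bind result code plus AD's diagnostic text into a reason."""
    if result_code != 49:
        return f'LDAP result {result_code}: not an invalidCredentials failure'
    m = re.search(r'\bdata ([0-9a-fA-F]+)\b', diagnostic)
    sub = m.group(1).lower() if m else None
    reason = AD_BIND_SUBCODES.get(sub, 'unknown sub-code')
    return f'invalidCredentials (49), data {sub}: {reason}'


if __name__ == '__main__':
    print(address_filter('jane@domain.test'))
    print(find_mailbox('J.Doe@domain.test'))
    # Constructed diagnostic string in the format AD returns with result 49.
    print(explain_bind_failure(
        49, '80090308: LdapErr: DSID-0C0903A9, comment: '
            'AcceptSecurityContext error, data 52e, v1db1'))
```

When the bind fails, the sub-code is the first thing to look at: `52e` means the bind identity was accepted but the password was not, `525` means the DN or name given as the bind identity did not resolve to an account, and `533`/`775` point at the account's state rather than the credential. The search filter above is only worth sending once the bind succeeds, and the escaping keeps a typed address from turning into a broader query.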
-----
Editor's Note: The 43rd Most Powerful Person in Networking says...
Out of Office replies to list messages cause you to be unsubscribed automatically. Either subscribe a Public Folder, or ensure your rules are set to ensure list messages are filtered prior to your Out of Office reply. Such automatic replies are a bane to posters, and cause us to have fewer researchers post to NTBugtraq.
-----