RE: Restricting LDAP search permissions in AD2003



Unless my memory has gotten that bad, by default the account would have
to be at least in the Account Operators group in order to make any
modifications to a user object.

You can ensure that the account in question has DENY set for any Write
operation on user objects at the domain level. Also make sure that any
shares you have either have DENY for that user, or you aren't using
Everyone, Authenticated Users or Domain Users as the permitted group.

--
Ian Hayes
Systems Engineer
Nevada Cancer Institute
Office:(702) 822-5156
email: ihayes@xxxxxxxxxxxx
http://www.nevadacancerinstitute.org
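
As an added example (not part of Ian's reply or the original thread), the steps above as a PowerShell script: create the bind account as a plain domain user, put an inherited Deny for write operations on user objects at the domain head, then verify the ACE and smoke-test it. It assumes the ActiveDirectory module (Windows Server 2008 R2+ RSAT, or the AD Management Gateway Service on a 2003 DC) and placeholder names for the account, OU, test user and group; the dsacls line in the comments is the 2003-native equivalent.

```powershell
# Added example, not from the original thread. Placeholders: svc-intranet-ldap,
# "OU=Service Accounts", the test user "testuser" and the group "Intranet-Users".
Import-Module ActiveDirectory

$svcName  = 'svc-intranet-ldap'
$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Plain domain user: no extra group memberships, no way to change its own
#    password, and a description that says what it is for.
$password = Read-Host -AsSecureString "Password for $svcName"
$params = @{
    Name                 = $svcName
    SamAccountName       = $svcName
    Path                 = "OU=Service Accounts,$domainDN"   # assumed OU
    AccountPassword      = $password
    Enabled              = $true
    PasswordNeverExpires = $true
    CannotChangePassword = $true
    Description          = 'LDAP bind account for intranet SSO (read only)'
}
$svc = New-ADUser @params -PassThru

# 2. Explicit Deny of write operations on every user object below the domain
#    head (Descendents only, so the domain object itself is not touched).
#    bf967aba-... is the well-known schemaIDGUID of the "user" class.
#    2003-native equivalent (WS = validated write, WP = write property,
#    WD = write DACL, WO = write owner):
#      dsacls "DC=example,DC=com" /I:S /D "EXAMPLE\svc-intranet-ldap:WSWPWDWO;;user"
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$sid       = [System.Security.Principal.SecurityIdentifier]$svc.SID
$rights    = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Self, WriteDacl, WriteOwner'
$deny      = [System.Security.AccessControl.AccessControlType]::Deny
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, $rights, $deny, $inherit, $userClass

$acl = Get-Acl -Path "AD:\$domainDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# 3. Verify: the only ACE on the domain head naming this account should be
#    the Deny just added (a fresh domain user has no others).
$account = "$($domain.NetBIOSName)\$svcName"
Get-Acl -Path "AD:\$domainDN" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights,
                 InheritedObjectType, InheritanceType -AutoSize

# 4. Smoke test as the service account: the read the web app needs must work,
#    and a write to some other user object must fail with
#    "Insufficient access rights to perform the operation".
$cred = Get-Credential $account
Get-ADGroupMember -Identity 'Intranet-Users' -Credential $cred     # assumed group
try {
    Set-ADUser -Identity 'testuser' -Description 'should fail' -Credential $cred
    Write-Warning 'Write succeeded: the Deny ACE is not effective'
} catch {
    "Write denied as expected: $($_.Exception.Message)"
}
```

Two caveats on the Deny approach. An inherited Deny does not beat an explicit Allow placed directly on an object (explicit ACEs are evaluated before inherited ones), so the account must also stay out of delegated groups and out of any OU-level delegation; the default SELF entries on its own object are the one place it can still write a few personal attributes. And the Deny only covers directory writes; share and NTFS permissions, as Ian notes, are a separate check.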


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Paul Deasy
Sent: Wednesday, March 19, 2008 9:42 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Restricting LDAP search permissions in AD2003

I have had a couple of requests to have some internal intranet apps
configured so end-users could login via SSO (authenticating against
our AD2003 database.)

I'm trying to set up an AD2003 user account, which would be used when
configuring the LDAP authentication of the webapp, but I'm a bit
concerned that a basic domain-user level account would be able to do
more than just query the AD database with an LDAP query. I'm trying to
ensure that the user account would only be able to check permissions of
a security group.

Does anyone have (or know of) any recommended access controls for such
a user account setup? I want to be sure that this user account cannot
be used to modify user account permissions.

Any suggestions would be much appreciated.

PaulD




