Tags: ldap, permissions
#1
User permissions to read LDAP

Hello all -

We have an application that queries against AD using a specific user account. However, at a new site we are working in, the user account that they have created for us won't allow us to connect to AD.

My question is:

What are the minimum permissions that a user account needs to be able to query AD?

As a test, I installed the Softerra LDAP Browser 2.6, both in my Windows 2003 domain, and on the Windows 2003 server in the client's environment.

In my environment, I can use my account and see all of the CN and OUs in my domain. When I run the program on the server in the client's environment, and I use the account they gave me, I get an error "Invalid Credentials".

Thanks!

#2
Re: User permissions to read LDAP

Just a simple user, as authenticated users have permissions all over the place to read. (unless that was changed)

You also may wanna have a look at:
http://www.petri.co.il/anonymous_lda...ws_2003_ad.htm
http://support.microsoft.com/?id=320528

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------

"Galvanon" <galvanon@online.nospam> wrote in message news:%23LTvZK3cGHA.3632@TK2MSFTNGP02.phx.gbl...
> Hello all -
>
> We have an application that queries against AD using a specific user account. However, at a new site we are working in, the user account that they have created for us won't allow us to connect to AD.
>
> My question is:
>
> What are the minimum permissions that a user account needs to be able to query AD?
>
> As a test, I installed the Softerra LDAP Browser 2.6, both in my Windows 2003 domain, and on the Windows 2003 server in the client's environment.
>
> In my environment, I can use my account and see all of the CN and OUs in my domain. When I run the program on the server in the client's environment, and I use the account they gave me, I get an error "Invalid Credentials".
>
> Thanks!

#3
Re: User permissions to read LDAP

How can we run a test to see if we can read AD?

Can we do something like this in Internet Explorer?

ldap://gal-dc:3268 (It's a DC and a GC)

We get an "Operations Error" when we do that...

"Jorge de Almeida Pinto [MVP]" <SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> wrote in message news:%23%23KQKf3cGHA.3472@TK2MSFTNGP02.phx.gbl...
> Just a simple user, as authenticated users have permissions all over the place to read. (unless that was changed)
>
> You also may wanna have a look at:
> http://www.petri.co.il/anonymous_lda...ws_2003_ad.htm
> http://support.microsoft.com/?id=320528
>
> --
> Cheers,
> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>
> # Jorge de Almeida Pinto # MVP Windows Server - Directory Services
>
> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
> -----------------------------------------------------------------------------
> * This posting is provided "AS IS" with no warranties and confers no rights!
> * Always test before implementing!
> -----------------------------------------------------------------------------

#4
Re: User permissions to read LDAP

Just log on with the user and do the queries while logged on as the user account.

For querying AD you can use LDP while logged on, or use ADFIND from joeware:
http://www.joeware.net/win/free/tools/adfind.htm

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------

"Galvanon" <galvanon@online.nospam> wrote in message news:OR%234FL4cGHA.3712@TK2MSFTNGP03.phx.gbl...
> How can we run a test to see if we can read AD?
>
> Can we do something like this in Internet Explorer?
>
> ldap://gal-dc:3268 (It's a DC and a GC)
>
> We get an "Operations Error" when we do that...

#5
Re: User permissions to read LDAP

Invalid credentials means you dorked the userid or password. If it was a security issue you just wouldn't see anything.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Galvanon wrote:
> Hello all -
>
> We have an application that queries against AD using a specific user account. However, at a new site we are working in, the user account that they have created for us won't allow us to connect to AD.
>
> My question is:
>
> What are the minimum permissions that a user account needs to be able to query AD?
>
> As a test, I installed the Softerra LDAP Browser 2.6, both in my Windows 2003 domain, and on the Windows 2003 server in the client's environment.
>
> In my environment, I can use my account and see all of the CN and OUs in my domain. When I run the program on the server in the client's environment, and I use the account they gave me, I get an error "Invalid Credentials".
>
> Thanks!

#6
Re: User permissions to read LDAP

Galvanon wrote:
> How can we run a test to see if we can read AD?
>
> Can we do something like this in Internet Explorer?
>
> ldap://gal-dc:3268 (It's a DC and a GC)

You can't connect to ldap on 3268. Use 389 for ldap communication.

> We get an "Operations Error" when we do that...

#7
Re: User permissions to read LDAP

If it is a GC you certainly can.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Brandon McCombs wrote:
> Galvanon wrote:
>> How can we run a test to see if we can read AD?
>>
>> Can we do something like this in Internet Explorer?
>>
>> ldap://gal-dc:3268 (It's a DC and a GC)
>
> You can't connect to ldap on 3268. Use 389 for ldap communication.
>
>> We get an "Operations Error" when we do that...

#8
Re: User permissions to read LDAP

Does binding to AD (authentication) differ between 2000AD and 2003AD?

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message news:O1%23wAUJdGHA.1272@TK2MSFTNGP03.phx.gbl...
> If it is a GC you certainly can.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> Author of O'Reilly Active Directory Third Edition
> www.joeware.net
>
> ---O'Reilly Active Directory Third Edition now available---
>
> http://www.joeware.net/win/ad3e.htm

#9
Re: User permissions to read LDAP

Hi,

One of the main differences, from your standpoint, is that anonymous access is enabled by default in Win2K AD, whereas it is DISABLED by default in Win2K3 AD. See the links that Jorge provided earlier in this thread.

Jim

Galvanon wrote:
> Does binding to AD (authentication) differ between 2000AD and 2003AD?

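Added example, not written by any poster in the thread: a small classifier that separates a rejected bind (LDAP result code 49, the "Invalid Credentials" case) from an authorization failure and from AD answering an unauthenticated request with operationsError (code 1). The function name `diagnose` and the sample diagnostic strings are constructed for illustration; the `data` sub-codes are the Win32 logon error codes AD places in the bind failure message.

```python
import re

# Win32 sub-codes (hex) that Active Directory reports after "data" in the
# diagnostic message of a rejected bind (LDAP result code 49).
BIND_SUBCODES = {
    "525": "user not found",
    "52e": "wrong user name or password",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password",
    "775": "account locked out",
}
DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")
NOT_BOUND = "successful bind must be completed"

def diagnose(result_code, message=""):
    """Classify a failed LDAP operation against AD as (category, detail)."""
    m = DATA_RE.search(message)
    sub = m.group(1).lower() if m else None
    if result_code == 49:   # invalidCredentials: the bind itself was rejected
        return ("authentication", BIND_SUBCODES.get(sub, "unknown sub-code"))
    if result_code == 50:   # insufficientAccessRights: bound, but not allowed
        return ("authorization", "bound identity lacks rights for the request")
    if result_code == 1 and NOT_BOUND in message:  # operationsError
        return ("not bound", "request sent on an unauthenticated connection")
    return ("other", "LDAP result code %d" % result_code)

# Constructed sample responses in the format AD uses (DSID values made up).
SAMPLES = {
    "bad password": (49, "80090308: LdapErr: DSID-0C090334, comment: "
                         "AcceptSecurityContext error, data 52e, vece"),
    "locked out": (49, "80090308: LdapErr: DSID-0C090334, comment: "
                       "AcceptSecurityContext error, data 775, vece"),
    "anonymous search": (1, "000004DC: LdapErr: DSID-0C090627, comment: In order "
                            "to perform this operation a successful bind must be "
                            "completed on the connection., data 0, vece"),
}

if __name__ == "__main__":
    for label, (code, msg) in SAMPLES.items():
        print(label, "->", diagnose(code, msg))
```

Most LDAP client libraries expose both the numeric result code and the server's diagnostic message on a failed operation; log them together so an account problem is not mistaken for a directory ACL problem.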