TechArena Community > Technical Support > Computer Help > Windows Security
AD user limited to read ldap only
#1, 08-01-2009, Member (Join Date: Jan 2009, Posts: 1)
AD user limited to read ldap only

I have a non-Windows device which needs to read AD LDAP. The device uses an AD username and password to access the LDAP info. Call me paranoid, but if someone should happen to access the device and extract the user/password, I would like to at least prevent the user from logging on to the network. Is it possible to create a user account that can only read LDAP and not have any other permissions?

Thanks for any help.
#2, 29-01-2009, Member (Join Date: Jan 2009, Posts: 1)
Re: AD user limited to read ldap only

Add your user to these Rights...

SeDenyBatchLogonRight
SeDenyInteractiveLogonRight
SeDenyRemoteInteractiveLogonRight
SeDenyServiceLogonRight

Do not remove the SeDenyNetworkLogonRight. This allows a user to authenticate over the network.
#3, 17-06-2011, Member (Join Date: Jun 2011, Posts: 2)
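The four deny rights in reply #2 live in User Rights Assignment, which can be set with secedit. The script below is an added example, not code from the thread: it adds a service account to exactly those four deny rights on the local security policy while leaving SeDenyNetworkLogonRight alone, so the account can still bind over LDAP but cannot log on interactively, as a batch job, as a service or via RDP. The account name `CONTOSO\svc-ldap-read` and the working folder are assumptions. For a domain-wide effect, put the same four rights in a GPO (for example the Default Domain Controllers Policy) instead of editing each machine.

```powershell
# Added example (not from the original thread): apply the deny-logon rights
# from reply #2 to a service account via secedit. Run in an elevated
# PowerShell session on the machine whose local policy you are editing.
$Account = 'CONTOSO\svc-ldap-read'           # assumed account name
$Work    = Join-Path $env:TEMP 'ldap-ro-rights'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Export  = Join-Path $Work 'current.inf'
$Import  = Join-Path $Work 'deny-logon.inf'

# secedit lists principals as *S-1-5-..., so resolve the account to its SID.
$NtAccount = New-Object System.Security.Principal.NTAccount($Account)
$Sid = $NtAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the current User Rights Assignment so existing members are preserved.
secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
$Current = Get-Content $Export

# The rights named in reply #2. SeDenyNetworkLogonRight is deliberately
# absent: an LDAP bind is a network logon and must stay allowed.
$DenyRights = 'SeDenyBatchLogonRight',
              'SeDenyInteractiveLogonRight',
              'SeDenyRemoteInteractiveLogonRight',
              'SeDenyServiceLogonRight'

$Lines = @('[Unicode]', 'Unicode=yes',
           '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
           '[Privilege Rights]')
foreach ($Right in $DenyRights) {
    $Existing = [string]($Current | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1)
    if ($Existing) {
        # Keep whoever is already in the right and append our SID once.
        $Members = ($Existing -split '=', 2)[1].Trim()
        if ($Members -notmatch [regex]::Escape("*$Sid")) { $Members = "$Members,*$Sid" }
    } else {
        $Members = "*$Sid"
    }
    $Lines += "$Right = $Members"
}

# secedit expects a Unicode .inf; import only the USER_RIGHTS area.
$Lines | Set-Content -Path $Import -Encoding Unicode
secedit /configure /db (Join-Path $Work 'deny.sdb') /cfg $Import /areas USER_RIGHTS

# Verify: re-export and show the deny rights that now contain the SID.
secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
Get-Content $Export | Where-Object { $_ -match '^SeDeny' -and $_ -match [regex]::Escape($Sid) }
```

After this runs, the account still authenticates for LDAP binds (network logon), which is what the device needs, but the four deny rights win over any allow, so the credentials are of little use for an interactive or service logon on that machine. Check the security event log for failed logons with those credentials if you want to confirm the denial is enforced.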
Re: AD user limited to read ldap only

Where do I find these settings?
#4, 17-06-2011, JAMES_911, Member (Join Date: Dec 2007, Posts: 1,553)
Re: AD user limited to read ldap only

  1. Open ADSIEdit from the Windows 2000 Support Tools.
  2. Locate the Domain Naming Context folder. This folder has the LDAP path of your domain.
  3. Right-click the Domain Naming Context folder, and then click Properties.
  4. Click Security.
  5. Click Advanced.
  6. Click Add.
  7. Click the User Object user, and then click OK.
  8. Click the Permission Type tab.
  9. Click Inheritance from the Apply onto box.
  10. Click to select the Allow check box for the Permission.
#5, 17-06-2011, Member (Join Date: Jun 2011, Posts: 2)
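The ADSIEdit steps in reply #4 grant an explicit Read ACE on a container. The same thing can be done, and more importantly verified, from PowerShell with the AD: drive. This is an added example, not the thread's own procedure: it grants the account GenericRead on an OU with inheritance to child objects, then binds to LDAP as that account and runs a search, which is the check that reply #5's "user not found" problem calls for. The account name, domain and OU distinguished name are assumptions. Note that on a default domain, Authenticated Users already has read access to most objects, so this ACE mostly matters where that default inheritance has been removed.

```powershell
# Added example (not from the original thread): grant read on an OU and
# confirm the service account can actually bind and search.
Import-Module ActiveDirectory                   # provides the AD: drive

$Account = 'CONTOSO\svc-ldap-read'              # assumed account name
$Domain  = 'contoso.com'                        # assumed DNS domain
$OuDn    = 'OU=People,DC=contoso,DC=com'        # assumed container
$Path    = "AD:\$OuDn"

# 1. Add an Allow/GenericRead ACE that applies to this object and all
#    descendants (the ADSIEdit "Apply onto" equivalent).
$Acl      = Get-Acl -Path $Path
$Identity = New-Object System.Security.Principal.NTAccount($Account)
$Rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Identity,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$Acl.AddAccessRule($Rule)
Set-Acl -Path $Path -AclObject $Acl

# 2. Show what the account now holds on the container (explicit and inherited).
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited

# 3. Bind as the service account and search, the way the third-party app
#    would. A bind failure here points at credentials or logon rights; a
#    successful bind returning zero objects points at the ACL instead.
$Cred  = Get-Credential -UserName $Account -Message 'Service account password'
$Entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$Domain/$OuDn",
    $Cred.UserName,
    $Cred.GetNetworkCredential().Password)
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Entry, '(objectClass=user)')
$Searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
$Results = $Searcher.FindAll()
"Bound as $Account; $($Results.Count) user objects visible under $OuDn"
$Results | ForEach-Object { $_.Properties['samaccountname'][0] } | Select-Object -First 10
```

Run step 3 on its own, before changing any ACL, to separate the two failure modes in reply #5: a bind error means the password or a deny-logon right is the problem, while a clean bind with an empty result set means the account cannot read the objects the application is looking for.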
Re: AD user limited to read ldap only

Thanks for the steps. I was hoping the solution in this thread would help, but it hasn't. Perhaps someone could help with my scenario:

Native 2008 AD domain. We use a third-party app that allows authentication through LDAP. Regular users can authenticate, but service accounts can't. Though I get a "user not found" error, the same error is generated when a user puts in the wrong password. I've tested placing the user(s) and service accounts in different OUs/containers, but that doesn't make any difference. The service account can log into a computer, so I know that it works otherwise. Vendor support says they have seen similar problems when the service account has read-only permissions to the AD, and that is what led me to this thread. And the LDAP guru for my environment tells me that there is a problem in the app's code; however, the vendor isn't admitting anything.

So with the tip from this thread, I gave the service account Full Control over the deepest child container it is in, but that didn't fix my problem.

Any suggestions out there?
#6, 18-06-2011, SUpER CoP, Member (Join Date: Dec 2007, Posts: 937)
Re: AD user limited to read ldap only

Hi a4andrew,

The error message that you are getting is very general, and it does not explain any specific problem or reason by itself. Microsoft has a very good article to fix this issue at http://support.microsoft.com/kb/324321/en-us. You can also try the method below and see if it helps:
  • From the SQL Server running Windows 2008 R2, click Start -> Run and type the command GPEDIT.MSC. This will open the Policy Editor.
  • In the Policy Editor, expand "Computer Configuration" -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
  • You will see all security policies in the right-hand window. Make changes to the following two policies:
    • Domain member: Digitally encrypt secure channel data (when possible) – Disable this policy
    • Domain member: Digitally sign secure channel data (when possible) – Disable this policy
After that close the policy editor and reboot.