Thread: AD user limited to read ldap only

  1. #1

    AD user limited to read ldap only

    Hey guys, I am in need of some urgent help from you all. I have non-Windows devices that use an AD username and password to access the LDAP info. Call me paranoid, but if someone should happen to access the device and extract the user/password, I would like to at least prevent the user from logging on to the network.

    I just wanted to know if there is any way to create a user without any other permission than reading LDAP? If yes, please let me know how.

    Thank you.

  2. #2

    Re: AD user limited to read ldap only

    Yep, that is possible. Create the user and assign him only the following rights:

    • SeDenyBatchLogonRight
    • SeDenyInteractiveLogonRight
    • SeDenyRemoteInteractiveLogonRight
    • SeDenyServiceLogonRight


    Just remember not to remove SeDenyNetworkLogonRight because this will allow the user to authenticate over the network.
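The four deny rights above live under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment (locally in GPEDIT.MSC, or in a GPO linked to the computers the account must be kept off). The following PowerShell script is an added example, not code from the thread: it exports the effective local security policy with secedit, parses the [Privilege Rights] section, and reports whether a given account carries the four deny rights while staying out of SeDenyNetworkLogonRight. The account name is a placeholder, and the script assumes it is run elevated on a machine where the policy applies.

```powershell
# Added example (not from the thread): audit the deny logon rights for a bind account.
# Assumes an elevated PowerShell session; the account name below is a placeholder.
$Account = 'EXAMPLE\svc-ldap-read'   # placeholder: replace with the real bind account

# secedit lists principals as *S-1-5-..., so resolve the account name to its SID first
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local policy to a temp .inf file
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse [Privilege Rights]: each line is "SeRightName = *SID,*SID,..." (names may appear too)
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# The account should be present in every one of these (post #2's list)
$mustDeny = 'SeDenyBatchLogonRight',
            'SeDenyInteractiveLogonRight',
            'SeDenyRemoteInteractiveLogonRight',
            'SeDenyServiceLogonRight'
foreach ($r in $mustDeny) {
    $denied = $rights[$r] -contains $sid
    '{0,-36} {1}' -f $r, $(if ($denied) { 'OK (denied)' } else { 'MISSING: add the account' })
}

# ...but it must still be able to bind over the network, so it must NOT be in this one
$netDenied = $rights['SeDenyNetworkLogonRight'] -contains $sid
'{0,-36} {1}' -f 'SeDenyNetworkLogonRight',
    $(if ($netDenied) { 'PROBLEM: network logon denied, LDAP binds will fail' } else { 'OK (not denied)' })
```

secedit reports the policy as applied on the machine you run it on, so run it on a representative member server (or a domain controller, if the account must be kept off DCs as well) rather than on a workstation that never received the GPO.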

  3. #3

    Re: AD user limited to read ldap only

    Where do I find these settings?

  4. #4

    Re: AD user limited to read ldap only

    1. Open ADSIEdit from the Windows 2000 Support Tools.
    2. Locate the Domain Naming Context folder. This folder has the LDAP path of your domain.
    3. Right-click the Domain Naming Context folder, and then click Properties.
    4. Click Security.
    5. Click Advanced.
    6. Click Add.
    7. Click the User Object user, and then click OK.
    8. Click the Permission Type tab.
    9. Click Inheritance from the Apply onto box.
    10. Click to select the Allow check box for the Permission.
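The ADSIEdit steps above grant an explicit ACE on the domain naming context; in a default domain the account already inherits read access as a member of Authenticated Users, so the explicit grant is mostly useful for making the intended scope visible and for checking that nothing wider was handed out. The script below is an added example, not code from the thread: it uses the RSAT ActiveDirectory module's AD: drive to pull the ACEs that name the bind account on the domain root and flags any Allow entry that carries rights beyond reading. The account name is a placeholder.

```powershell
# Added example (not from the thread): review what a bind account is allowed on the
# domain naming context and flag anything beyond read. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Account  = 'EXAMPLE\svc-ldap-read'                # placeholder: replace with the real account
$domainDn = (Get-ADDomain).DistinguishedName       # the naming context, e.g. DC=example,DC=com

# Bits that only read the directory; everything else (write, create/delete child, extended
# rights such as password reset, DACL changes) is more than a read-only account needs
$readOnly = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
            [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
            [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
            [System.DirectoryServices.ActiveDirectoryRights]::ListObject -bor
            [System.DirectoryServices.ActiveDirectoryRights]::ReadControl

$acl  = Get-Acl -Path "AD:\$domainDn"
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Account }

if (-not $aces) {
    "No ACE on $domainDn names $Account directly; it gets only what Authenticated Users and its group memberships inherit (normally read)."
}

foreach ($ace in $aces) {
    # Clear the read-only bits; whatever is left is a right beyond read
    $excess = [int]$ace.ActiveDirectoryRights -band (-bnot [int]$readOnly)
    [pscustomobject]@{
        Type       = $ace.AccessControlType          # Allow or Deny
        Rights     = $ace.ActiveDirectoryRights
        ObjectType = $ace.ObjectType                 # non-zero GUID = attribute/extended-right specific
        AppliesTo  = $ace.InheritanceType            # None, All, Descendents, ...
        Inherited  = $ace.IsInherited
        BeyondRead = ($ace.AccessControlType -eq 'Allow' -and $excess -ne 0)
    }
}
```

Any row with BeyondRead set to True is a grant the ADSIEdit procedure did not ask for and is worth removing; group membership (Domain Admins, Account Operators and the like) is a separate check, since those rights arrive through the group's ACEs rather than the account's own.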

  5. #5

    Re: AD user limited to read ldap only

    Thanks for the steps. I was hoping the solution in this thread would help, but it hasn't. Perhaps someone could help in my scenario:

    Native 2008 AD domain. We use a third-party app that allows authentication through LDAP. Regular users can authenticate in, but service accounts can't. Though I get a "user not found" error, the same error is generated when a user puts in the wrong password. I've tested placing the user(s) and service accounts in different OUs/containers, but that doesn't make any difference. The service account can log into a computer, so I know that it works otherwise. Vendor support says they have seen similar problems when the service account has read-only permissions to the AD, and that is what led me to this thread. And the LDAP guru for my environment tells me that there is a problem in the app's code; however, the vendor isn't admitting anything.

    So with the tip from this thread, I gave the service account Full Control over the deepest child container it is in, but that didn't fix my problem.

    Any suggestions out there?

  6. #6

    Re: AD user limited to read ldap only

    Hi a4andrew,

    The error message that you are getting is very general and it does not explain any specific problem or reason itself. Microsoft has a very good article to fix this issue at http://support.microsoft.com/kb/324321/en-us. You can also try to use the below method and see if it helps:

    • From the SQL Server running Windows 2008 R2, click Start -> Run and type the command GPEDIT.MSC. This will open the Policy Editor.
    • In the Policy Editor, expand “Computer Configuration” -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
    • You will see all security policies in the right-hand window. Make changes to the following two policies:
      • Domain member: Digitally encrypt secure channel data (when possible) – Disable this policy
      • Domain member: Digitally sign secure channel data (when possible) – Disable this policy

    After that close the policy editor and reboot.
