Permissions required to query active directory?

    Question

  • What are the default permissions for a LOCAL user on a machine joined to the domain to use the net.exe command? Specifically something like:

    net group "domain admins" /domain

    Second question - is there a GPO that can deny a local user the ability to query AD, even if the machine is joined to the domain?

    Wednesday, April 24, 2013 2:40 PM

Answers

  • Thanks - not interested in blocking a domain user's ability to query AD. Just wondering about the local user's ability to do so. It seems that our local users can run => net group "domain admins" /domain

    Trying to hunt down the reason.

    If the local user has the same username and password as a domain user, the local user will be able to query Active Directory. Otherwise by default the local users don't have any access.
    Wednesday, April 24, 2013 3:27 PM
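The condition in the accepted answer (a local account whose name and password match a domain account) is easy to miss during an audit, because the directory itself only shows the name collision. The following PowerShell is an added example for this thread, not code posted by any participant: run on a domain-joined machine by an account that can read the directory, it lists every local account whose username also exists as a domain user, using only the built-in ADSI providers. The function names are assumptions for this example.

```powershell
# Added example, not code from the thread. Assumes a domain-joined host and a
# caller allowed to read the directory; uses only built-in ADSI providers.

function ConvertTo-LdapFilterValue {
    # Escape characters that have special meaning in an LDAP filter (RFC 4515),
    # so an odd local username cannot change the shape of the query.
    param([string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-LocalAccountsShadowingDomainUsers {
    # Resolve the current domain's naming context from RootDSE.
    $domainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDN"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    # Enumerate local accounts through the WinNT provider.
    $computer   = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $localUsers = $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' }

    foreach ($u in $localUsers) {
        $name     = [string]$u.Name
        # ADS_UF_ACCOUNTDISABLE (0x2) marks a disabled local account.
        $disabled = ([int]$u.UserFlags.Value -band 2) -ne 0

        # Look for a domain user with the same sAMAccountName.
        $escaped = ConvertTo-LdapFilterValue $name
        $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
        $match = $searcher.FindOne()

        if ($match) {
            [pscustomobject]@{
                LocalAccount  = "$env:COMPUTERNAME\$name"
                LocalEnabled  = -not $disabled
                DomainAccount = [string]$match.Properties['distinguishedname'][0]
            }
        }
    }
}

Get-LocalAccountsShadowingDomainUsers | Format-Table -AutoSize
```

Each row is a local account that shares its name with a domain user; whether the passwords also match is not something the directory will tell you, so an enabled row is the case to follow up on (rename or disable the local account, or reset one of the two passwords) if the behaviour described in the accepted answer is not intended.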

All replies

  • A local user does not have permissions to query AD.

    You cannot deny a user to query AD without getting into a lot of trouble. After all, AD is where the domain's security info is stored. Each time a user tries to access a domain resource it needs to be able to query AD to verify that it has the required permissions. There is no difference between this kind of behind-the-scenes queries and a manual query as the one you describe above.

    Wednesday, April 24, 2013 2:50 PM
  • Thanks - not interested in blocking a domain user's ability to query AD. Just wondering about the local user's ability to do so. It seems that our local users can run => net group "domain admins" /domain

    Trying to hunt down the reason.

    Wednesday, April 24, 2013 2:57 PM
  • Bingo, thanks Neil.
    Wednesday, April 24, 2013 4:02 PM