LDAP authentication

  • Question

  • I have 3 child domains and one parent domain. If we create a service account in one child domain, can this service account be used to do LDAP queries in all domains (parent and child)? What permissions should the service account have?

    Sunday, June 19, 2016 7:01 AM

Answers

  • Any account is able to perform the LDAP query within a single forest. You don't need any special permission.

    e.g., using dsa.msc you can connect to any domain.

    You need explicit ACL permission if you need to access a different domain's resources, like a UNC share.


    Regards,

    Biswajit

    MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011


    Note: Disclaimer: This posting is provided with no warranties or guarantees and confers no rights.


    • Edited by bshwjt Sunday, June 19, 2016 9:16 AM
    • Proposed as answer by Wendy Jiang Tuesday, June 28, 2016 9:17 AM
    • Marked as answer by Wendy Jiang Friday, July 1, 2016 7:08 AM
    Sunday, June 19, 2016 9:14 AM
  • Also, if the information the account needs is in the Global Catalog, the query can target a GC, which will be on a DC in the local domain.

    Edit: To find all attributes replicated to the GC, run this at the command prompt of a DC (or client with RSAT):

    dsquery * -Filter "(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" -Attr LDAPDisplayName


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Sunday, June 19, 2016 10:22 AM
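As an added example (not code from any of the replies above), the points made in Biswajit's and Richard's answers as a PowerShell script: a service account defined in one child domain reading a different child domain over plain LDAP with no extra ACLs, the same account reading forest-wide through a Global Catalog on a DC in its own domain, and Richard's dsquery for the partial attribute set run through the same searcher. The forest root corp.example, the child domains emea.corp.example and apac.corp.example, and the account EMEA\svc-ldap are assumed names, not anything from the thread.

```powershell
# Added example, not from the original thread. Assumed names: forest root corp.example,
# child domains emea.corp.example and apac.corp.example, service account EMEA\svc-ldap.
# Runs on any domain-joined Windows host; uses System.DirectoryServices, so RSAT is optional.

$cred = Get-Credential 'EMEA\svc-ldap'   # the account exists in ONE child domain only

function Invoke-LdapSearch {
    param(
        [Parameter(Mandatory)] [string] $Path,       # ADSI path: LDAP://host[:port]/<base DN> or GC://host/<base DN>
        [Parameter(Mandatory)] [string] $Filter,     # RFC 4515 search filter
        [string[]] $Attributes = @('distinguishedName', 'sAMAccountName'),
        [pscredential] $Credential,
        [int] $PageSize = 500
    )
    # AuthenticationTypes.Secure = Negotiate (Kerberos inside the forest), so the
    # child-domain account is authenticated by the target DC without any extra setup.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        $Path,
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Attributes)
    $searcher.PageSize    = $PageSize   # server-side paging; without it results stop at the DC's MaxPageSize (1000)
    $searcher.SearchScope = 'Subtree'
    try {
        foreach ($r in $searcher.FindAll()) {
            $o = [ordered]@{}
            foreach ($a in $Attributes) {
                # result property names are stored lower-case; multi-valued attributes are joined for display
                $o[$a] = @($r.Properties[$a.ToLower()]) -join ';'
            }
            [pscustomobject]$o
        }
    }
    finally { $searcher.Dispose(); $root.Dispose() }
}

# 1. Other child domain, plain LDAP (port 389) to one of ITS domain controllers.
#    No ACL changes are needed: the default security descriptors grant read access to
#    Authenticated Users, and an account from any domain in the forest is one.
Invoke-LdapSearch -Credential $cred `
    -Path   'LDAP://apac.corp.example/DC=apac,DC=corp,DC=example' `
    -Filter '(&(objectCategory=person)(objectClass=user)(sAMAccountName=j*))'

# 2. Whole forest in one round trip: a Global Catalog (port 3268, 3269 for TLS) on a DC
#    in the account's own domain, searched from the forest root DN. Only attributes in
#    the partial attribute set come back; others are silently empty, not an error.
Invoke-LdapSearch -Credential $cred `
    -Path   'GC://emea.corp.example/DC=corp,DC=example' `
    -Filter '(&(objectCategory=group)(cn=*Admins))' `
    -Attributes 'distinguishedName', 'member'

# 3. Richard's dsquery, through the same searcher: which attributes the GC actually holds.
Invoke-LdapSearch -Credential $cred `
    -Path   'LDAP://emea.corp.example/CN=Schema,CN=Configuration,DC=corp,DC=example' `
    -Filter '(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Attributes 'lDAPDisplayName' | Sort-Object lDAPDisplayName
```

Two practical checks: if an attribute you need is missing from the output of the third query, send that search to a DC in the domain that owns the object (first form) rather than to the GC; and because the account needs nothing beyond default read access, keep it an ordinary, non-privileged account (or a gMSA) and bind over 636/3269 or with LDAP signing so its credentials do not travel in the clear.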
  • Hi,
    Please see details from:
    RECOMMENDATIONS FOR LDAP LOOKUP ACCOUNTS AND CONNECTIONS IN ACTIVE DIRECTORY
    http://morgansimonsenblog.azurewebsites.net/2013/10/25/recommendations-for-ldap-lookup-accounts-and-connections-in-active-directory/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Wendy Jiang Tuesday, June 28, 2016 9:17 AM
    • Marked as answer by Wendy Jiang Friday, July 1, 2016 7:08 AM
    Thursday, June 23, 2016 6:48 AM
  • All normal user accounts have read permission to all domains in a forest.

    Regards www.windowstricks.in

    • Proposed as answer by Wendy Jiang Tuesday, June 28, 2016 9:17 AM
    • Marked as answer by Wendy Jiang Friday, July 1, 2016 7:09 AM
    Thursday, June 23, 2016 6:25 PM
