How to create a read-only LDAP user for MS Active Directory?

Posted on 2010-01-05
Last Modified: 2012-05-08

 I have a developer that is testing some software that connects to MS AD using LDAP, and I want to create a group that has READ-ONLY rights to do so.  How do I create a user group for AD that has AD connect rights and read-only rights to users' account information (as in an LDAP password verification query)?

 Any help and suggestions are welcome.

Question by:privasoft
    LVL 70

    Expert Comment

    by:Chris Dent

    Any regular (non-administrative) user account will be just that unless someone else has locked down AD to prevent it.

    LVL 7

    Accepted Solution

    You can create a group, go to adsiedit.msc and then, on every partition that you see there (domain, configuration and schema), right-click and go to their properties one by one to set security settings. You can specifically set deny permissions for that particular group.

    You can also do the same thing for DomainDNSZones and ForestDNSZones as well.
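
The procedure from the accepted answer, scripted in PowerShell as an added example that is not part of the original thread. The group name `LDAP-ReadOnly`, the account name `svc-ldap-test`, the `$Apply` switch and the choice of denied rights are assumptions; it also assumes the RSAT ActiveDirectory module and `dsacls.exe` are available and that the operator may edit the ACL on each partition.

```powershell
# Added example: names below are hypothetical placeholders, not from the thread.
Import-Module ActiveDirectory

$GroupName = 'LDAP-ReadOnly'   # hypothetical group name
$UserName  = 'svc-ldap-test'   # hypothetical bind account for the developer
$Apply     = $false            # leave $false to only print the dsacls commands

$domain = Get-ADDomain
$root   = Get-ADRootDSE

# 1. Create the group and a regular (non-administrative) bind account in it.
#    Both land in the default Users container because no -Path is given.
New-ADGroup -Name $GroupName -SamAccountName $GroupName `
    -GroupScope Global -GroupCategory Security
New-ADUser -Name $UserName -SamAccountName $UserName -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString "Password for $UserName")
Add-ADGroupMember -Identity $GroupName -Members $UserName

# 2. Deny write-type rights to the group on every directory partition.
#    WP = write property, WS = write to self, CC/DC = create/delete child,
#    SD = delete, DT = delete tree, WD = change permissions, WO = take ownership.
#    /I:T applies the entry to the partition root and all objects below it.
$trustee = '{0}\{1}' -f $domain.NetBIOSName, $GroupName
$deny    = "${trustee}:WPWSCCDCSDDTWDWO"

# namingContexts lists the domain, Configuration and Schema partitions plus
# the DomainDnsZones and ForestDnsZones application partitions.
foreach ($dn in $root.namingContexts) {
    if ($Apply) {
        & dsacls.exe $dn /I:T /D $deny
    } else {
        "dsacls.exe `"$dn`" /I:T /D `"$deny`""
    }
}

# 3. Review: list the ACL lines that mention the group on each partition root.
if ($Apply) {
    foreach ($dn in $root.namingContexts) {
        "--- $dn"
        & dsacls.exe $dn | Select-String -SimpleMatch $GroupName
    }
}
```

An inherited deny entry does not override an allow entry set explicitly on a child object, and objects with inheritance disabled are not covered, so spot-check sensitive containers after applying.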



    Author Closing Comment

    This is exactly what I needed. Thanks!
