Solved

How does the Active Directory user attribute 'Log on to' work?

Posted on 2011-02-15
475 Views
Last Modified: 2012-05-11
I have a service account that has access only to the two application servers it runs jobs on; however, it needs to connect to a domain controller to read Active Directory for user accounts. Does it need to be granted the user right for 'log on to' in AD? How does this permission really work?
Question by:childersj
13 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34900270
Just install on his workstation

if XP -> administrative tools
if 7 -> RSAT

and he will use dsa.msc console to see AD Users and Computers without need to log on to the DC

Regards,
Krzysztof
0
 

Author Comment

by:childersj
ID: 34900321
Hmm, that's not really what I was looking for. This is for a Business Objects application that will be used to read out of AD and populate the information in Business Objects. We will be authenticating users through this as well. It needs to go through AD. I'm not sure exactly what locking down the 'log on to' feature prevents from happening, which is what I am trying to find out. I don't know if it is talking about interactive logons or if it would block the LDAP call to the DC as well.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34900363
It blocks interactive logon. You can still query AD using LDAP syntax. Allowing users direct access to the DC is bad practice. If you can avoid that, do not allow them to log on locally to the DCs.

I think that this application would query LDAP for attributes. In case it needs to write any of them, please make sure that users working with that app will have the appropriate rights delegated to those objects.

Krzysztof
0

Author Comment

by:childersj
ID: 34900400
They only need read access to AD, no writes. They do not need the ability to log on to the DC, only to query for objects/attributes. Not sure why this isn't working.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34900417
Do you see any error message or error in event log ?
0
 
LVL 7

Expert Comment

by:BobintheNoc
ID: 34900439
The Log On To: is a method to restrict users from logging into, interactively, all computers in the domain. By identifying specific computer names, typically workstations, in the LOG ON TO section, the user will ONLY be allowed to log on to those machines.

So, for example, if the user JaneDoe is only supposed to be allowed to log on to a single workstation in your company, you'd add the desired workstation to the Log On To list.
0
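The list described above is stored on the user object as the userWorkstations attribute, which the ActiveDirectory PowerShell module exposes as LogonWorkstations. The following is an added example (not code from the thread) showing how to read the current list, restrict an account to a set of computers, append one more name the way the asker ended up doing, and clear the restriction again. The account name SVC-BO and the computer names APP01, APP02 and DC01 are hypothetical; it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: manage the "Log On To" list (userWorkstations) of an account.
# Account and computer names below are hypothetical placeholders.
Import-Module ActiveDirectory

$account = 'SVC-BO'   # hypothetical service account (sAMAccountName)

# 1. Read the current list. An empty value means "all computers" (the default).
$user = Get-ADUser -Identity $account -Properties LogonWorkstations
if ([string]::IsNullOrEmpty($user.LogonWorkstations)) {
    "$account may log on to all computers"
} else {
    "$account is restricted to: $($user.LogonWorkstations)"
}

# 2. Restrict the account to the two application servers.
#    The value is a comma-separated list of NetBIOS computer names.
Set-ADUser -Identity $account -LogonWorkstations 'APP01,APP02'

# 3. Append one more name without losing the existing entries
#    (the asker's fix was adding the domain controller to this list).
$current = (Get-ADUser -Identity $account -Properties LogonWorkstations).LogonWorkstations
$names   = @($current -split ',' | Where-Object { $_ }) + 'DC01'
Set-ADUser -Identity $account -LogonWorkstations (($names | Select-Object -Unique) -join ',')

# 4. Confirm via the raw LDAP attribute name, which is what an LDAP client sees.
(Get-ADUser -Identity $account -Properties userWorkstations).userWorkstations

# 5. Remove the restriction entirely by clearing the attribute (commented out
#    so the script does not undo the change it just made).
# Set-ADUser -Identity $account -Clear userWorkstations
```

The names are compared against the computer name the authenticating client presents during logon, so the entries must be the computers' NetBIOS names rather than DNS names or IP addresses. Because an empty attribute removes the restriction, a change-control review of this attribute on service accounts is a cheap way to catch accidental widening.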
 

Author Comment

by:childersj
ID: 34900450
NO, that is the strange part, I don't see any errors anywhere.
0
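When the "Log On To" restriction is what rejects a logon, the evidence is on the domain controller, not the application server, and only if failure auditing is enabled for Credential Validation (event 4776), Logon (event 4625) and Kerberos Authentication Service (event 4768). The following is an added example (not from the thread) that searches a DC's Security log for the workstation-restriction status code 0xC0000070 (STATUS_INVALID_WORKSTATION) in NTLM and logon-failure events, and for Kerberos AS requests rejected with result code 0x12 (KDC_ERR_CLIENT_REVOKED, which covers workstation and logon-hours restrictions as well as disabled or locked-out accounts). It is meant to be run on the DC with an account that can read the Security log; the 24-hour window is an arbitrary choice.

```powershell
# Added example: find logons rejected by the "Log On To" restriction in a DC's
# Security log. Requires failure auditing for the relevant subcategories.

function Get-EventField {
    # Pull a named EventData field out of an event record via its XML view,
    # which is more robust than parsing the rendered message text.
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddHours(-24)   # arbitrary search window

# NTLM (4776) reports the code in Status; a logon failure (4625) reports it in
# SubStatus. PowerShell's -eq is case-insensitive, so the hex casing does not matter.
$ntlmAndLogon = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4776; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object {
        (Get-EventField $_ 'Status')    -eq '0xC0000070' -or
        (Get-EventField $_ 'SubStatus') -eq '0xC0000070'
    } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            Account     = Get-EventField $_ 'TargetUserName'
            # The two events name the workstation field differently.
            Workstation = if ($_.Id -eq 4625) { Get-EventField $_ 'WorkstationName' } else { Get-EventField $_ 'Workstation' }
            Reason      = 'STATUS_INVALID_WORKSTATION (0xC0000070)'
        }
    }

# Kerberos: a rejected AS request is logged as 4768 with result code 0x12.
$kerberos = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'Status') -eq '0x12' } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            Account     = Get-EventField $_ 'TargetUserName'
            Workstation = Get-EventField $_ 'IpAddress'   # client address; the KDC does not log a NetBIOS name here
            Reason      = 'KDC_ERR_CLIENT_REVOKED (0x12): workstation/hours restriction or disabled/locked account'
        }
    }

$ntlmAndLogon + $kerberos | Sort-Object Time | Format-Table -AutoSize
```

If this returns nothing while the application still fails, either failure auditing is off on the DC (check with `auditpol /get /category:Logon/Logoff,"Account Logon"`), or the failure is happening somewhere other than the authentication step, which points back at the application's own LDAP configuration rather than at the account.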
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34900480
What happens if you grant that user local administrator rights and run this app?
0
 

Author Comment

by:childersj
ID: 34900603
Not able to grant local admin rights to this app. This is a secured environment. It doesn't need to have any admin rights. I just checked AD and it has rights to read all attributes and permissions. All attribute lookups are default, which is correct, and the distinguished name is correct. I have no idea what else could be going on.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34900679
OK, secured environment? Firewall issues?

0
 
LVL 11

Expert Comment

by:techhealth
ID: 34901155
How does the service account "connect to a domain controller to read active directory for user accounts"? Via what kind of LDAP/AD API? If the account looks normal in AD, then you might want to troubleshoot the access venue. The different ways AD gets exposed have different subtle issues.
0
 

Author Comment

by:childersj
ID: 34962276
I'm honestly not sure what API it is using. I believe Business Objects is Java based; however, I did figure out the problem, and it was that the attribute 'logon to' didn't specify the domain controller. Once I added it there, it worked just fine. I didn't think that it would work that way and I'm slightly confused about why it does, but at least it is working now. I just wish I could find some documentation about exactly how that attribute works. Most of the documents on TechNet and the books I have basically just say that it controls which systems you can access, which is not a particularly helpful description as it states the obvious and doesn't really describe how it works. I appreciate all of the help.
0
 
LVL 11

Accepted Solution

by:techhealth (earned 500 total points)
ID: 34964707
It's entirely possible that BO misused the ADSI API calls...  "Logon to" really just refers to whether an account/app is allowed to log on interactively to a machine (in your case DC), which is unnecessary for just authenticating users.  Glad you got it working anyway...
0
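The accepted solution's point is that authenticating and reading users over LDAP does not by itself need the account on the DC's "Log On To" list, so the quickest way to separate an account problem from an application problem is to reproduce the read from one of the permitted application servers with the service account's own credentials. The following is an added example (not from the thread, and not Business Objects' ADSI code) that does this with System.DirectoryServices. The DC name dc01.corp.example, the domain CORP, the account SVC-BO and the looked-up user jdoe are hypothetical placeholders.

```powershell
# Added example: test an LDAP bind and user lookup as the service account from an
# application server. All host, domain and account names are hypothetical.
Add-Type -AssemblyName System.DirectoryServices

$ldapPath = 'LDAP://dc01.corp.example/DC=corp,DC=example'   # hypothetical DC and naming context
$cred     = Get-Credential -UserName 'CORP\SVC-BO' -Message 'Service account password'
$password = $cred.GetNetworkCredential().Password

# AuthenticationTypes::Secure negotiates Kerberos/NTLM. A Java application doing an
# LDAP simple bind corresponds to AuthenticationTypes::None, which sends the password
# in the clear and so belongs only on an LDAPS (SecureSocketsLayer) connection.
$root = New-Object System.DirectoryServices.DirectoryEntry(
    $ldapPath, $cred.UserName, $password,
    [System.DirectoryServices.AuthenticationTypes]::Secure)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName=jdoe))'
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'userWorkstations', 'userAccountControl'))

try {
    # FindOne performs the bind; a credential or restriction problem surfaces here
    # as an exception with the server's error text, which is the diagnostic the
    # asker was missing on the application side.
    $result = $searcher.FindOne()
} catch {
    "LDAP bind or search failed: $($_.Exception.Message)"
    return
}

if ($null -eq $result) {
    'Bind and search succeeded, but no user matched the filter.'
} else {
    'Bind and search succeeded.'
    # SearchResult property names are lower-case.
    'DN:             ' + $result.Properties['distinguishedname'][0]
    $ws = $result.Properties['userworkstations']
    'Log On To list: ' + $(if ($ws.Count -eq 0) { '(none: all computers)' } else { $ws[0] })
}
```

Running this from a server that is on the service account's own list, and then from one that is not, shows directly which step the restriction affects in your environment, and the exception text from a failed bind gives the server-side reason that the application's logs in this thread did not.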
