TechGoingSolo
asked on
AD Read only admin account in windows 2003 server
I run a Windows 2003 server network with Windows 7 workstations for small organization within a larger organization. We run our own forest/domain and servers for a business reason.
In moving to an enterprise remote access and MDM solution, the project managers working on this project want me to create and provide them an AD admin account that is read only, so that they can use this account to read my AD.
How do you create a readonly AD admin account?
yep, I would test it out to ensure that you can access it.
Sounds like they want to use their own LDAP tools instead of Active Directory, which is understandable.
You need to find the 'path' of the account you created and provide it in LDAP syntax for the username DN.
Search base (probably what he meant instead of "search DNs"). This is usually:
CN=Users,DC=example,DC=com (if the users they need to search are located under the Users container)
OU=Groups,DC=example,DC=com (if the groups they need to search are located under the Groups OU)
The username DN would be: CN=userexample,OU=examplechildou,OU=exampleparentou,DC=example,DC=com
Assuming that you created 'userexample' under an OU named 'examplechildou', which is a child of an OU named 'exampleparentou', which is then directly under your domain: DC=example,DC=com
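As an added example (not from the thread or any of its posters), a small Python helper that builds the bind DN and search base described above from an account's OU path, parses DNs back with RFC 4514 backslash escaping, and checks whether a proposed search base actually contains the account; the domain, OU and account names are the thread's hypothetical ones.

```python
import re

# Characters RFC 4514 requires to be backslash-escaped inside an RDN value.
_SPECIAL = re.compile(r'([,+"\\<>;])')


def escape_rdn_value(value):
    """Escape one attribute value so it can be embedded in a DN string."""
    out = _SPECIAL.sub(r'\\\1', value)
    if out.startswith(('#', ' ')):      # a leading '#' or space must be escaped
        out = '\\' + out
    if out.endswith(' '):               # a trailing space must be escaped
        out = out[:-1] + '\\ '
    return out


def domain_dn(fqdn):
    """example.com -> DC=example,DC=com"""
    return ','.join('DC=' + escape_rdn_value(p) for p in fqdn.split('.'))


def build_user_dn(cn, ou_path, fqdn):
    """Bind DN for an account; ou_path runs from the OU holding it up to the top OU."""
    rdns = ['CN=' + escape_rdn_value(cn)] + ['OU=' + escape_rdn_value(ou) for ou in ou_path]
    return ','.join(rdns) + ',' + domain_dn(fqdn)


def parse_dn(dn):
    """Split a DN into (TYPE, value) pairs, honouring backslash escapes (hex \\XX not handled)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):
            buf.append(dn[i + 1]); i += 2    # keep the escaped character literally
        elif dn[i] == ',':
            rdns.append(''.join(buf)); buf = []; i += 1
        else:
            buf.append(dn[i]); i += 1
    rdns.append(''.join(buf))
    return [(a.strip().upper(), v) for a, _, v in (r.partition('=') for r in rdns)]


def parent_dn(dn):
    """Container holding the object: the natural search base for objects beside it."""
    return ','.join(t + '=' + escape_rdn_value(v) for t, v in parse_dn(dn)[1:])


def is_within(dn, base):
    """True if dn sits under base (AD compares DN values case-insensitively)."""
    d = [(t, v.lower()) for t, v in parse_dn(dn)]
    b = [(t, v.lower()) for t, v in parse_dn(base)]
    return len(b) < len(d) and d[-len(b):] == b
```

The `is_within` check catches the common mistake of handing the vendor CN=Users as the search base when the accounts actually live in an OU tree, where the search would silently return nothing.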
A Read Only Domain Admin is a contradiction in terms. A normal authenticated user has the ability to read most things in a domain if they have the right tools.
There is no read-only domain administrator account in AD. Members of the Domain Admins group have far more powerful permissions in your domain, so it is bad practice to add lots of user accounts to domain admin groups.
By default, all domain users have read access to Active Directory. They can check the user accounts, computer accounts, GPOs etc. in your AD.
Just look at this link and see if it suits your needs:
http://technet.microsoft.com/en-us/library/hh356036.aspx
Else you can use a third-party tool for the same, to make your work and your vendor's work easier.
If you want, I can suggest one.
ASKER
"Also provide the admin DN (a read only account and password so that RSA can read your AD) and search DNs for users and groups"
So I can just create a standard user account and send him its information?