Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

AD Read only admin account in windows 2003 server

Posted on 2013-01-29
5
Medium Priority
?
1,754 Views
Last Modified: 2013-02-20
I run a Windows 2003 server network with Windows 7 workstations for small organization within a larger organization. We run our own forest/domain and servers for a business reason.

In moving to an enterprise remote access and MDM solution, the project managers working on this project wants me to create and provide them an AD admin account that is read only so that they can use this account to read my AD.

How do you create a readonly AD admin account?
0
Comment
Question by:TechGoingSolo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 8

Accepted Solution

by:
R_Edwards earned 2000 total points
ID: 38832320
Domains users by default have a read access to Active directory objects. So there is no need to creating a any group to accomplsih this.

Probably you need to install RSAT Tool on users system (I am assuming users are using windows vista or higher OS on their client system)

Download the RSAT Tool from below link and install it on the client sytems.

http://www.microsoft.com/download/en/details.aspx?id=7887

Refer below link to understand this better.

http://www.windowsecurity.com/articles/installing-using-remote-server-administration-tools-rsat-vista.html

Above link explains step by step procedure to install the RSAT Tool.( Window vista, windows 2008 Etc)

For Legacy operting systems (XP, windows server 2003) you need to use adminpak.msi.

http://support.microsoft.com/kb/314978
0
 

Author Comment

by:TechGoingSolo
ID: 38832413
This is what the project engineer emailed me asking for information.

"Also provide the admin DN (a read only account and password so that RSA can read your AD) and search DNs for users and groups"

So I can just create and send him a standard user account information?
0
 
LVL 8

Expert Comment

by:R_Edwards
ID: 38832509
yep, I would test it out to ensure that you can access it.
0
 
LVL 10

Expert Comment

by:ddiazp
ID: 38833015
Sounds like they want to use their own ldap tools instead of active directory.. which is understandable


you need to find the 'path' of the account you created and provide it with LDAP syntax for the username DN:


search base (probably what he meant instead of search DNs):

This is usually:

CN=Users,DC=example,DC=com  If the users they need to search are located under the Users container

OU=Groups,DC=example,DC=com If the groups they need to search are located under the Groups OU


the username DN would be: CN=userexample,OU=examplechildou,OU=exampleparentou,DC=example,DC=com

Assuming that you created 'userexample' under a OU named 'examplechildou', which is a child of OU named 'exampleparentou', which is then directly under your domain: DC=example,DC=com
0
 
LVL 3

Expert Comment

by:jeorge
ID: 38834838
A Read Only Domain Admin is a contradiction in terms. A normal
authenticated user has the ability to read most things in a domain if they
have the right tools.

There is no Read only domain administrator account in AD. Members of Domain administrator account will be having more powerful permissions in your Domain. So it is bad practice to add lot of user accounts to domain admin groups.
By default all domain users will be having read access to Active directory. They can check the user account/computers accounts/GPO etc in your AD.

Just look at this link and look if it suits your need feasible..

http://technet.microsoft.com/en-us/library/hh356036.aspx

http://technet.microsoft.com/en-us/library/hh356036.aspx

Else you can use a third party tool for the same to make your work and your vendor work easier.

I f you want i can suggest you.
0

Featured Post

Simplify Your Workload with One Tool

How do you combat today’s intelligent hacker while managing multiple domains and platforms? By simplifying your workload with one tool. With Lunarpages hosting through Plesk Onyx, you can:

Automate SSL generation and installation with two clicks
Experience total server control

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This program is used to assist in finding and resolving common problems with wireless connections.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question