How to prevent an AD account from logging on but allow LDAP queries of AD

We're creating a role account to be used by a 3rd party system on our network that needs to be able to query AD but we'd like to prevent anyone from using that role account to actually log in to AD.  Is that possible?

If so, how?

Our AD domain functional level is 2003, but we have a mix of Server 2008 and Server 2003 DCs. We're trying to get to a place where we can retire our Server 2003 DC but we're not there yet.

Thanks!
Asked by RhoSysAdmin

Mahesh (Architect) commented:
Just go to the user's AD properties, navigate to the Accounts tab \ Log On To, select "The following computer", and click OK.
Do not add any computer there, or add a disabled computer account there.
Now the user will be able to make LDAP queries but will not be able to log on to any computers in the domain.

Mahesh
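
The "Log On To" restriction described in the answer above can also be applied and audited from PowerShell. This is an added example, not part of the original answer; it assumes the ActiveDirectory module is available (RSAT plus a DC running Active Directory Web Services), and the account name `svc-ldapquery` and workstation name `NO-LOGON-HOST` are hypothetical.

```powershell
# Added example: apply and audit a "Log On To" restriction on a role account.
# Assumptions: ActiveDirectory module is installed; both names below are hypothetical.
Import-Module ActiveDirectory

$Account     = 'svc-ldapquery'   # hypothetical role account (sAMAccountName)
$Placeholder = 'NO-LOGON-HOST'   # hypothetical name that must not match a usable computer

function Test-WorkstationListIsInert {
    param([string[]]$Names)
    # $true only if no listed name belongs to an enabled computer account.
    foreach ($n in $Names) {
        $computer = Get-ADComputer -Filter "Name -eq '$n'"
        if ($computer -and $computer.Enabled) {
            Write-Warning "'$n' is an enabled computer; the account could log on there."
            return $false
        }
    }
    return $true
}

$user = Get-ADUser -Identity $Account -Properties LogonWorkstations

if ([string]::IsNullOrEmpty($user.LogonWorkstations)) {
    # An empty list is the "All computers" setting, so the account is unrestricted.
    if (Test-WorkstationListIsInert -Names @($Placeholder)) {
        Set-ADUser -Identity $Account -LogonWorkstations $Placeholder
    } else {
        throw "Pick a placeholder name that is not an enabled computer account."
    }
}

# Read the value back and audit every entry, including ones set earlier in the GUI.
$user  = Get-ADUser -Identity $Account -Properties LogonWorkstations
$names = @($user.LogonWorkstations -split ',' | Where-Object { $_ })

if ($names.Count -eq 0) {
    Write-Warning "$Account has no workstation restriction."
} elseif (Test-WorkstationListIsInert -Names $names) {
    Write-Output "$Account is limited to: $($names -join ', ') (no enabled computer matches)."
}
```

After applying the restriction, confirm from the third-party system that its LDAP bind and queries still succeed with this account.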
RhoSysAdmin (Author) commented:
Perfectly simple solution.
Question has a verified solution.