
Poll Active Directory user information

Last Modified: 2017-03-17
We are about to deploy a new phone system - Cisco BE6000. The vendor doing the installation indicates that this system can integrate with Active Directory. They are requesting that I create a user within our Active Directory that can poll AD user information, saying the account requires permissions to pull users from AD and for user authentication.

We are currently running with 2 domain controllers, 1 running Server 2012 R2 and the other 2008 R2.
Any assistance to properly create this user account would be appreciated.

Thank you

A lack of information provides a lack of a decent solution.
CERTIFIED EXPERT
Commented:

Author

Commented:
How does this allow for the new account created to pull AD information?
Alex
A lack of information provides a lack of a decent solution.
CERTIFIED EXPERT

Commented:
Because it'll be an Active Directory account with access to the LDAP schema....

All accounts have access to AD, otherwise, how would they authenticate? :D

It's just an account which can pass user credentials from the phone, to AD, to authenticate.
Shaun Vermaak, Senior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
Blocking interactive logons is not an effective mechanism to prevent the abuse of the over-permission given by adding the account to the Domain Admins group.

A standard user account has enough permission to read information from Active Directory.
If they need anything specific, let them provide it in detail and only delegate that permission. Service accounts do not belong in the DA group.
Alex
A lack of information provides a lack of a decent solution.
CERTIFIED EXPERT

Commented:
Which is why I stipulated in my first comment "You could probably get away with a standard user account in domain users"

Author

Commented:
Will not add the account to Domain Admins.
Shaun Vermaak, Senior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
A service account should never be in DA, period.
Pete Long, Technical Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Howay lads, chill out, it's Friday :)

As already posted, a normal domain user should be fine. You should only need to bind to AD to read user attributes, and a normal domain user can do that. You may need to look at the documentation to see if it's binding on TCP 389 (LDAP) or via LDAPS (TCP 636). If it's the latter, just check you have a Kerberos cert on the server (I do something similar here). If it works straight away, then put your feet up and have a brew!

P
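
As an added example (not from any poster in this thread and not from Cisco documentation), the PowerShell below creates the bind account as an ordinary domain user, checks that it has not ended up in a privileged group, and tests the LDAP bind and attribute read described above. The account name, OU, domain and domain controller name are placeholders.

```powershell
# Added example. svc-phone-ldap, the OU, example.local and dc01 are placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$sam    = 'svc-phone-ldap'
$upn    = "$sam@example.local"
$ou     = 'OU=Service Accounts,DC=example,DC=local'
$baseDn = 'DC=example,DC=local'
$server = 'dc01.example.local'
$pw     = Read-Host -AsSecureString "Password for $sam"

# 1. Create an ordinary user. It is a member of Domain Users only; add nothing else.
New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName $upn -Path $ou `
    -AccountPassword $pw -Enabled $true `
    -Description 'Read-only LDAP bind account for phone system directory sync'

# 2. Confirm the account is not privileged, directly or through nested groups.
#    (Enterprise/Schema Admins exist only in the forest root domain.)
$dn = (Get-ADUser $sam).DistinguishedName
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    if ((Get-ADGroupMember -Identity $g -Recursive).DistinguishedName -contains $dn) {
        Write-Warning "$sam is a member of '$g' and should be removed from it"
    }
}
Get-ADPrincipalGroupMembership $sam | Select-Object -ExpandProperty Name  # expect: Domain Users

# 3. Bind as the account and read attributes, as the phone system would.
function Test-LdapBind([string]$Server, [int]$Port, [string]$User,
                       [securestring]$Password, [string]$BaseDn, [string]$Filter) {
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic  # simple bind
    $conn.Credential = New-Object System.Net.NetworkCredential($User, $Password)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Port -eq 636) { $conn.SessionOptions.SecureSocketLayer = $true }    # LDAPS
    try {
        $conn.Bind()   # throws LdapException on bad credentials or TLS failure
        $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        $attrs = [string[]]@('sAMAccountName', 'mail', 'telephoneNumber')
        $req   = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $Filter, $scope, $attrs)
        foreach ($e in $conn.SendRequest($req).Entries) { $e.DistinguishedName }
    } finally { $conn.Dispose() }
}

# Reads the account's own entry; any known user's sAMAccountName works in the filter.
# Port 636 needs a server certificate on the DC. A simple bind on 389 sends the
# password unencrypted, so prefer 636 if the phone system supports it.
Test-LdapBind -Server $server -Port 636 -User $upn -Password $pw `
    -BaseDn $baseDn -Filter "(sAMAccountName=$sam)"
```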

Author

Commented:
Worked perfectly - Thanks
Service accounts should never be in DA.
