Status: Solved

What permission does a user need to view the rootDSE in an AD environment?

We are doing a POC related to the Symantec Compliance security suite. For this, we are going to use a user account to read all the information in AD, but we do not want to give the user ADMINISTRATOR rights. So we spoke with the Symantec team; they said the user does not need Admin rights. The USER NEEDS the right to read the rootDSE information of AD. So what permission does a user need to read the rootDSE in an AD environment? Below is the statement Symantec gave:

"For querying Windows targets, we create domain cache on CCS Manager to store the users, groups, computers and so on, for optimizing data collection. The domain cache can be created by an Active Directory user who is not a domain administrator but has read access over the RootDSE objects of Active Directory."

Asked by Arif Khan

Learnctx (Engineer) commented:
Microsoft has a blog post from the Directory Services team around this here. You can bind anonymously to RootDSE to get the LDAP information for an authenticated LDAP bind.
Arif Khan (System Administrator, Author) commented:
Thank you, but I need...

Requirement: We have created a new Windows Server where the Symantec team will run their software. That software will use the logged-in account to read the information from rootDSE.

The given link does not describe the permission requirement for a user to read the DB. And that process can be run on a DC only, because LDAP is just part of the DC, so when I run the software on another server located in the domain, it will not help me.
Learnctx (Engineer) commented:
Well, you said...

So what permission does a user need to read the rootDSE in an AD environment?

Active Directory permissions by default allow Authenticated Users out of the box to be able to query the directory (return all computers/users/groups/etc.). You do not need any special permissions unless you have modified the defaults.
Arif Khan (System Administrator, Author) commented:
Can you give me any document stating that everyone has the default right to view rootDSE? I need to show this to the Symantec team. The user is a member of Domain Users, we. Nothing was modified after creation.
Kevin Stanush (Application Developer) commented:
I tried to use LDP to view the security descriptor for RootDSE, but it wants a DN, and rootDSE does not really have one. All directory services that support LDAP have to provide a rootDSE 'folder', which is essentially the starting point for knowing how a directory service is configured. Without being able to read it, it's really hard to make an LDAP management tool. So, by default, any authenticated user can read it, as others have pointed out.

That being said, the comments from Symantec don't make much sense, as there are not any domain objects under /rootdse.  You also don't need to be able to read /rootdse to get users, groups, etc.  You do need to read it for other things, and even our software will read it for some actions, but not to get a list of users, etc.

Maybe someone else can determine if /rootdse has a security descriptor, and show you how to display it. I would set up your server and install your Symantec software, as it should work out of the box. If it does not, then they have to provide information on how to configure it.

I also found this article, which states that /rootdse by default allows anonymous connections, which makes some sense. The other containers, such as cn=schema and cn=configuration, allow authenticated access only. But this is a very technical article. I would proceed without worrying about this.
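
The security-descriptor question Kevin raises can be settled from a member server with RSAT installed. rootDSE has no DN, so LDP and Get-Acl have nothing to open, but every naming context that rootDSE lists (domain, configuration, schema) does have an ACL, and the ACEs granted to Authenticated Users, Everyone and Pre-Windows 2000 Compatible Access are what make the directory readable by non-admins. The PowerShell below is an added example, not code from the thread, from Symantec or from any poster; it assumes the ActiveDirectory module is present and that you run it as the restricted account. It only reads ACLs and the dsHeuristics attribute and changes nothing. Domain names in the output will be whatever your forest returns.

```powershell
# Added example (not from the thread): inspect the default read permissions on each
# naming context and whether anonymous LDAP access beyond rootDSE has been enabled.
# Requires RSAT (ActiveDirectory module). Read-only; run as the restricted user.
Import-Module ActiveDirectory

$root = Get-ADRootDSE
# rootDSE itself has no distinguishedName, so there is no object to hand to LDP or
# Get-Acl. What it does give us is the list of naming contexts, which do have ACLs.
"Naming contexts published by rootDSE: $($root.namingContexts -join '; ')"

# The principals that give ordinary domain members read access by default.
$defaultReaders = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\Pre-Windows 2000 Compatible Access'
)

function Get-DefaultReaderAces {
    # Returns the ACEs on one object that are granted to the default reader principals.
    param([Parameter(Mandatory)][string]$Dn)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.Access |
        Where-Object { $defaultReaders -contains $_.IdentityReference.Value } |
        Select-Object @{ n = 'Object';   e = { $Dn } },
                      IdentityReference,
                      ActiveDirectoryRights,
                      AccessControlType,
                      @{ n = 'Applies'; e = {
                          # Empty ObjectType GUID = the ACE covers the whole object,
                          # otherwise it is limited to one attribute/property set/class.
                          if ($_.ObjectType -eq [guid]::Empty) { 'all attributes' } else { $_.ObjectType }
                      } },
                      IsInherited
}

# Dump the default-reader ACEs on every naming context head (domain, config, schema).
$root.namingContexts |
    ForEach-Object { Get-DefaultReaderAces -Dn $_ } |
    Format-Table -AutoSize

# Anonymous LDAP operations beyond rootDSE are controlled by character 7 of the
# dsHeuristics attribute on the Directory Service object: unset or '0' means only
# rootDSE is readable anonymously (the default), '2' allows anonymous operations.
$dsSvcDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)"
$dsSvc   = Get-ADObject -Identity $dsSvcDn -Properties dsHeuristics
$h       = [string]$dsSvc.dsHeuristics
$anonymousBeyondRootDse = ($h.Length -ge 7 -and $h[6] -eq '2')
"dsHeuristics = '$h'; anonymous LDAP operations beyond rootDSE enabled: $anonymousBeyondRootDse"
```

If the table shows Authenticated Users (directly or via Pre-Windows 2000 Compatible Access) with Read/ListChildren/ReadProperty rights on the domain head and the dsHeuristics check reports False, the forest is at the defaults the other answers describe and the restricted account needs nothing further.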
 
McKnife commented:
Please test as follows:
Install RSAT on a VM. Log on as the restricted user and add ADUC (the Active Directory Users and Computers snap-in) to an MMC. Look at what you see; it will convince you that the user is (by default) able to see all AD objects that matter for this purpose.

So I wonder if there is any need for action and what makes you think there is.
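
The same check Learnctx and McKnife describe can also be done without RSAT or a GUI, from any domain-joined member server rather than a DC, which is the point the author was unsure about. The script below is an added example and is not code from the thread or from Symantec: it binds anonymously and reads rootDSE, then binds as the logged-on (restricted) user with Negotiate and counts users, groups and computers under the default naming context. The only assumption is the server name placeholder; everything else is the stock .NET System.DirectoryServices.Protocols assembly that ships with Windows.

```powershell
# Added example (not from the thread). Run on a domain-joined member server while
# logged on as the restricted account the Symantec software will use. No RSAT needed.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Placeholder: a DC's FQDN, or just the domain DNS name (the locator picks a DC).
$Server = 'dc01.corp.example'

function New-LdapConnection {
    # Opens an LDAP v3 connection, either anonymous or as the logged-on user.
    param([Parameter(Mandatory)][string]$Server, [switch]$Anonymous)
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 389)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Anonymous) {
        # No credential at all: this is the bind rootDSE is readable with by default.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    } else {
        # Negotiate (Kerberos/NTLM) using the current user's own logon token.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    }
    $conn.Bind()
    return $conn
}

function Get-RootDse {
    # rootDSE is a base-scope search against the empty DN; it has no DN of its own.
    param([Parameter(Mandatory)]$Conn)
    $attrs = [string[]]('defaultNamingContext', 'namingContexts', 'supportedLDAPVersion', 'dnsHostName')
    $req   = [System.DirectoryServices.Protocols.SearchRequest]::new(
                 '', '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, $attrs)
    return $Conn.SendRequest($req).Entries[0]
}

function Get-ObjectCount {
    # Paged subtree search; attribute '1.1' asks for no attributes, only the count matters.
    param([Parameter(Mandatory)]$Conn, [Parameter(Mandatory)][string]$BaseDn, [Parameter(Mandatory)][string]$Filter)
    $count = 0
    $page  = [System.DirectoryServices.Protocols.PageResultRequestControl]::new(500)
    do {
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
                   $BaseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]'1.1')
        [void]$req.Controls.Add($page)
        $resp   = $Conn.SendRequest($req)
        $count += $resp.Entries.Count
        $pageResp = $resp.Controls |
            Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
        $page.Cookie = $pageResp.Cookie     # empty cookie = last page
    } while ($page.Cookie.Length -gt 0)
    return $count
}

# 1. Anonymous bind: rootDSE is readable without any credential.
$anon = New-LdapConnection -Server $Server -Anonymous
$root = Get-RootDse -Conn $anon
$defaultNc = [string]$root.Attributes['defaultNamingContext'][0]
"rootDSE (anonymous) dnsHostName          : $([string]$root.Attributes['dnsHostName'][0])"
"rootDSE (anonymous) defaultNamingContext : $defaultNc"
"rootDSE (anonymous) supportedLDAPVersion : $($root.Attributes['supportedLDAPVersion'].GetValues([string]) -join ',')"
$anon.Dispose()

# 2. Authenticated bind as the restricted logged-on user: with default ACLs any
#    Authenticated User can enumerate the directory's users, groups and computers.
$auth = New-LdapConnection -Server $Server
"users     : $(Get-ObjectCount -Conn $auth -BaseDn $defaultNc -Filter '(&(objectCategory=person)(objectClass=user))')"
"groups    : $(Get-ObjectCount -Conn $auth -BaseDn $defaultNc -Filter '(objectClass=group)')"
"computers : $(Get-ObjectCount -Conn $auth -BaseDn $defaultNc -Filter '(objectClass=computer)')"
$auth.Dispose()
```

Non-zero counts under the authenticated bind from a non-DC are the evidence the author wanted to show Symantec: the restricted account reads rootDSE and the domain partition with nothing beyond its Domain Users membership. If the anonymous step fails with a bind or search error while the authenticated step works, the forest's anonymous access has been tightened beyond the defaults, which is a configuration fact worth recording rather than a permissions problem for this account.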