What permission does a user need to view the rootDSE in an AD environment?

We are doing a POC related to the Symantec Compliance security suite. For this, we are going to use a user account to read all the information in AD, but we do not want to give the user ADMINISTRATOR rights. So we spoke with the Symantec team; they said the user does not need Admin rights, the USER NEEDS the right to read the rootDSE information of AD. So what permission does a user need to read the rootDSE in an AD environment? Below is the statement from Symantec:

"For querying Windows targets, we create domain cache on CCS Manager to store the users, groups, computers and so on, for optimizing data collection. The domain cache can be created by an Active Directory user who is not a domain administrator but has read access over the RootDSE objects of Active Directory."
Asked by Arif Khan, System Administrator:

Learnctx, Engineer, commented:
Microsoft have a blog post from the Directory Services team around this here. You can bind anonymously to RootDSE to get the LDAP information for an authenticated LDAP bind.
0
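As an added example (not code from the thread, from Microsoft or from Symantec), here is the RootDSE read described above done from a domain-joined Windows box in PowerShell: first with the logged-on account, then with an explicit anonymous bind to confirm that RootDSE answers without credentials. The DC hostname is a placeholder.

```powershell
# Added example (not from the original thread). RootDSE has no DN; binding to
# LDAP://<dc>/RootDSE returns the server's root object with its naming contexts.
$dc = 'dc01.example.com'   # placeholder: replace with a domain controller in your domain

# 1) Read RootDSE with the currently logged-on account (the Symantec software's scenario).
$rootDse = [ADSI]"LDAP://$dc/RootDSE"
'defaultNamingContext','configurationNamingContext','schemaNamingContext',
'rootDomainNamingContext','dnsHostName','supportedLDAPVersion','domainFunctionality' |
    ForEach-Object { '{0,-28} {1}' -f $_, ($rootDse.Properties[$_] -join ', ') }

# 2) Repeat the read with an explicit anonymous bind. By default AD allows this for
#    RootDSE only; the naming contexts themselves require an authenticated bind.
Add-Type -AssemblyName System.DirectoryServices
$anon = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$dc/RootDSE", $null, $null,
    [System.DirectoryServices.AuthenticationTypes]::Anonymous)
try {
    $anon.RefreshCache()
    'Anonymous read of RootDSE succeeded; namingContexts:'
    $anon.Properties['namingContexts'] | ForEach-Object { "  $_" }
} catch {
    "Anonymous read of RootDSE failed: $($_.Exception.Message)"
}
```

If the RSAT Active Directory module is installed, `Get-ADRootDSE -Server $dc` returns the same attributes as step 1 in one call. If step 2 fails while step 1 succeeds, anonymous access has been restricted on that DC, which does not affect the authenticated account the software will use.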
Arif Khan, System Administrator (Author), commented:
Thank you, but I need...

Requirement --> We have created a new Windows Server where the Symantec team will run their software. That software will use the logged-in account to read the information of rootDSE.

The given link does not describe the permission requirement for a user to read the DB. And that process can be run on a DC only, because LDAP is just part of the DC, so when I run the software on another server located in the domain, it will not help me.
0
Learnctx, Engineer, commented:
Well, you said...

So What permission a user need to read the rootDSE in AD environment.

Active Directory permissions by default allow Authenticated Users out of the box to be able to query the directory (return all computers/users/groups/etc.). You do not need any special permissions unless you have modified the defaults.
0


Arif Khan, System Administrator (Author), commented:
Can you give me any document stating that everyone has the default right to view rootDSE? I need to show this to the Symantec team. The user is a member of Domain Users. Nothing was modified after creation.
0
Kevin Stanush, Application Developer, commented:
I tried to use LDP to view the security descriptor for RootDSE, but it wants a DN, and rootDSE does not really have one.  All directory services that support LDAP have to provide a rootDSE 'folder' which essentially is the starting point for knowing how a directory service is configured.  Without being able to read it, it's really hard to make an LDAP management tool.  So, by default, any authenticated user can read it, as others have pointed out.

That being said, the comments from Symantec don't make much sense, as there are not any domain objects under /rootdse.  You also don't need to be able to read /rootdse to get users, groups, etc.  You do need to read it for other things, and even our software will read it for some actions, but not to get a list of users, etc.

Maybe someone else can determine if /rootdse has a security descriptor, and show you how to display it.  I would set up your server and install your Symantec software, as it should work out of the box.  If it does not, then they have to provide information on how to configure it.

I also found this article which states that /rootdse by default allows anonymous connections, which makes some sense.  The other containers, such as cn=schema and cn=configuration allow authenticated only.  But this is a very technical article.  I would proceed without worrying about this.
0
McKnife commented:
Please test as follows:
Install RSAT on a VM. Log on as a restricted user and add ADUC (the Active Directory Users and Computers snap-in) to an MMC. Look at what you see; it will convince you that the user is (by default) able to see all AD objects that will matter for this purpose.

So I wonder if there is any need for action and what makes you think there is.
1
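The ADUC test above, and Learnctx's earlier point that Authenticated Users can query the directory out of the box, can be scripted from a PowerShell session started as the non-admin account the software will use (a separate logon or runas, so no credentials need to be stored in the script). This is an added example, not code from the thread or from Symantec; the DC hostname is a placeholder, and the script assumes it is run as a domain account.

```powershell
# Added example (not from the original thread). Run in a PowerShell session logged on
# as the ordinary domain user the Symantec software will use; nothing here stores credentials.
$dc = 'dc01.example.com'   # placeholder: a domain controller in your domain

# 1) Show which account this is and that it is NOT a domain admin.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $id.User.AccountDomainSid
$daSid     = New-Object System.Security.Principal.SecurityIdentifier(
                 [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, $domainSid)
$authUsers = New-Object System.Security.Principal.SecurityIdentifier(
                 [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
"Running as        : $($id.Name)"
"Domain Admins     : $($id.Groups.Contains($daSid))"
"Authenticated User: $($id.Groups.Contains($authUsers))"

# 2) Read RootDSE to discover the domain naming context (RootDSE itself needs no DN).
$rootDse   = [ADSI]"LDAP://$dc/RootDSE"
$defaultNc = $rootDse.Properties['defaultNamingContext'][0]
"Default NC        : $defaultNc"

# 3) Count the objects this account can enumerate; with default AD permissions
#    Authenticated Users can list all users, groups and computers in the domain.
$base    = [ADSI]"LDAP://$dc/$defaultNc"
$filters = [ordered]@{
    users     = '(&(objectCategory=person)(objectClass=user))'
    groups    = '(objectCategory=group)'
    computers = '(objectCategory=computer)'
}
foreach ($kind in $filters.Keys) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $filters[$kind])
    $searcher.PageSize = 1000                     # paged results, so large domains return everything
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $results = $searcher.FindAll()
    '{0,-10}: {1} readable' -f $kind, $results.Count
    $results.Dispose()
}
```

Compare the counts with what ADUC shows when you are logged on as an administrator. Matching counts confirm the default permissions are in place; noticeably lower counts mean someone has removed the default read or List Contents rights on part of the tree, which is the "unless you have modified the defaults" case Learnctx mentions, and the specific OUs would then need a read-only ACE for the account.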