Least privileges for LDAP Query

Hi,
What is the least privilege for an account to perform LDAP queries in my Windows 2008 AD DC? Currently the ID has local admin rights. I would like to assign only the very least privileges required to the account to do LDAP queries, if possible.
Seculist2018 asked:
Joseph Hornsey, President and Janitor, commented:
Pretty much any user account can query AD.  The "Authenticated Users" group has "Read" permissions.
2

Seculist2018 (Author) commented:
Hi, Thanks for your response.

We have a wireless controller and firewalls; those devices are required to do LDAP for Windows domain authentication, and they use an AD account, but the account is in the local admin group of the DC. If I remove the account from the local admin group, will LDAP still work, and will there be any impact? I believe we tried the same in the past but it did not work well though.
0
Joseph Hornsey, President and Janitor, commented:
We're doing something similar where our Anti-Spam service does an LDAP query through our firewall to see if recipient addresses are valid.  For those, it's just a simple user account we set up.

Easiest thing to do is test it after hours and see what happens.  ;)
0
Derek Souter, ITO Svc Delivery Cons III, commented:
As Joseph Hornsey has already said, any standard AD account can query AD. I am worried by your comment "the account is in local admin group of the DC". A Domain Controller does not have a local admin group. Can you explain what you mean?
0
Seculist2018 (Author) commented:
Hi, the DC too has an inbuilt Administrators group locally. I meant that group.
0
arnold commented:
You do not want to use an administrative account.
The DCs do not have "local" groups.

Create a new restricted user and test its use from the device. Often there are testing tools included so that you can troubleshoot without impacting production.

You are vague on what you are using, which makes it hard to provide an example of what you can do to test whether a new check_it_out user with check_password can list data from an LDAP query against your DC.
0
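The restricted-user test arnold describes, as an added PowerShell example that is not part of the thread: create a plain domain user, confirm it sits in no privileged group, then bind and search LDAP as that user the way the firewall or wireless controller would. The account name, the OU and the presence of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and a
# session that is allowed to create users. Account name and OU are placeholders.
Import-Module ActiveDirectory

$Domain  = Get-ADDomain
$BaseDN  = $Domain.DistinguishedName
$OuDN    = "OU=Service Accounts,$BaseDN"     # placeholder OU; must already exist
$SamName = "svc-ldap-lookup"                  # placeholder account name

# Prompt once for the new account's password; the same credential is reused for the bind test.
$Cred = Get-Credential "$($Domain.NetBIOSName)\$SamName"

# 1. Create the account as a plain domain user. No extra rights are needed:
#    Authenticated Users already has Read on the directory, which is all an LDAP lookup uses.
New-ADUser -Name $SamName -SamAccountName $SamName -Path $OuDN `
    -AccountPassword $Cred.Password -Enabled $true -CannotChangePassword $true `
    -Description "Read-only LDAP lookup account for firewall / wireless controller"

# 2. Verify the account is not in any privileged group. A fresh user should only
#    appear in Domain Users (its primary group).
$Privileged = 'Administrators','Domain Admins','Enterprise Admins','Schema Admins',
              'Account Operators','Server Operators','Backup Operators','Print Operators'
$Groups = Get-ADPrincipalGroupMembership -Identity $SamName | Select-Object -ExpandProperty Name
$Bad = $Groups | Where-Object { $Privileged -contains $_ }
if ($Bad) { throw "$SamName is a member of privileged group(s): $($Bad -join ', ')" }

# 3. Bind and search as that user against the DC, as the network device would do.
$Plain = $Cred.GetNetworkCredential().Password
$Root  = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$($Domain.PDCEmulator)/$BaseDN", $Cred.UserName, $Plain
$Searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $Root
$Searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SamName))"
[void]$Searcher.PropertiesToLoad.Add('distinguishedName')
$Result = $Searcher.FindOne()      # throws if the bind fails (bad password, disabled account)
if ($null -eq $Result) { throw "Bind succeeded as $SamName but the search returned nothing" }
"LDAP bind and search OK as $SamName : $($Result.Properties['distinguishedname'][0])"
```

If step 3 succeeds, the device can be pointed at this account and the old one removed from the Administrators group; if the device then fails, the problem is its configuration, not missing rights.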
Seculist2018 (Author) commented:
Hi, OK. Will try with a domain user and get back with the results in due course.
0
arnold commented:
Depends on what you are using and capabilities, setting up an NPS (radius) would have a lower... ...
0
Derek Souter, ITO Svc Delivery Cons III, commented:
So you have added a user account to the "inbuilt administrators" group on a Domain Controller - yeah, no, that is a bad idea.
0
Derek Souter, ITO Svc Delivery Cons III, commented:
BTW - my initial reaction to your comment that you had added a user to the "Inbuilt Administrators" group on a Domain Controller was more along the lines of "WTF!!!!! - NO, NO, NO, NO!!!! - step away from the computer now!" This is such a bad idea that I have literally only ever seen it done once in the last 18 years - and that was accidentally, using a group policy that should never have been applied to servers.
0
Naveen Sharma commented:
Min Security Rights to Preform LDAP Queries in Active Directory:
https://stackoverflow.com/questions/823184/min-security-rights-to-preform-ldap-queries-in-active-directory

Keeping your Active Directory secure when delegating privileges to users:
https://www.lepide.com/blog/keeping-your-active-directory-secure-when-delegating-privileges-to-users/
0
Shaun Vermaak, Technical Specialist, commented:
That is a very bad idea indeed... That gives more than enough permission to extract all your password hashes and crack them offline.
https://www.experts-exchange.com/articles/29569/How-to-extract-hashes-from-IFM-backup.html
0
Joseph Hornsey, President and Janitor, commented:
Question answered satisfactorily
0