Least privileges for LDAP Query

Hi,
What is the least privilege for an account to perform LDAP queries against my Windows 2008 AD DC? Currently the ID has local admin rights. I would like to assign only the very least privileges required for the account to do LDAP queries, if possible.
Seculist2018 asked:

Joseph Hornsey (President and Janitor) commented:
Pretty much any user account can query AD.  The "Authenticated Users" group has "Read" permissions.

Seculist2018 (Author) commented:
Hi, Thanks for your response.

We have a wireless controller and firewalls; those devices are required to do LDAP for Windows domain authentication and they use an AD account, but the account is in the local admin group of the DC. If I remove the account from the local admin group, will LDAP still work? Will there be any impact? I believe we tried the same in the past but it did not work well.

Joseph Hornsey (President and Janitor) commented:
We're doing something similar where our Anti-Spam service does an LDAP query through our firewall to see if recipient addresses are valid.  For those, it's just a simple user account we set up.

Easiest thing to do is test it after hours and see what happens.  ;)

Derek Souter (ITO Svc Delivery Cons III) commented:
As Joseph Hornsey has already said, any standard AD account can query AD. I am worried by your comment "the account is in local admin group of the DC". A Domain Controller does not have a local admin group. Can you explain what you mean?

Seculist2018 (Author) commented:
Hi, the DC too has an inbuilt Administrators group locally. I meant that group.

arnold commented:
You do not want to use an administrative account.
The DCs do not have "local" groups.

Create a new restricted user and test its use from the device. Often there are testing tools included so that you can troubleshoot without impacting production.

You are vague on what you are using, which makes it hard to provide an example of what you can do to test whether a new check_it_out user with check_password can list data from an LDAP query against your DC.

Seculist2018 (Author) commented:
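The procedure arnold describes (create a plain domain user, then test it from the device side) can be rehearsed from a management host before touching the controller or firewall configuration. The following PowerShell is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later), the .NET System.DirectoryServices.Protocols assembly, and placeholder names (corp.example.com, dc01, OU=ServiceAccounts, svc-ldap-ro) that you replace with your own. The bind and search are what a wireless controller or firewall does when it looks a user up, so if this succeeds with the plain account, the device has everything it needs.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and
# placeholder names for the domain, OU, DC and the new read-only bind account.
Import-Module ActiveDirectory

$domainDns   = 'corp.example.com'                              # placeholder domain
$baseDn      = 'DC=corp,DC=example,DC=com'                     # placeholder base DN
$svcOu       = 'OU=ServiceAccounts,DC=corp,DC=example,DC=com'  # placeholder OU
$svcSam      = 'svc-ldap-ro'                                   # hypothetical account name
$svcPassword = Read-Host -AsSecureString 'Password for the new LDAP read-only account'

# 1. Create a plain domain user. It lands in Domain Users only, which is all that
#    "Authenticated Users" read access on the directory requires.
New-ADUser -Name $svcSam -SamAccountName $svcSam `
    -UserPrincipalName "$svcSam@$domainDns" -Path $svcOu `
    -AccountPassword $svcPassword -Enabled $true `
    -CannotChangePassword $true -PasswordNeverExpires $true `
    -Description 'LDAP bind account for wireless controller / firewall (read only)'

# 2. Bind and search with that account the way the device would.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapReadOnlyBind {
    param(
        [string]$Server,                                  # DC host name
        [string]$BaseDn,
        [string]$BindUser,                                # user@domain or DOMAIN\user
        [System.Security.SecureString]$BindPassword,
        [string]$Filter = '(&(objectClass=user)(sAMAccountName=*))'
    )
    $cred = New-Object System.Net.NetworkCredential -ArgumentList $BindUser, $BindPassword
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $Server
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true   # signed/sealed SASL bind, not a clear-text simple bind
    $conn.SessionOptions.Sealing = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Credential = $cred
    $conn.Bind()                           # throws on bad credentials, disabled or locked account

    # Read-only search: the attributes a device typically asks for during authentication.
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList `
        $BaseDn, $Filter,
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        @('sAMAccountName', 'memberOf')
    # Without paging AD returns at most its MaxPageSize (1000 by default); enough for a bind test.
    $resp = $conn.SendRequest($req)
    $conn.Dispose()
    return $resp.Entries.Count
}

$count = Test-LdapReadOnlyBind -Server "dc01.$domainDns" -BaseDn $baseDn `
    -BindUser "$svcSam@$domainDns" -BindPassword $svcPassword
"Bound as $svcSam and read $count user objects with a plain domain account"
```

If the bind fails with the plain account while it works with the old administrative one, the difference is almost never directory permissions: check the bind DN or UPN format the device expects, whether the device requires LDAPS or simple bind (which then needs TLS), and the DC's Security event log for the failure reason before granting anything extra.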
Hi, OK. Will try with a domain user and get back with the results in due course.

arnold commented:
Depends on what you are using and capabilities, setting up an NPS (radius) would have a lower... ...

Derek Souter (ITO Svc Delivery Cons III) commented:
So you have added a user account to the "inbuilt Administrators" group on a Domain Controller. Yeah, no, that is a bad idea.

Derek Souter (ITO Svc Delivery Cons III) commented:
BTW, my initial reaction to your comment that you had added a user to the "inbuilt Administrators" group on a Domain Controller was more along the lines of "WTF!!!!! NO, NO, NO, NO!!!! Step away from the computer now!" This is such a bad idea that I have literally only ever seen it done once in the last 18 years, and that was accidentally, using a group policy that should never have been applied to servers.

Naveen Sharma commented:
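Derek's point is that membership in the DC's Builtin\Administrators group is domain-level administrative access, and it is often granted indirectly through a nested group. The following PowerShell is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module and a hypothetical account name (svc-ldap-ro) standing in for the device's bind account. It finds which protected groups the account belongs to (directly or via nesting), removes the direct memberships, and then clears the adminCount marker that AdminSDHolder leaves behind, because without that step the account keeps the protected ACL and inheritance stays disabled even after it has left the group.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and a
# hypothetical bind account name; set $svcSam to the account the device actually uses.
Import-Module ActiveDirectory

$svcSam = 'svc-ldap-ro'   # hypothetical account used by the wireless controller / firewall

# Groups whose membership grants far more than LDAP read on a domain controller.
# 'Administrators' is the Builtin group the question calls "inbuilt Administrators".
$privilegedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
)

function Get-PrivilegedMembership {
    param([string]$SamAccountName, [string[]]$Groups)
    $user = Get-ADUser -Identity $SamAccountName
    foreach ($g in $Groups) {
        # -Recursive catches membership through nested groups, which is how this
        # usually happens unnoticed (e.g. a "Service Accounts" group nested in Administrators).
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.distinguishedName -eq $user.DistinguishedName }) {
            [pscustomobject]@{ Account = $SamAccountName; PrivilegedGroup = $g }
        }
    }
}

$hits = Get-PrivilegedMembership -SamAccountName $svcSam -Groups $privilegedGroups
$hits | Format-Table -AutoSize

# Remove only direct memberships; a nested membership has to be fixed at the nesting group.
foreach ($h in $hits) {
    $direct = Get-ADGroupMember -Identity $h.PrivilegedGroup |
        Where-Object { $_.SamAccountName -eq $svcSam }
    if ($direct) {
        Remove-ADGroupMember -Identity $h.PrivilegedGroup -Members $svcSam -Confirm:$false
    }
}

# AdminSDHolder stamps adminCount=1 and disables ACL inheritance on members of protected
# groups and does not undo it on removal; clear both so the account is an ordinary user again.
$u = Get-ADUser -Identity $svcSam -Properties adminCount
if ($u.adminCount -eq 1) {
    Set-ADUser -Identity $svcSam -Clear adminCount
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    $acl.SetAccessRuleProtection($false, $true)   # re-enable inheritance from the OU
    Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
}

# What remains should be Domain Users only.
Get-ADPrincipalGroupMembership -Identity $svcSam | Select-Object -ExpandProperty Name
```

Run the audit part on its own first; the same function is a cheap periodic check for any service account, since the usual way such an account ends up in Administrators is a nested group or a group policy, as Derek describes, rather than a deliberate decision.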
Min Security Rights to Preform LDAP Queries in Active Directory:
https://stackoverflow.com/questions/823184/min-security-rights-to-preform-ldap-queries-in-active-directory

Keeping your Active Directory secure when delegating privileges to users:
https://www.lepide.com/blog/keeping-your-active-directory-secure-when-delegating-privileges-to-users/

Shaun Vermaak (Technical Specialist/Developer) commented:
That is a very bad idea indeed... That gives more than enough permission to extract all your password hashes and crack them offline.
https://www.experts-exchange.com/articles/29569/How-to-extract-hashes-from-IFM-backup.html

Joseph Hornsey (President and Janitor) commented:
Question answered satisfactorily.