Jody Davis asked:

Need help to delegate minimal LDAP permissions without full Domain Admin

Need to know how to delegate the following permissions to an Active Directory user object to provide LDAP queries for a software product without needing full Domain Admin rights. The vendor stated the user object only needs "querying groups and perform searches on behalf of other users" permissions - but I can't find online how to delegate that permission. Please advise. Thanks.
Shaun Vermaak

That is just a normal user.

If they need admin on servers and workstations in addition to this, see this article
https://www.experts-exchange.com/articles/29596/Securing-Active-Directory-Administrators-Groups.html
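An added example, not part of the original thread: a PowerShell check that an LDAP bind account is an ordinary user with no privileged group membership, and that it can still run the two kinds of search the vendor described. The account name, test user and domain controller name are placeholders (assumptions), and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example. All names below are placeholders, not values from the thread.
Import-Module ActiveDirectory

$BindAccount = 'svc-ldap-bind'       # placeholder: the application's bind account
$TestUser    = 'jdoe'                # placeholder: a user the application will look up
$Server      = 'dc01.example.com'    # placeholder: a domain controller

# 1. Confirm the bind account holds no privileged membership, direct or nested.
#    The matching-rule OID 1.2.840.113556.1.4.1941 walks the member chain.
#    The primary group (normally Domain Users) is not returned by this filter.
$privileged = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
              'Account Operators','Server Operators','Backup Operators'
$user   = Get-ADUser -Identity $BindAccount -Server $Server
$chain  = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$groups = Get-ADGroup -Server $Server -LDAPFilter $chain
$hits   = @($groups | Where-Object { $privileged -contains $_.Name })
if ($hits.Count -gt 0) {
    Write-Warning "$BindAccount is privileged via: $($hits.Name -join ', ')"
}

# 2. Bind over LDAP as that account and run both searches:
#    enumerate groups, and read another user's group membership.
$cred = Get-Credential -Message "Enter DOMAIN\$BindAccount and its password"
$root = [System.DirectoryServices.DirectoryEntry]::new(
            "LDAP://$Server", $cred.UserName, $cred.GetNetworkCredential().Password)

function Invoke-LdapSearch([string]$Filter, [string[]]$Properties) {
    $s = [System.DirectoryServices.DirectorySearcher]::new($root)
    $s.Filter    = $Filter
    $s.SizeLimit = 5                 # a handful of results is enough for the check
    $Properties | ForEach-Object { [void]$s.PropertiesToLoad.Add($_) }
    try   { $s.FindAll() }
    catch { Write-Warning "Search failed for $Filter : $($_.Exception.Message)" }
}

$groupHits = @(Invoke-LdapSearch '(objectCategory=group)' 'cn')
$userHits  = @(Invoke-LdapSearch "(&(objectCategory=person)(sAMAccountName=$TestUser))" 'memberOf')

# 3. Summary: an unprivileged account for which both searches succeed.
[pscustomobject]@{
    BindAccount      = $BindAccount
    PrivilegedGroups = $hits.Name -join ', '
    GroupsReadable   = $groupHits.Count -gt 0
    UserLookupWorks  = $userHits.Count -gt 0
}
```

An empty `PrivilegedGroups` with both search flags `True` means the account can serve the application's lookups as a plain domain user.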
Jody Davis (ASKER)

I'll check that URL out. Thanks.
This is in reference to applications needing Active Directory LDAP (EMC SAN needing AD auth/LDAP to authenticate admins, other apps needing LDAP ability that I don't want domain admin for) - not giving rights to specific local admin for servers or workstations (although this method can be handy when looking at other requirements).

The engineer that was implementing our SAN LDAP stated "querying groups and perform searches on behalf of other users" were needed above a regular domain user account. Need to know (I assume using the AD delegation wizard?) how to assign specific rights needed to assign a domain user account to achieve LDAP ability (against domain controllers) without domain admin perms. Thanks!
ASKER CERTIFIED SOLUTION
Shaun Vermaak

This solution is only available to members.