
Allow app as user at child root read-only to all child AD objects

Newsgroup: microsoft.public.windows.server.security
Posted by jremmc on August 9, 2006, 9:22 pm
A new version of an application we use can LDAP query AD to use AD to
authenticate user logons. But it needs a user account at the root of our
child domain (we have an empty root domain) with read-only access to the
entire child level -- the app would use this account to search AD. (The old
version maintained its own database)

Is this ok security-wise?

Thanks,
jremmc




Posted by Joe Richards [MVP] on August 9, 2006, 10:55 pm
Any normal userid in any domain of the forest by default can search all
userids of AD. The viewability of various attributes will depend
specifically on your current security configuration.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


jremmc wrote:
> A new version of an application we use can LDAP query AD to use AD to
> authenticate user logons. But it needs a user account at the root of our
> child domain (we have an empty root domain) with read-only access to the
> entire child level -- the app would use this account to search AD. (The old
> version maintained its own database)
>
> Is this ok security-wise?
>
> Thanks,
> jremmc
>
>
>
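As an added example (not part of the thread, and not code either poster supplied), the following PowerShell script turns Joe's answer into a check the app admin can run before the account goes live: it binds to the child domain as the proposed read-only account, runs the same subtree user search the application will run, and reports which attributes that account can actually read. Running it a second time as an ordinary domain user shows whether the app account has been granted anything beyond the forest-wide default read. The domain DN, the account name and the attribute list are assumed placeholders, not values from the thread.

```powershell
# Added example, not from the thread. Binds to the child domain as the proposed
# application account and reports which user attributes it can actually read.
# Placeholders below (domain DN, account name) are assumed, not from the thread.

param(
    [string]$ChildDomainDn  = "DC=child,DC=corp,DC=example",   # assumed child domain
    [string]$ServiceAccount = "CHILD\svc-ldap-app",            # assumed app account
    [string[]]$AttributesToCheck = @(
        "sAMAccountName", "userPrincipalName", "mail", "memberOf",
        "userAccountControl", "pwdLastSet",
        "unicodePwd",             # never readable over LDAP; proves the check works
        "msDS-KeyCredentialLink"  # sensitive; should not be readable by a plain account
    )
)

Add-Type -AssemblyName System.DirectoryServices

$cred  = Get-Credential -UserName $ServiceAccount -Message "Bind as the app account"
$entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$ChildDomainDn",
    $cred.UserName,
    $cred.GetNetworkCredential().Password,
    ([System.DirectoryServices.AuthenticationTypes]::Secure -bor
     [System.DirectoryServices.AuthenticationTypes]::Sealing))

# 1. Confirm the bind works and record which groups the account belongs to;
#    a read-only search account should be a plain user with no privileged groups.
$self   = New-Object System.DirectoryServices.DirectorySearcher($entry)
$self.Filter = "(sAMAccountName=$($cred.UserName.Split('\')[-1]))"
$me = $self.FindOne()
if (-not $me) { throw "Could not locate $ServiceAccount under $ChildDomainDn" }
"Bound as:     $($me.Properties['distinguishedname'][0])"
"Member of:    $(($me.Properties['memberof'] | Out-String).Trim())"

# 2. The same subtree search over user objects that the application will issue.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
$searcher.Filter      = "(&(objectCategory=person)(objectClass=user))"
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 500
[void]$searcher.PropertiesToLoad.AddRange($AttributesToCheck)

$users = $searcher.FindAll()
"Users visible to $ServiceAccount : $($users.Count)"

# 3. Count, per requested attribute, how many returned objects exposed it.
#    AD silently omits attributes the caller lacks read rights to, so a count
#    of 0 means "not readable" (or unset everywhere). Compare the table with a
#    run as an ordinary domain user: identical counts mean the app account has
#    only the default read access Joe describes.
$seen = @{}
foreach ($a in $AttributesToCheck) { $seen[$a.ToLower()] = 0 }
foreach ($r in $users) {
    foreach ($name in $r.Properties.PropertyNames) {   # names come back lowercase
        if ($seen.ContainsKey($name)) { $seen[$name]++ }
    }
}
$seen.GetEnumerator() | Sort-Object Name |
    ForEach-Object { "{0,-26} readable on {1,6} objects" -f $_.Name, $_.Value }

$users.Dispose()
$entry.Dispose()
```

Run it twice, once with the application account and once with a throwaway ordinary user in the child domain; the second run is the baseline Joe refers to, and any attribute the app account can read that the baseline cannot is a grant that should be justified by the application's documented needs.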

Posted by Microsoft Newsgroups on August 10, 2006, 12:08 pm
Hi Joe,

Thanks. Will forward your info to app admin.

jremmc

> Any normal userid in any domain of the forest by default can search all
> userids of AD. The viewability of various attributes will depend
> specifically on your current security configuration.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> Author of O'Reilly Active Directory Third Edition
> www.joeware.net
>
>
> ---O'Reilly Active Directory Third Edition now available---
>
> http://www.joeware.net/win/ad3e.htm
>
>
> jremmc wrote:
>> A new version of an application we use can LDAP query AD to use AD to
>> authenticate user logons. But it needs a user account at the root of our
>> child domain (we have an empty root domain) with read-only access to the
>> entire child level -- the app would use this account to search AD. (The
>> old version maintained its own database)
>>
>> Is this ok security-wise?
>>
>> Thanks,
>> jremmc
>>
>>

