Posted by Roger Abell [MVP] on May 24, 2008, 3:56 am
> Not sure if this belongs here but this is the question. We have a device
> which we would like to do an LDAP lookup against our 2003 AD. Now this is
> the twist...is it possible to base the account that this is done on a
> security group versus a specific account? Essentially looking for a way
> that only the persons within that group can execute this LDAP but not have
> it based only on one ID.
>
> Thanks!!

Well, I am not quite sure I am guessing what you ask by saying
"is it possible to base the account that this is done on a security group".
Does that mean: can we limit the account(s) doing the LDAP query to
members of a security group?

In general, any forest account can use LDAP to query just about anything.
You can limit what account(s) can execute some app/script your dev
comes up with, sure, and by groups too. But that does not mean that
only those accounts are able to run the query used in the app/script.

To control what accounts can get results for some specific LDAP query
you would have to control what accounts can read the AD objects/attributes
in AD via their permissions - something you should only do with awareness
of possible implications.

Roger
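
Before changing read permissions as described in the reply above, it helps to see which trustees can currently read the container the query targets. The script below is an added example, not part of the original post; the distinguished name is a placeholder, and the trustee names in the broad-group list assume an English-language domain.

```powershell
# Added example: list the trustees whose ACEs grant or deny read access on an
# AD container, i.e. the accounts that decide who gets LDAP query results.
param(
    # Placeholder DN; replace with the container your query searches.
    [string]$DistinguishedName = 'OU=Staff,DC=example,DC=com'
)

# Well-known broad principals (English names assumed). A read ACE for any of
# these means practically every account in the forest can run the query.
$broad = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\Pre-Windows 2000 Compatible Access'
)

$entry = [ADSI]"LDAP://$DistinguishedName"
$read  = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

# Explicit and inherited ACEs, with SIDs translated to account names.
$rules = $entry.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

$rules |
    # ReadProperty is also contained in GenericRead and GenericAll.
    Where-Object { ([int]$_.ActiveDirectoryRights -band $read) -ne 0 } |
    Select-Object `
        @{ n = 'Trustee';   e = { $_.IdentityReference.Value } },
        @{ n = 'Type';      e = { $_.AccessControlType } },
        @{ n = 'Rights';    e = { $_.ActiveDirectoryRights } },
        # An empty GUID means the ACE covers all attributes; otherwise it is
        # the schema GUID of one attribute or property set.
        @{ n = 'AppliesTo'; e = {
            if ($_.ObjectType -eq [Guid]::Empty) { 'all attributes' }
            else { $_.ObjectType }
        } },
        @{ n = 'Inherited'; e = { $_.IsInherited } },
        @{ n = 'Broad';     e = { $broad -contains $_.IdentityReference.Value } } |
    Sort-Object Broad, Trustee |
    Format-Table -AutoSize
```

Rows with `Broad` set to `True` and `Type` set to `Allow` are the entries that let any forest account read the objects; those are the ones whose removal carries the wider implications the reply mentions.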