How to know if a Active Directory user can log in interactively

windows active-directory login user-permissions user-profile
5,714

Solution 1

An LDAP search is not enough, because the ability to perform an interactive logon is controlled by the security policy in the destination computer.

The policy itself ("Allow Interactive Logon") can be managed by Group Policies in the domain (which you can check using RSOP, but not using LDAP), but it can also be manually configured on any given computer; also, the rights to perform an interactive logon can be assigned to users or groups, which further complicate things.

In short, there are multiple settings involved to define who is allowed to log on where; there is no quick, easy and general way to answer your question; even RSOP can only help a little here, because it can only check domain policies, not local ones.

Solution 2

Strictly through LDAP? No, this is not possible. Group Policy settings on the server can control if an account can log in, and those policies are not accessible via LDAP.

Solution 3

This is not an LDAP search - well - not directly - and there are various settings that come into play.

This setting is controlled either by a GPO or the local security policy.

See LOCAL SECURITY POLICY => Local Policies

Further this comes into play, 2.1.1 Interactive Logon Authentication:

Users can perform an interactive logon by using a local user account for local logon or a domain account for domain logon. The interactive logon process confirms the user's identification by using the security account database on the user's local computer or by using the domain's directory service. This mandatory logon process cannot be turned off for users in a domain.

Share:
5,714

Related videos on Youtube

Luigi
Author by

Luigi

Updated on September 18, 2022

Comments

  • Luigi
    Luigi over 1 year

    I would like to know if and how is it possible to know if an AD user can log in interactively (on a server) in a Windows domain.

    I need to know if I can find it out using an LDAP search.

    • Aaron Hudon
      Aaron Hudon over 5 years
      The answers mentioned about the interactive policy, however maybe your query is more about „not blocked, not expired and not disabled“? In that case using a bind with the User Account should help you for those kinds of AD flags.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Can I "allow logon locally" for ALL local accounts and some domain accounts?
How to turn Windows domain account to a local account
What is a difference between a member of "Users" group and not a member of any group on Windows?
Determining Logon date/time for user profiles on Windows
how to extract all permissions that a domain user have on the network
Can you use a local path for mandatory profiles?
One AD user Multiple Logins
Lock screen doesn't remember username
Users are getting a temporary profile
Login user picture on domain