Permissions to set on user to read from Active Directory only


Since you didn't mention any restrictions as far as the account only being able to read portions of the directory, I see no need to overthink this. The "Domain Users" default group already has bare minimum rights. It has the rights to read user, group and computer objects from the directory though, which is what you want to do.

I would create a group called "Service Accounts," or something similar, and add your special user to that group. Then I would modify a domain-level GPO that sets the "Deny log on locally" and "Deny log on through Remote Desktop" settings for the Service Accounts group.

Even if someone did compromise that account, they won't be able to interactively log on to any domain computers with it, nor will they have sufficient privileges to do anything useful using a network logon.
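Putting the answer's steps together as a script, as an added example that is not part of the original answer or comments: it creates the "Service Accounts" group and a directory-reader account with the settings the question describes (cannot change password, long random password, Domain Users membership only), confirms the account can still read group membership with its own credentials, and then checks from a domain-joined machine that the GPO's "Deny log on locally" and "Deny log on through Remote Desktop" rights actually contain the group. The domain name example.local, the OU path and the account name svc-ldap-reader are assumptions, not values from the page; the GPO itself is still created in the Group Policy editor as the answer says.

```powershell
# Added example, not code from the original answer or comments.
# Assumptions (not on the page): domain example.local, an existing OU
# "OU=Service Accounts,DC=example,DC=local", and a hypothetical account
# name svc-ldap-reader. Needs the RSAT ActiveDirectory module; step 5
# needs an elevated prompt on a domain-joined computer.
Import-Module ActiveDirectory

$GroupName   = 'Service Accounts'                           # name used in the answer
$AccountName = 'svc-ldap-reader'                            # hypothetical
$OuPath      = 'OU=Service Accounts,DC=example,DC=local'    # placeholder OU

# 1. A 64-character random password from a CSPRNG ("obnoxiously long").
#    Picking by modulo over 94 printable characters adds a tiny bias that is
#    irrelevant at this length; use a 256-entry pool if that bothers you.
$chars = [char[]](33..126)
$bytes = New-Object byte[] 64
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain    = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
$securePw = ConvertTo-SecureString $plain -AsPlainText -Force

# 2. The group the deny-logon GPO will target.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuPath
}

# 3. The account: cannot change its own password, password never expires,
#    Domain Users stays its only default membership, plus Service Accounts.
New-ADUser -Name $AccountName -SamAccountName $AccountName -Path $OuPath `
    -AccountPassword $securePw -Enabled $true `
    -CannotChangePassword $true -PasswordNeverExpires $true
Add-ADGroupMember -Identity $GroupName -Members $AccountName

# 4. Prove the account can still do its one job (read users and groups)
#    using nothing but the read rights Domain Users already grants.
$cred = New-Object System.Management.Automation.PSCredential ("example\$AccountName", $securePw)
Get-ADGroupMember -Identity $GroupName -Credential $cred | Select-Object SamAccountName

# 5. On a domain-joined computer, export the effective user-rights policy and
#    check both deny rights list the group's SID. SeDenyInteractiveLogonRight is
#    "Deny log on locally"; SeDenyRemoteInteractiveLogonRight is
#    "Deny log on through Remote Desktop Services". A missing line means the
#    GPO has not applied (or has not been created) on this machine.
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value
$inf = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $line = Get-Content $inf | Where-Object { $_ -match "^$right\s*=" }
    if ($line -and $line -like "*$groupSid*") {
        "{0,-36} OK: includes $GroupName" -f $right
    } else {
        "{0,-36} MISSING: $GroupName not denied here" -f $right
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Step 5 is the check worth keeping: run it on a representative workstation and server after `gpupdate /force`, because a GPO linked at the wrong level, or blocked by inheritance settings, silently leaves the account able to log on.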


Author: someone1

Updated on September 18, 2022

Comments

  • someone1
    someone1 over 1 year

    I have to set up user accounts for applications to use to get a list of users and group memberships from our domain. As such, I'd like these applications to use credentials for user accounts with as little access to my network as possible.

    What I've done was create basic users that cannot change passwords, group membership is "Domain Users", and I set the password to an obnoxiously long randomly generated one.

    Is there a particular built-in security group that I should be using instead? Is there another, more secure way of creating a user and granting them this kind of access?

    Any and all help would be greatly appreciated!

    • tony roth
      tony roth almost 11 years
      The issue with "domain users" is that you don't (maybe you do) know where it's been applied and which permissions were granted.
    • someone1
      someone1 almost 11 years
      Right, and if the credentials were ever stolen due to the 3rd party app being unsafe, then someone can use them to log on to domain PCs. I have security settings in place to prevent server access and access to shared resources, but limiting access to solely being able to list Active Directory users/group memberships would be ideal.
    • tony roth
      tony roth almost 11 years
      You could just give the user read access to the root of the OU that contains the groups/users and remove the account from Domain Users.