Min Security Rights to Perform LDAP Queries in Active Directory

Xap · May 5, 2009 · Viewed 29.8k times

Our company is trying to implement a few single sign-on applications using Active Directory (Windows Server 2003) and LDAP. I would like to lock down the account used to make these LDAP queries as much as possible. What is the best practice for configuring this type of account?

Answer

mrTomahawk · May 5, 2009

You can restrict/allow what a user can see/query within AD easily by using the Delegation Wizard. You can access the Delegation Wizard easily by right-clicking on an OU and then selecting Delegation Control. You also may want to take a look at these articles:

Default security concerns in Active Directory delegation

Best practices for delegating Active Directory administration: How delegation works in Active Directory

Best practices for delegating Active Directory administration: Case study: a delegation scenario
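The answer delegates rights through the wizard; once that is done, the practical follow-up is to verify what the query account actually holds on the OU, since the wizard can grant more than read access if the wrong task is ticked. The script below is an added example, not code from the original answer. It assumes the ActiveDirectory PowerShell module (which provides the `AD:` drive) is installed, and the OU distinguished name and account name are placeholders to be replaced.

```powershell
# Added example (not from the original answer): list the ACEs an LDAP query
# service account holds on an OU and flag anything beyond read-type rights.
# Assumptions: ActiveDirectory module present; $ouPath and $account are placeholders.

Import-Module ActiveDirectory

$ouPath  = "AD:\OU=Applications,DC=example,DC=com"   # placeholder OU
$account = "EXAMPLE\svc-ldap-query"                   # placeholder service account

$acl = Get-Acl -Path $ouPath

# ACEs (explicit or inherited) whose trustee is the service account itself.
# Rights granted via group membership (e.g. Authenticated Users) will not show here.
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $account }

if (-not $aces) {
    Write-Output "No ACEs name $account directly on $ouPath; it relies on default or group-based read access."
}

# Rights a query-only account legitimately needs; everything else is worth a second look.
$readOnly = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
            [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
            [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
            [int][System.DirectoryServices.ActiveDirectoryRights]::ListObject -bor
            [int][System.DirectoryServices.ActiveDirectoryRights]::ReadControl

foreach ($ace in $aces) {
    # Bits set in the ACE that are not part of the read-only mask.
    $excess = [int]$ace.ActiveDirectoryRights -band (-bnot $readOnly)
    $status = if ($ace.AccessControlType -eq 'Allow' -and $excess -ne 0) { 'REVIEW' } else { 'ok' }

    [PSCustomObject]@{
        Rights    = $ace.ActiveDirectoryRights
        Type      = $ace.AccessControlType
        Inherited = $ace.IsInherited
        Status    = $status
    }
}
```

Run it as a user who can read the OU's security descriptor; an `Allow` entry with `Status = REVIEW` (for example one carrying `WriteProperty` or `CreateChild`) means the delegation gave the query account more than it needs and should be tightened in the Delegation Wizard or the OU's Security tab.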