Allow app as user at child root read-only to all child AD objects

Discussion in 'Server Security' started by jremmc, Aug 10, 2006.

  1. jremmc

    jremmc Guest

    A new version of an application we use can query AD over LDAP to
    authenticate user logons. But it needs a user account at the root of our
    child domain (we have an empty root domain) with read-only access to the
    entire child level; the app would use this account to search AD. (The old
    version maintained its own database.)

    Is this ok security-wise?

    jremmc, Aug 10, 2006

  2. Any normal userid in any domain of the forest by default can search all
    userids of AD. The viewability of various attributes will depend
    specifically on your current security configuration.

    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---
    Joe Richards [MVP], Aug 10, 2006
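To make the answer above concrete, here is an added example (not from the thread, not from Joe Richards or Microsoft) of how an admin would provision the read-only bind account the app wants and then check what it can actually do. It assumes the ActiveDirectory module (RSAT) on a member of the child domain, and it uses made-up names: child domain child.corp.example, an OU named "Service Accounts", and an account named svc-appldap.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original thread. All names below are assumptions:
# child domain child.corp.example, OU "Service Accounts", bind account svc-appldap.
# Run as an administrator of the child domain from a machine with RSAT installed.

$Domain    = 'child.corp.example'
$DomainDN  = 'DC=child,DC=corp,DC=example'
$ServiceOU = "OU=Service Accounts,$DomainDN"
$SamName   = 'svc-appldap'
$DC        = (Get-ADDomainController -DomainName $Domain -Discover).HostName[0]

# 1. A long random password from the OS CSPRNG; the app admin receives it out of band.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$Password = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# 2. Create a plain user in the child domain: no group memberships beyond Domain Users,
#    password cannot be changed by the account itself, AES-only Kerberos.
New-ADUser -Server $DC -Path $ServiceOU -Name $SamName -SamAccountName $SamName `
    -UserPrincipalName "$SamName@$Domain" `
    -Description 'LDAP read-only bind account for the application server' `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
    -CannotChangePassword $true -KerberosEncryptionType AES128,AES256

$Cred = New-Object System.Management.Automation.PSCredential("$Domain\$SamName", $Password)

# 3. Confirm it is an ordinary user: nothing but Domain Users.
$Extra = Get-ADPrincipalGroupMembership -Server $DC -Identity $SamName |
    Where-Object { $_.Name -ne 'Domain Users' }
if ($Extra) { Write-Warning "$SamName is in extra groups: $($Extra.Name -join ', ')" }

# 4. Do what the app will do: bind as svc-appldap and search the whole child domain.
#    This works with no delegation at all, which is the point of the reply above.
$Sample = Get-ADUser -Server $DC -Credential $Cred -SearchBase $DomainDN -SearchScope Subtree `
    -LDAPFilter '(&(objectCategory=person)(objectClass=user))' -Properties mail |
    Select-Object -First 5 SamAccountName, mail
$Sample | Format-Table -AutoSize

# 5. Prove "read-only": a create as the bind account must be refused.
try {
    New-ADUser -Server $DC -Credential $Cred -Path $ServiceOU -Name 'svc-appldap-probe'
    Write-Warning "$SamName can create objects in $ServiceOU: it has more than read access"
    Remove-ADUser -Server $DC -Identity 'svc-appldap-probe' -Confirm:$false
} catch {
    Write-Host "OK: write refused for $SamName ($($_.Exception.Message))"
}

# 6. What every authenticated user can read is set by the ACL on the domain head,
#    which is what decides attribute visibility. Review the inherited grants here.
(Get-Acl -Path "AD:\$DomainDN").Access |
    Where-Object { $_.IdentityReference -match 'Authenticated Users|Everyone|Pre-Windows 2000' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
    Format-Table -AutoSize
```

Two caveats a practitioner would add. First, "read-only" for a default domain user still includes the right to join up to ms-DS-MachineAccountQuota (default 10) computer accounts to the domain, so a leaked bind password is not harmless; set the quota to 0 or deny that right if the account does not need it. Second, the account only needs to read, so also deny it interactive and remote logon through the domain's User Rights Assignment policy and keep the application talking to the DC over LDAPS or with signing and channel binding required, since it sends this password on every bind.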

  3. Hi Joe,

    Thanks. Will forward your info to app admin.

    Microsoft Newsgroups, Aug 10, 2006
