What to Do with a Locked-Down AD

Started by deanwebb, December 01, 2017, 09:03:30 AM


deanwebb

Every now and then, we have to install a product that needs to be able to look stuff up in Active Directory. Most of the time, all you need is a valid AD account in that domain, or a valid account in a root domain and then connect on port 3268, the global catalog port. That allows directory traversing for queries, quite nice when your device is in sub-domain1.company.com and the account being checked is in sub-domain2.company.com.

But if the AD is locked down hard because security, that account you're using will likely come up with a "failed to BIND" error message. That's because it can find the domain controller, it can open a connection on the right port, the account info is accurate... but you don't have the right permissions with that account.

Fear not, this article can help: http://www.dscentral.in/2011/08/17/locked-down-active-directory-ldap-authentication/

Basically, the admin will go into AD Users and Computers, enable Advanced Features, then go to that account, properties, security tab (available because you have advanced features turned on), advanced, and then add the "List Contents" ability for "this object and all child objects".

The account will now be able to BIND.  :smug:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
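As an added check (example script, not from the original post or the linked article): the appliance's "failed to BIND" message usually wraps two separate LDAP steps, the bind itself and the first lookup, so this PowerShell script runs them one at a time against the global catalog port and tells you which one is actually failing. The server name, base DN and service account are placeholders you substitute for your own.

```powershell
# Added example, not from the original post. Assumes PowerShell 5+ on a
# domain-joined Windows host and a global-catalog DC reachable on 3268.
# All names below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$gcServer = 'gc.company.com'       # placeholder: any GC-hosting DC in the root domain
$gcPort   = 3268                   # global catalog port, as in the post
$baseDn   = 'DC=company,DC=com'    # placeholder: root domain naming context
$cred     = Get-Credential -Message 'Service account the product will use'

# Talk LDAP directly with the .NET client so bind and search errors stay separate.
$server  = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($gcServer, $gcPort)
$netCred = $cred.GetNetworkCredential()
$conn    = [System.DirectoryServices.Protocols.LdapConnection]::new(
    $server, $netCred, [System.DirectoryServices.Protocols.AuthType]::Negotiate)
$conn.SessionOptions.ProtocolVersion = 3

# Step 1: does the account authenticate at all? Failures here are password,
# account status or name-resolution problems, not directory permissions.
try {
    $conn.Bind()
    Write-Host "Bind OK as $($netCred.UserName) against ${gcServer}:$gcPort"
} catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Warning "Bind failed: $($_.Exception.Message)"
    return
}

# Step 2: can the account actually list the directory? On a locked-down AD the
# bind succeeds but this one-level search comes back empty (or is refused)
# until "List Contents" has been granted, which is what the post's fix does.
$req = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $baseDn, '(objectClass=*)',
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel, [string[]]@('name'))
try {
    $resp = $conn.SendRequest($req)
    if ($resp.Entries.Count -eq 0) {
        Write-Warning "Bind succeeded but the account sees no children of $baseDn; grant List Contents."
    } else {
        Write-Host "Account can list $($resp.Entries.Count) top-level containers; lookups should work."
    }
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    Write-Warning "Search refused: $($_.Exception.Message); List Contents is probably missing."
}
$conn.Dispose()
```

Run it as the same account the product is configured with; if step 1 passes and step 2 warns, the "failed to BIND" error is really the permission problem the post describes.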