  • Disallow Users to query Active Directory

    Hi,

    We have a shared Active Directory here. We need to disallow users from querying the whole Active Directory.

    They should be able to authenticate, but they should not be allowed to query all objects.

    Any way to achieve that?

    We have only Windows systems running.

  • #2
    - Take away any admin rights they may have
    - Deny them the ability to log into any Domain Controller
    - Remove the Remote Server Admin Tools from their client PCs, and any other software that may be doing LDAP calls to the domain.

    Authentication is not done by the user to the domain, it's done for the user, by the PC they want to log into. So if you (at least) limit the users as above, they won't have any way of accessing AD on their own. Of course, this assumes that the users do not have to log into a DC for any other reasons. If they do have to, that makes it more complicated.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **


    • #3
      Hi,

      The users are normal domain users working on different terminal servers.

      They have ERP software which can query the Windows domain for users. I think this is done by LDAP, so if I block LDAP traffic to the domain controllers, it should not be possible to do this query, right?


      • #4
        And your application will probably break too...
        WHY do you need to prevent querying AD?
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **


        • #5
          Because we have several customers on the same LDAP and they should not see each other.


          • #6
            I closed the LDAP ports (3268, 6269, 636, 389), but now I can't log on anymore on the test servers. So LDAP is needed for Windows to log in? I thought this was done using Kerberos?


            • #7
              Could you give us a tiny clue which AD functional level (forest and domain) you are at, the OS on the domain controllers, and any other information that might help?
              Tom Jones

              • #8
                Hi,

                OS level: all systems are on Windows Server 2012 R2; forest and domain functional levels are also 2012 R2.

                We have different Terminal Servers for different companies using the same AD.
