Running LDAP Tool as Domain Admin

Post your questions and issues related to LDAP. The "LDAP" Guru is in town to address them.

Moderator: infoRouter Guru

gureli
Posts: 16
Joined: Wed Oct 03, 2012 6:54 am

Running LDAP Tool as Domain Admin

Post by gureli » Tue Nov 13, 2012 9:29 am

Hi,
When I run the service as a standard domain user, the service is unable to see or import any of the users that exist in the import groups, other than domain admin users and the account being used to run the service.

If I run the service as a domain admin account, it does see and import all the users. However, if I log in to a Win7 machine (for example) as that same standard domain user that runs the service, I'm able to search for and display the details of the users who are not domain admins just by using the default Windows directory search.

I'm not quite understanding why there is a mandatory need to run the service as a domain admin when, as a standard domain user, the details appear accessible. The issue here is security: a domain admin account has big security implications and looks to be an excessive level of rights for what needs to be returned.

Are you able to advise further?

Thanks.

infoRouter Guru
Posts: 230
Joined: Fri Aug 07, 2009 8:46 pm

Re: Why is it mandatory to run the LDAP Tool as a Domain Adm

Post by infoRouter Guru » Tue Nov 13, 2012 9:33 am

Hello,

We understand that you are trying to run the LDAP Service as a standard domain user; however, standard domain users do not have permissions to run Windows Services on any workstations.
This action requires users to have Domain Admin rights.

You can find the necessary information about this issue on http://stackoverflow.com/questions/178633/minimum-rights-required-to-run-a-windows-service-as-a-domain-account
According to the information stated on this page, we can conclude that if a standard domain user is given the necessary privileges, he/she won't need to be a domain admin to run the services.

Then, we can come back to your question; "Why there is a mandatory need to run the service as a domain admin when as a standard domain user details appear accessible?"

The answer is: even if you make the necessary configuration as stated on the link above, that user will also be asked for permissions (such as read and write rights) to reach the paths that the LDAP Service requires.
If that user is added to the Domain Admins LDAP User Group, these rights will be set automatically for that user. These privileges are strongly required since the LDAP service uses the files located under the Logs directory to write logs.
Hence, the most practical way to provide these conditions to a user is to add him/her to the Domain Admins LDAP User Group.

IR LDAP Tool basically deals with these issues:
1. Connecting to AD and getting the list of the LDAP User Groups. Reading the properties of various users and user groups. Searching for users whose primary groups might have been changed.
2. Connecting to the workstation on which the IR runs and synchronizing users via Web Service within the Windows Service.
3. LDAP Tool requires full control right to the path on which the IR LDAP Tool resides within the Windows Service.

So, it seems almost impossible to provide these conditions with a standard domain user.
You need to give the following permissions to this user:
1. The user needs to be given the required rights to perform these queries on the AD. You can configure this setting from the "Active Directory Domain and Users" screen; however, this will make this user gain privileges on that domain.
2. The user needs to have necessary permissions to access the IR Web service from the workstation on which the IR LDAP Tool runs (to run the queries).
3. The user should have rights to access the directories of the workstation on which the IR LDAP Tool runs.

In theory, you will be able to provide the environment for the standard domain user after all these configurations. However, setting the user as a domain admin is the best and most practical way to ensure these conditions. Using the other types of Group Policies is not a sufficient way to do this, since you might need to make additional configurations to provide the same functionality.

Regards,
The Guru
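The two host-side grants the Guru lists (write access to the tool's directory, including Logs, and running the Windows Service under the account) written out as a PowerShell script, so that a dedicated service account can be used instead of a Domain Admin. This is an added example, not infoRouter's own code; the service name, install path and account name are placeholders, and it assumes the AD read permission from point 1 is handled separately.

```powershell
# Added example, not part of the original post. Placeholder values:
# the tool is assumed to live under C:\infoRouter\LDAPTool (with its Logs
# subfolder), the service is assumed to be registered as "IRLdapService",
# and CONTOSO\svc-ldapsync is an assumed dedicated service account.
$svcAccount  = 'CONTOSO\svc-ldapsync'
$toolPath    = 'C:\infoRouter\LDAPTool'
$serviceName = 'IRLdapService'

# 1. Grant the account Modify (not Full Control) on the tool directory and
#    everything beneath it, which covers writing under Logs. This is a plain
#    NTFS grant and does not require the account to be a Domain Admin.
$acl  = Get-Acl -Path $toolPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $svcAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $toolPath -AclObject $acl

# 2. Point the service at the account. sc.exe is used because Set-Service only
#    gained -Credential in PowerShell 6. The account must also hold the
#    "Log on as a service" user right, assigned via Local Security Policy or
#    a GPO; that step is not scriptable with built-in cmdlets.
$cred = Get-Credential -UserName $svcAccount -Message 'Service account password'
sc.exe config $serviceName obj= $svcAccount password= $cred.GetNetworkCredential().Password

# 3. Verify the result: the ACE on the folder and the account the service runs as.
(Get-Acl -Path $toolPath).Access | Where-Object IdentityReference -eq $svcAccount
Get-CimInstance Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, StartName, State
```

The remaining grant from the Guru's list, access to the IR Web service from the workstation, is specific to the infoRouter installation and is not covered here.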
