cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
55971
Views
0
Helpful
8
Replies

LDAP Account Permission

gregskigregski
Level 1
Level 1

what permission does the LDAP account need in our Active Directory?

1 Accepted Solution

Accepted Solutions

Did some digging..

The account does NOT have to be a domain admin

Turns out the account I'm using is a member of Account Operators.  AO is an standard group in AD, a description is here:

http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx

View solution in original post

8 Replies 8

Assuming you're just using it for the various queries, just read access... generally a user that is a member of Domain Users and nothing else should work.

When the account is Domain Admins things work

When the account is only Domain Users things don't work

when I say things work or don't work I mean a group query in an Outgoing Policy is not kicking in, so in other words we say if a user is in a group called "Super Duper Users" then do something to their mail, well our IronPort account needs to be a Domain Admin in order to do a lookup in Active Directory, I don't get why as even Domain Users have read only permissions

so off to experiment

I'm glad i found this, I could not get it to work with the LDAP account user being a domain user. Did you find a solution to this? I would prefer not to have another admin account.

Thanks

Mike

Our case is still open as we are trying to convince IronPort support this is still an issue, and not working as expected.  I am beginning to think that the engieener may not know how his LDAP account is permissioned on the backend since it may have been configured by another group.  Also sometimes in the lab people set things up with Domain Admin permissions you know just "to get things working", and then they never go back to make them secure.

anyway, more as the news develops

So we spoke with John over at IronPort support he is one of our favorite Support Engineers well up until now, LOL, he confirmed that the IronPort LDAP account indeed needs to be a Domain Admin unless we contact Microsoft and they can tell us how to set it up differently he also recommended some utilities along the lines LDP and ADSI Edit to see if we can get to the OUs with that account.  I told him we can use our IronPort account in read only mode (ie not Domain Admin) using those utilities and browser any group membership we need, it's only through the IronPort appliances that it doesn't work when it's not a Domain Admin.

We will be contacting Microsoft for sure to get this looked at, at this time having a "service" account be a Domain Admin is not acceptable.

Did some digging..

The account does NOT have to be a domain admin

Turns out the account I'm using is a member of Account Operators.  AO is an standard group in AD, a description is here:

http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx

Ken, I love you man !!! that works, now to call IronPort Tech Support and edumecate them, LOL

It's odd that it doesn't work for you as a Domain User, because that's exactly how we have it configured here (I just checked). It works just fine for us. I suspect that there's something different about the fundamental protection settings of our respective ADs, but that's just a guess. I'm just the e-mail guy, I don't mess with AD.

++Don

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: