Re: How to prohibit an interactive logon and authorize an Ldap access
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Sat, 30 Apr 2005 10:04:47 -0400
Yeah, I will see if I can get it updated.
joe
--
Joe Richards
Microsoft MVP Windows Server Directory Services
www.joeware.net
Lee Flight wrote:
Hi Joe
Thanks for checking. It's a pity there is not a setting like that, which I think would be useful for accounts that are just used as middle-tier trusted subsystem accounts and accounts just used for provisioning.
I guess the MSDN content
http://msdn.microsoft.com/library/en-us/adsi/adsi/ads_user_flag_enum.asp
needs updating with respect to the OS dependence of this flag.
Thanks again,
Lee Flight
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message news:efD454STFHA.2680@xxxxxxxxxxxxxxxxxxxxxxx
Hey Lee, there was nothing special; it simply had to have the proper UAC value.
I took some time out this evening and tested this out, watched the error pop, and chased it into the source, and it appears that the SAM is now blocking that value from being set.
--
Joe Richards
Microsoft MVP Windows Server Directory Services
www.joeware.net
Lee Flight wrote:
Hi Joe,
do you recall if there was anything special that had to be set when
using ADS_UF_TEMP_DUPLICATE_ACCOUNT, such as it needing to
be combined with another flag? I just tried it and got "parameter incorrect"
from W2K3 AD on account creation.
Thanks,
Lee Flight
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message news:OcTwkQNTFHA.2432@xxxxxxxxxxxxxxxxxxxxxxx
It has been a long time since I tried this, and it may not even work any more, but there is a flag in userAccountControl called ADS_UF_TEMP_DUPLICATE_ACCOUNT which used to be able to be set in place of ADS_UF_NORMAL_ACCOUNT when creating the account. What that would do is make an account that wasn't usable for anything but net use connections to domain controllers. I used it for creating accounts for users in other domains who needed to access resources on DCs but didn't need to interactively log on. You can try it and see if it is still available and gives you the functionality you require.
--
Joe Richards
Microsoft MVP Windows Server Directory Services
www.joeware.net
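The thread turns on which bits are set in userAccountControl: Joe's recipe is to set ADS_UF_TEMP_DUPLICATE_ACCOUNT in place of ADS_UF_NORMAL_ACCOUNT, and Lee's later question is what happens when the flags are combined. The following Python is an added example, not code from the thread or from any Microsoft tool. The ADS_UF_* values are the documented ADS_USER_FLAG_ENUM constants from the MSDN page Lee links; the "exactly one account-type flag" rule in compose_uac and the list of flags audit_uac reports are this example's own choices for reviewing service and provisioning accounts, not a description of what the SAM validates. It decodes a raw userAccountControl integer into flag names, composes a value from flag names, and reports flags a defender would want to see on an account that is only meant to bind over LDAP.

```python
"""Decode, compose and audit Active Directory userAccountControl bitmasks."""

# ADS_USER_FLAG_ENUM constants (documented ADSI values).
ADS_UF = {
    "ADS_UF_SCRIPT": 0x0001,
    "ADS_UF_ACCOUNTDISABLE": 0x0002,
    "ADS_UF_HOMEDIR_REQUIRED": 0x0008,
    "ADS_UF_LOCKOUT": 0x0010,
    "ADS_UF_PASSWD_NOTREQD": 0x0020,
    "ADS_UF_PASSWD_CANT_CHANGE": 0x0040,
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x0080,
    "ADS_UF_TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "ADS_UF_NORMAL_ACCOUNT": 0x0200,
    "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "ADS_UF_WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "ADS_UF_SERVER_TRUST_ACCOUNT": 0x2000,
    "ADS_UF_DONT_EXPIRE_PASSWD": 0x10000,
    "ADS_UF_MNS_LOGON_ACCOUNT": 0x20000,
    "ADS_UF_SMARTCARD_REQUIRED": 0x40000,
    "ADS_UF_TRUSTED_FOR_DELEGATION": 0x80000,
    "ADS_UF_NOT_DELEGATED": 0x100000,
    "ADS_UF_USE_DES_KEY_ONLY": 0x200000,
    "ADS_UF_DONT_REQUIRE_PREAUTH": 0x400000,
    "ADS_UF_PASSWORD_EXPIRED": 0x800000,
    "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x1000000,
}

# Account-type flags. This example treats them as mutually exclusive (an
# assumption of the example: one account is one kind of account).
ACCOUNT_TYPE_FLAGS = (
    "ADS_UF_TEMP_DUPLICATE_ACCOUNT",
    "ADS_UF_NORMAL_ACCOUNT",
    "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT",
    "ADS_UF_WORKSTATION_TRUST_ACCOUNT",
    "ADS_UF_SERVER_TRUST_ACCOUNT",
)

# Flags this example's audit reports on a bind-only / service account.
# The selection is the example's own, based on how each flag weakens
# password or Kerberos handling or widens what the account may do.
AUDIT_FLAGS = (
    "ADS_UF_PASSWD_NOTREQD",
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    "ADS_UF_DONT_EXPIRE_PASSWD",
    "ADS_UF_TRUSTED_FOR_DELEGATION",
    "ADS_UF_USE_DES_KEY_ONLY",
    "ADS_UF_DONT_REQUIRE_PREAUTH",
    "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
)


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, in bit order.

    Bits that are not in the ADS_UF table are reported as UNKNOWN_0x... so an
    auditor sees them rather than silently losing them.
    """
    names = [name for name, bit in ADS_UF.items() if value & bit]
    known = 0
    for bit in ADS_UF.values():
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append("UNKNOWN_0x%X" % leftover)
    return names


def compose_uac(*names):
    """OR the named flags together, requiring exactly one account-type flag.

    compose_uac("ADS_UF_TEMP_DUPLICATE_ACCOUNT") is Joe's recipe: the
    temp-duplicate flag used instead of ADS_UF_NORMAL_ACCOUNT.
    """
    unknown = [n for n in names if n not in ADS_UF]
    if unknown:
        raise ValueError("unknown flag name(s): %s" % ", ".join(unknown))
    types = [n for n in names if n in ACCOUNT_TYPE_FLAGS]
    if len(types) != 1:
        raise ValueError("exactly one account-type flag required, got %r" % (types,))
    value = 0
    for n in names:
        value |= ADS_UF[n]
    return value


def audit_uac(value):
    """Return the AUDIT_FLAGS present in value, in bit order."""
    present = set(decode_uac(value))
    return [name for name, _ in sorted(ADS_UF.items(), key=lambda kv: kv[1])
            if name in AUDIT_FLAGS and name in present]


if __name__ == "__main__":
    # Constructed sample: a disabled normal account (0x202 = 514).
    print(decode_uac(514))
    print(hex(compose_uac("ADS_UF_TEMP_DUPLICATE_ACCOUNT")))
    # Constructed sample with two flags an auditor would question.
    print(audit_uac(0x400220))
```

Running the module prints the decoded flags for a disabled normal account, the value Joe's recipe produces (0x100), and the audit findings for a constructed value that combines ADS_UF_NORMAL_ACCOUNT with ADS_UF_PASSWD_NOTREQD and ADS_UF_DONT_REQUIRE_PREAUTH. Feeding it real values pulled from the userAccountControl attribute (for example from an LDAP search result) is the intended use.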
Christian wrote:
Hi,
I want to configure an AD account named TEST for the following goal:
1 - prohibit it from opening an interactive logon on any XP workstation in my domain
2 - authorize an LDAP connection to the TEST user object with the credentials of TEST.
If I disable the account, or if I restrict the "Logon hours..." or "Log on to..." parameters of the account, I achieve the first goal but not the second one.
Does anybody have a solution?
Thanks,
Christian