Re: User account access after account disable?




Thanks, Joe.
So does that mean the ONLY way to validate group membership is via LDAP calls?

Secondly, I thought an AD user was designated a member of a group by an
attribute on his/her object that says "memberOf" (whereas in standard LDAP
you have a group object with attributes "uniquemember"). If this is the case,
then does AD do an LDAP call on the user to find out what groups he belongs
to, rather than querying the group to get its members?

"Joe Kaplan (MVP - ADSI)" wrote:

> On the second question regarding applications testing the AD for group
> membership, the object will still be a member of groups in the AD, so if
> they are doing LDAP calls to figure out group membership, this won't help
> you. However, the user should not be able to log in anywhere (including LDAP
> binds or accessing web applications) as their password won't verify when
> they are disabled, so hopefully no one doing LDAP group checks would have
> authenticated the user in the first place, as that should not be possible.
>
> Joe K.
>
> "jgershater" <jgershater@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:B72860E8-A82D-4ABF-9CA7-BC93CFC29999@xxxxxxxxxxxxxxxx
> > Hi,
> > I have a Windows 2003 Active Directory (AD).
> > AD is *NOT* used as the workstation desktop login (instead Novell NDS is
> > used).
> > AD is used for group membership. Groups are used by applications to
> > determine application access.
> >
> > Question one:
> > If I disable a user in AD, does that *ONLY* disable login from a
> > workstation (which is not used in my case) or does disabling also prevent
> > other privileges?
> > If my account is disabled do I still have domain privileges? Can I access
> > a shared folder? Can I print to a printer?
> >
> > Question two:
> > If I DISABLE a user in AD, and the application tests the AD group for user
> > account membership, will that test return true? Or will that test return
> > false because even though the user is a member of the group, their account
> > is disabled?
>
>
>
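Added example (not part of the thread above, and not code from either poster): a small, offline model of the two points under discussion. AD stores membership on the group object in its multi-valued "member" attribute; the user's "memberOf" is a back-link that AD computes from "member", so an application can read either side and get the same answer for direct membership. Disabling an account sets bit 0x2 (ACCOUNTDISABLE) in the user's "userAccountControl" and does not touch group membership, so an application that only asks "is the DN in the group?" over LDAP will still get true for a disabled user; the check that closes the gap is to test the disabled bit as well, which can be done client-side or in the LDAP filter itself via the bitwise-AND matching rule OID 1.2.840.113556.1.4.803. The directory entries, DNs and account names below are constructed for the example; the script does not talk to a real domain controller.

```python
"""Model of AD group-membership checks vs. the disabled-account bit.

All entries are constructed stand-ins for LDAP search results; no live
directory is contacted.  DNs and names are made up for the example.
"""

ACCOUNTDISABLE = 0x0002   # userAccountControl bit set by "disable account"
NORMAL_ACCOUNT = 0x0200   # userAccountControl bit on every ordinary user
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # AD's LDAP_MATCHING_RULE_BIT_AND

U_ALICE = "CN=alice,OU=Users,DC=example,DC=com"
U_BOB = "CN=bob,OU=Users,DC=example,DC=com"
U_CAROL = "CN=carol,OU=Users,DC=example,DC=com"
G_ADMINS = "CN=App-Admins,OU=Groups,DC=example,DC=com"
G_HELPDESK = "CN=Helpdesk,OU=Groups,DC=example,DC=com"

# Constructed directory: DN -> attributes.  "member" on the group is the
# forward link AD actually stores; "memberOf" on the user is the back-link
# AD derives from it and lists DIRECT groups only (and never the primary
# group, which lives in primaryGroupID).
DIRECTORY = {
    U_ALICE: {"objectClass": ["user"], "userAccountControl": NORMAL_ACCOUNT,
              "memberOf": [G_ADMINS]},
    U_BOB: {"objectClass": ["user"],
            "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,  # disabled
            "memberOf": [G_ADMINS]},
    U_CAROL: {"objectClass": ["user"], "userAccountControl": NORMAL_ACCOUNT,
              "memberOf": [G_HELPDESK]},
    G_ADMINS: {"objectClass": ["group"], "member": [U_ALICE, U_BOB, G_HELPDESK]},
    G_HELPDESK: {"objectClass": ["group"], "member": [U_CAROL]},
}


def is_member_via_group(group_dn, user_dn, directory=DIRECTORY):
    """Standard-LDAP style: read the group's forward link (member)."""
    return user_dn in directory[group_dn].get("member", [])


def is_member_via_user(group_dn, user_dn, directory=DIRECTORY):
    """AD style: read the user's back-link (memberOf).  Same answer for
    direct membership, but nested groups are not visible here."""
    return group_dn in directory[user_dn].get("memberOf", [])


def is_member_transitive(group_dn, user_dn, directory=DIRECTORY, _seen=None):
    """Follow nested groups through member; guards against membership cycles."""
    seen = _seen if _seen is not None else set()
    if group_dn in seen:
        return False
    seen.add(group_dn)
    for dn in directory[group_dn].get("member", []):
        if dn == user_dn:
            return True
        entry = directory.get(dn, {})
        if "group" in entry.get("objectClass", []) and \
                is_member_transitive(dn, user_dn, directory, seen):
            return True
    return False


def is_disabled(user_dn, directory=DIRECTORY):
    """True when the ACCOUNTDISABLE bit is set; membership is unaffected."""
    return bool(directory[user_dn]["userAccountControl"] & ACCOUNTDISABLE)


def authorize(group_dn, user_dn, directory=DIRECTORY):
    """What an LDAP-based app should do: enabled account AND (nested) member."""
    if is_disabled(user_dn, directory):
        return False
    return is_member_transitive(group_dn, user_dn, directory)


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a filter string, so a
    caller-supplied name cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def enabled_user_filter(sam_account_name):
    """Filter that matches the named user only if the disabled bit is clear.
    The (!(userAccountControl:<rule>:=2)) clause is how this is expressed
    against a real domain controller."""
    return ("(&(objectClass=user)(sAMAccountName=%s)"
            "(!(userAccountControl:%s:=%d)))"
            % (ldap_escape(sam_account_name), BIT_AND_RULE, ACCOUNTDISABLE))


if __name__ == "__main__":
    for user in (U_ALICE, U_BOB, U_CAROL):
        print(user.split(",")[0], "member:", is_member_via_group(G_ADMINS, user),
              "disabled:", is_disabled(user), "authorized:", authorize(G_ADMINS, user))
    print(enabled_user_filter("bob"))
```

Bob is still listed in App-Admins after being disabled, so both membership lookups return true for him; only authorize(), which also inspects userAccountControl, refuses him. Carol shows the second caveat: she reaches App-Admins only through the nested Helpdesk group, so memberOf on her object never names App-Admins and only the transitive walk over member finds her.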


