Securing LDAP authentication accounts
Hi All, I've been requested to let some 3rd party systems look up user data for authentication purposes from our domain using LDAP. To do that I want the tools to use authenticated LDAP, so I can later bar them/track them if need be. But where do I put these 'user accounts' (the LDAP authentication accounts) in the AD tree? My AD is based around a basic SBS2003 out-of-the-box design, so users exist in SBSUsers. But, as an example, I don't want these LDAP user accounts to be usable on domain PCs for logins, or used for any other purpose than the LDAP lookup (read only!). Any hints? Thanks,
March 29th, 2011 10:02am

So I've found that I can use the "Log On To" account control to make sure the LDAP account can only access DCs, but as I have to name each DC, that's going to cause problems for me in the future if I change a DC.
March 29th, 2011 10:24am

Here is how I generally secure these types of accounts:
1. Create a Non-Domain Users group in AD.
2. Add the LDAP account into the new group.
3. Update the LDAP account so that the Non-Domain Users group is the primary group.
4. Remove the Domain Users group from the account.
This will at least prevent the account from acting like a normal user (in many scenarios) and is generally better than nothing. The account does not need to be in any other group, as all domain accounts can query AD via LDAP.
fr3dd
March 29th, 2011 11:47am

Hi, Please check if the following policies can meet the requirement:
Deny access to this computer from the network: http://technet.microsoft.com/en-us/library/cc758316(WS.10).aspx
Deny log on locally: http://technet.microsoft.com/en-us/library/cc728210(WS.10).aspx
Hope it helps.
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 29th, 2011 9:53pm

No, the "Log On To" policy applies only to local logon, not remote network logon, which is your probable case. Basically, any authenticated user can read a lot from AD. Just create your accounts, create a separate group for them (such as LDAP Read Access) and remove them from Domain Users. This way you remove all the default permissions except for Authenticated Users group membership, which is implicit. At this stage, the accounts will have the same access as the default for the Authenticated Users group. You can test your application and see whether it requires anything in addition. If yes, you use your custom LDAP Read Access group to grant the necessary permissions. The organizational unit (the container) where you place the accounts is not crucial. I usually create a separate OU for service accounts. If you want to further restrict the account's access to other computers of the domain, you can create a Group Policy Object (GPO) that would be applied to all the domain computers except for the Domain Controllers. You would then configure the "User Rights Assignment" policy to apply the "Deny log on..." policies to your specific LDAP Read Access group.
ondrej.
March 30th, 2011 7:57am
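The sequence described in fr3dd's and ondrej's replies (separate OU, a dedicated group as primary group, then dropping Domain Users), as an added PowerShell example that is not from the thread. It assumes the RSAT ActiveDirectory module on an admin workstation talking to a DC that runs Active Directory Web Services (or the AD Management Gateway Service on a 2003 DC); the OU and account names are placeholders.

```powershell
# Added example, not from the thread. Names below are placeholders to adapt.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$ouName    = 'Service Accounts'          # hypothetical OU, per ondrej's suggestion
$ouDN      = "OU=$ouName,$domainDN"
$groupName = 'LDAP Read Access'          # group name from ondrej's reply
$samName   = 'svc-ldap-lookup'           # hypothetical bind account name

# 1. Separate OU for service accounts; skip creation if it already exists.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. The group that will become the account's primary group.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN `
        -Description 'Read-only LDAP bind accounts for third-party systems'
}

# 3. The bind account. A long random password and a rotation procedure are assumed.
$password = Read-Host -AsSecureString 'Password for the LDAP bind account'
New-ADUser -Name $samName -SamAccountName $samName -Path $ouDN -AccountPassword $password `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'LDAP lookup only - no interactive or network logon'

# 4. fr3dd's sequence: join the group, make it the primary group, then drop Domain Users.
#    primaryGroupID is the group's RID, i.e. the last component of its SID.
Add-ADGroupMember -Identity $groupName -Members $samName
$rid = (Get-ADGroup $groupName).SID.Value.Split('-')[-1]
Set-ADUser -Identity $samName -Replace @{ primaryGroupID = [int]$rid }
Remove-ADGroupMember -Identity 'Domain Users' -Members $samName -Confirm:$false

# 5. Verify the result: primary group and remaining memberships.
Get-ADUser $samName -Properties MemberOf, PrimaryGroup |
    Select-Object SamAccountName, PrimaryGroup, MemberOf
```

The logon restriction itself is still done in Group Policy as ondrej describes: add the group to "Deny log on locally" and "Deny access to this computer from the network" under User Rights Assignment in a GPO linked to the workstation and member-server OUs only, never to the Domain Controllers OU, or the LDAP bind itself will be refused.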

Hi, How's everything going? I would like to check if the information is helpful. If you need further assistance, please feel free to respond back. Thanks.
Joson Zhou
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
April 4th, 2011 1:30am

Hi Joson, Well, I'd pretty much done what the others had suggested with groups etc. The accounts can still be used to log in to PCs unless I set the GPOs too.
April 4th, 2011 11:22am

Hi, It is because Authenticated Users is a member of the local Users group. By default, the Users group is allowed to log on to a member server locally. Thanks.
April 6th, 2011 3:30am
