How to prohibit an interactive logon and authorize an Ldap access
Christian
2005-04-29 08:41:37 UTC
Hi,

I want to configure an AD account named TEST for the following goals:
1 - prohibit it from opening an interactive logon on any XP workstation of my
domain
2 - authorize an LDAP connection to the TEST user object with the credentials
of TEST.

If I disable the account, or if I restrict the "Logon hours.." or "Log on to
..." parameters of the account, I achieve the first goal but not the second
one.

Does anybody have a solution?

Thanks,

Christian
Lee Flight
2005-04-29 09:42:34 UTC
Hi

perhaps you could add the account to Deny Logon Locally
in the User Rights Assignments of your security policy.

Lee Flight
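One way to verify that the "Deny log on locally" assignment Lee suggests is actually in force on a workstation, as an added example that is not from this thread: export the local policy with `secedit /export /cfg policy.inf` and confirm the account appears under SeDenyInteractiveLogonRight, the [Privilege Rights] key behind that user right. The INF text, the account name CORP\TEST and the SID below are constructed sample data.

```python
"""Check a secedit export for 'Deny log on locally' (SeDenyInteractiveLogonRight).

Added example. Assumes the policy was exported with 'secedit /export /cfg policy.inf'
on the workstation (or taken from the GPO's GptTmpl.inf); the INF below is constructed.
"""

# Constructed sample of what the [Privilege Rights] section of a secedit export looks like.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,CORP\\TEST
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

DENY_RIGHT = "SeDenyInteractiveLogonRight"

def parse_privilege_rights(inf_text):
    """Return {right_name: [principals]} from the [Privilege Rights] section.
    Principals are either '*S-1-5-...' SIDs or DOMAIN\\name strings."""
    rights = {}
    in_section = False
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = (line == "[Privilege Rights]")
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def is_interactive_logon_denied(inf_text, principal):
    """True if principal (SID or DOMAIN\\name, case-insensitive, leading '*' optional)
    is listed under SeDenyInteractiveLogonRight. Deny rights override allow rights,
    so membership here is enough to block a console logon on that machine."""
    rights = parse_privilege_rights(inf_text)
    wanted = principal.lstrip("*").lower()
    return any(p.lstrip("*").lower() == wanted for p in rights.get(DENY_RIGHT, []))
```

This right only governs interactive (console) logons; an LDAP bind with TEST's credentials is a network logon and is unaffected, which is the split the original question asks for.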
Joe Richards [MVP]
2005-04-29 15:57:26 UTC
It has been a long time since I tried this and it may not even work any more but
there is a flag in useraccountcontrol called ADS_UF_TEMP_DUPLICATE_ACCOUNT which
used to be able to be set in the place of ADS_UF_NORMAL_ACCOUNT when creating
the account. What that would do is make an account that wasn't usable for
anything but net use connections to domain controllers. I used it for creating
accounts for users on other domains who needed to access resources on DCs but
didn't need to interactively log on. You can try it and see if it is still
available and gives you the functionality you require.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
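The two flags Joe names are account-type bits of userAccountControl; as an added example that is not from this thread, the decoder below reports which ADS_UF_* bits an account carries and which account type it is, so a directory audit can spot a TEMP_DUPLICATE account (or an account with no single type) without anyone logging on. The flag values are the ADS_USER_FLAG_ENUM constants (a subset); the records in SAMPLE_RECORDS are constructed, not output from a real directory.

```python
"""Decode userAccountControl and report the account-type bit.

Added example. ADS_UF_* values are the documented ADS_USER_FLAG_ENUM constants
(only a subset is listed); SAMPLE_RECORDS is constructed sample data.
"""

ADS_UF = {
    "ADS_UF_SCRIPT": 0x1,
    "ADS_UF_ACCOUNTDISABLE": 0x2,
    "ADS_UF_LOCKOUT": 0x10,
    "ADS_UF_PASSWD_NOTREQD": 0x20,
    "ADS_UF_TEMP_DUPLICATE_ACCOUNT": 0x100,
    "ADS_UF_NORMAL_ACCOUNT": 0x200,
    "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT": 0x800,
    "ADS_UF_WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "ADS_UF_SERVER_TRUST_ACCOUNT": 0x2000,
    "ADS_UF_DONT_EXPIRE_PASSWD": 0x10000,
    "ADS_UF_SMARTCARD_REQUIRED": 0x40000,
    "ADS_UF_DONT_REQUIRE_PREAUTH": 0x400000,
    "ADS_UF_PASSWORD_EXPIRED": 0x800000,
}

# Exactly one of these account-type bits is expected on a well-formed account.
ACCOUNT_TYPE_BITS = ("ADS_UF_TEMP_DUPLICATE_ACCOUNT", "ADS_UF_NORMAL_ACCOUNT",
                     "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT",
                     "ADS_UF_WORKSTATION_TRUST_ACCOUNT", "ADS_UF_SERVER_TRUST_ACCOUNT")

def decode_uac(value):
    """Return the names of the ADS_UF_* flags set in a userAccountControl integer."""
    return [name for name, bit in ADS_UF.items() if value & bit]

def account_type(value):
    """Return the single account-type flag set, or None if zero or several are set."""
    types = [t for t in ACCOUNT_TYPE_BITS if value & ADS_UF[t]]
    return types[0] if len(types) == 1 else None

def audit(records):
    """records: iterable of (sAMAccountName, userAccountControl) as an LDAP search
    would return them. Yields (name, account_type_or_None, disabled). A
    TEMP_DUPLICATE result is worth a look: per the thread, newer SAMs refuse to
    set it, so an object carrying it was created on an older DC."""
    for name, uac in records:
        yield name, account_type(uac), bool(uac & ADS_UF["ADS_UF_ACCOUNTDISABLE"])

# Constructed sample: a normal enabled user, the thread's TEST account built with
# TEMP_DUPLICATE instead of NORMAL, and a disabled normal user.
SAMPLE_RECORDS = [("alice", 0x200), ("TEST", 0x100), ("olduser", 0x202)]
```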
Lee Flight
2005-04-29 22:27:54 UTC
Hi Joe,

do you recall if there was anything special that had to be set when
using ADS_UF_TEMP_DUPLICATE_ACCOUNT, such as it needing to
be combined with another flag? I just tried it and got "parameter incorrect"
from W2K3 AD on account creation.

Thanks
Lee Flight
Joe Richards [MVP]
2005-04-30 02:42:19 UTC
Hey Lee, there was nothing special, it simply had to have the proper uac value.

I took some time out this evening and tested this out and watched the error pop
and chased it into the source and it appears that the SAM is now blocking that
value from being set.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Lee Flight
2005-04-30 11:09:00 UTC
Hi Joe

thanks for checking. It's a pity there is not a setting like that which
I think would be useful for accounts that are just used for middle tier
trusted subsystem accounts and accounts just used for provisioning.

I guess the MSDN content

http://msdn.microsoft.com/library/en-us/adsi/adsi/ads_user_flag_enum.asp

needs updating wrt the OS dependence of this flag.

Thanks again
Lee Flight
Joe Richards [MVP]
2005-04-30 14:04:47 UTC
Yeah, I will see if I can get it updated.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net