I'm currently using DEX as an alternative to ADFS to connect some OIDC apps to my Active Directory, which runs on Samba. DEX queries the directory using LDAP and requires a dedicated account for this. My question is, how can I set up an account that is restricted to only binding to LDAP and does not have any other permissions? Also, is there a way within Active Directory to specifically create service accounts that do not have the same access privileges that regular user accounts have, such as logging into systems and accessing desktops?
3 Answers
To create an account that can only log on to certain computers, you can modify its properties in Active Directory. You'll want to find the option that specifies which computers the account is allowed to log into; this should restrict it effectively from logging into unauthorized machines.
When you create a new user account, by default it's part of the 'domain users' group, which allows logon to domain-joined computers. To restrict the account, you should create it and then remove it from that group. After that, you can use the delegated permissions wizard to fine-tune what the account can do in Active Directory. Alternatively, consider using a managed service account; that might simplify the process, although I haven’t used it extensively.
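The first answer's "Log On To" restriction is stored in the userWorkstations attribute, and on a Samba AD DC it can be applied with the ldb tools. The script below is an added example written for this thread, not code from either answer; it assumes samba-tool, ldbmodify and ldbsearch are on PATH, the default sam.ldb path, and placeholder names (dex-bind, NOLOGON-HOST, DC=example,DC=com).

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a Samba AD DC with
# samba-tool, ldbmodify and ldbsearch installed and the default sam.ldb path.
# The account name, base DN and workstation name are placeholders.
set -eu

SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"

# LDIF for the "Log On To" restriction (userWorkstations). Naming a
# workstation that does not exist in the domain denies interactive logon
# on every real machine; NetBIOS names are limited to 15 characters.
restrict_logon_ldif() {
    dn="$1"
    workstation="$2"
    printf 'dn: %s\nchangetype: modify\nreplace: userWorkstations\nuserWorkstations: %s\n' \
        "$dn" "$workstation"
}

# Read ldbsearch output on stdin and report the restriction, or "unset"
# when the attribute is absent (used to verify the change took effect).
workstation_from_search() {
    ws=$(sed -n 's/^userWorkstations: //p')
    [ -n "$ws" ] && echo "$ws" || echo "unset"
}

# Create the bind account, restrict it, then print the stored value.
# Only meaningful on the DC itself, so it is not run at top level.
create_bind_account() {
    name="$1"; password="$2"; base_dn="$3"
    samba-tool user create "$name" "$password"
    restrict_logon_ldif "CN=$name,CN=Users,$base_dn" "NOLOGON-HOST" \
        | ldbmodify -H "$SAM_DB"
    ldbsearch -H "$SAM_DB" "(sAMAccountName=$name)" userWorkstations \
        | workstation_from_search
}

# Usage on the DC: sh restrict-bind-account.sh apply dex-bind 'S3cret!' 'DC=example,DC=com'
if [ "${1:-}" = "apply" ]; then
    create_bind_account "$2" "$3" "$4"
fi
```

After applying it, test the bind from DEX itself: whether the workstation check touches an LDAP bind depends on whether the client sends a workstation name, so the attribute value alone is not proof. Removing the account from Domain Users, as the second answer suggests, first requires changing its primary group, which this example leaves untouched.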