I'm using DEX as a replacement for ADFS to connect some OIDC applications to my Active Directory, which is running on Samba. DEX requires its own account to query the directory via LDAP. What I need help with is creating a user account that only has permission to bind to LDAP and doesn't have access to anything else. Is there a way to set up a service account in Active Directory that has no privileges, such as logging into systems or accessing a desktop, like regular user accounts do?
2 Answers
When you create a new user account in AD, by default, it becomes part of the built-in domain users group, which allows logging into domain-joined computers. To create that dedicated account, first, create the user, then remove it from the domain users group. After that, you can use the delegated permissions wizard to limit its access to only what's necessary for reading data in AD. Alternatively, consider using a 'managed service account' for better security, although I haven't tested those extensively in non-Windows apps.
You can modify the account so that it only logs onto specific computers in your AD setup. There's a property for that—though I can't remember the exact name—that prevents it from logging onto any other machines. This way, you can restrict its usage effectively.
Quick tip: If you're looking into managed accounts, check out group managed service accounts. They might be a better fit than regular MSAs.
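The procedure in the two answers above (create the user, take it out of Domain Users, then restrict which computers it may log on to), as an added example that is not part of the thread and not code from the Samba or DEX projects. It targets a Samba AD DC with samba-tool and ldbmodify; all domain names, paths and the account, group and host names are placeholders. Two details worth knowing before running it: AD will not remove a user from its primary group, and Domain Users is the default primary group, so the script assigns a new primary group first; and the "property" the second answer refers to is the userWorkstations attribute (the "Log On To" list in ADUC), which the script sets to the DEX host only. It ends with an ldapsearch bind so you can confirm that the logon restriction still leaves the simple bind DEX needs working.

```shell
#!/bin/sh
# Added example, not from this thread or the Samba/DEX projects.
# Creates a bind-only account for DEX on a Samba AD DC using samba-tool and
# ldbmodify. Every variable below is a placeholder for your own domain.
# Run on the DC as root. DRY_RUN=1 prints each command instead of executing it.
set -u

SAM_USER="${SAM_USER:-dexsvc}"                       # the service account
REALM="${REALM:-example.com}"                        # Kerberos realm / UPN suffix
BASE_DN="${BASE_DN:-DC=example,DC=com}"              # domain naming context
DEX_HOST="${DEX_HOST:-dex01}"                        # only host allowed to log on
SVC_GROUP="${SVC_GROUP:-svc-ldap-bind}"              # replacement primary group
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}" # Samba's database path
DC_URL="${DC_URL:-ldaps://dc1.example.com}"          # URL DEX will bind to
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# LDIF that sets userWorkstations (the "Log On To" list in ADUC) on an account.
# The account may then only log on to the hosts listed, so a single host name
# confines it to the DEX server.
workstation_ldif() {
  user="$1"; hosts="$2"
  cat <<EOF
dn: CN=$user,CN=Users,$BASE_DN
changetype: modify
replace: userWorkstations
userWorkstations: $hosts
EOF
}

# The first answer's steps: create the user, move it out of Domain Users,
# then lock down where it can log on (the attribute the second answer means).
create_bind_account() {
  # 1. Create the user (samba-tool prompts for the password when none is given).
  run samba-tool user create "$SAM_USER" \
      --description="DEX LDAP bind account; no interactive logon"
  run samba-tool user setexpiry "$SAM_USER" --noexpiry

  # 2. AD refuses to remove a user from its primary group, and Domain Users is
  #    the default primary group, so give the account a new one first.
  run samba-tool group add "$SVC_GROUP" --description="LDAP bind-only accounts"
  run samba-tool group addmembers "$SVC_GROUP" "$SAM_USER"
  run samba-tool user setprimarygroup "$SAM_USER" "$SVC_GROUP"
  run samba-tool group removemembers "Domain Users" "$SAM_USER"

  # 3. Restrict logon to the DEX host via userWorkstations.
  ldif=$(mktemp)
  workstation_ldif "$SAM_USER" "$DEX_HOST" > "$ldif"
  run ldbmodify -H "$SAM_LDB" "$ldif"
  rm -f "$ldif"
}

# Confirm the account can still bind and read its own object. A simple bind
# plus default read access to user and group objects is all DEX needs, so no
# further delegation is required for its lookups.
verify_bind() {
  run ldapsearch -x -LLL -H "$DC_URL" -D "$SAM_USER@$REALM" -W \
      -b "$BASE_DN" "(sAMAccountName=$SAM_USER)" dn memberOf
}

if [ "${1:-}" = "apply" ]; then
  create_bind_account
  verify_bind
fi
```

Run it once with DRY_RUN=1 to review the exact samba-tool and ldbmodify calls for your domain, then as `./script.sh apply` on the DC; the final ldapsearch should return the account's DN and its new group, and if it fails after the userWorkstations change, that restriction is what to revisit before pointing DEX at the account.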