2

I want to create a user that can query LDAP on my Windows 2008 R2 Active Directory. It only works with Domain Admins. I read the Account Operators group will also work. Both these have write rights, however. I also read that Domain Users should be able to work, but it does not. Only Domain Admin accounts work.

This is for a PHP program that has an LDAP plugin, so I'm trying to create a read-only user.

1
  • Create a user, put it in the Domain Guests group, remove all other groups. Of course the privileges you need depend on what you need to read. There are a few attributes that have ACLs that restrict who can read them. Commented Feb 25, 2014 at 19:48

1 Answer

10

Any user in the Active Directory already has read-only access to most (if not all) of the tree. It would be helpful if you could elaborate on exactly what type of error you see. It's possible your code is not behaving in the manner that you expected.

1
  • It was invalid user and credentials. I thought I had it right. I guess I was wrong. Sorry. Thanks. Commented Feb 25, 2014 at 19:48
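
A way to tell a credential failure from a permissions problem when binding from PHP, as in the thread above (an added example, not code from the original posts). The URI, bind name, password and base DN are values the caller supplies, and the sample diagnostic string is constructed.

```php
<?php
// Added example, not from the original thread. URI, bind name, password and
// base DN passed to checkReadOnlyBind() are the caller's (assumed) values.

// AD sub-codes found after "data " in the diagnostic text of a failed bind.
const AD_BIND_SUBCODES = [
    '525' => 'user not found',
    '52e' => 'invalid credentials (wrong password or bind name format)',
    '530' => 'logon not permitted at this time',
    '531' => 'logon not permitted from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
];

function explainBindFailure(int $errno, string $diag): string
{
    if ($errno !== 49) { // 49 = invalid credentials
        return "LDAP error $errno (not a credential problem)";
    }
    if (preg_match('/data ([0-9a-f]+),/i', $diag, $m)) {
        $code = strtolower($m[1]);
        return AD_BIND_SUBCODES[$code] ?? "bind rejected, AD sub-code $code";
    }
    return 'bind rejected, no AD sub-code in diagnostic message';
}

function checkReadOnlyBind(string $uri, string $bindName, string $pw, string $baseDn): string
{
    if ($pw === '') { // an empty password turns a simple bind into an unauthenticated one
        return 'refusing to bind with an empty password';
    }
    $ds = ldap_connect($uri);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($ds, $bindName, $pw)) {
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        return explainBindFailure(ldap_errno($ds), (string) $diag);
    }
    // Bound: a failure from here on is about read permissions, not credentials.
    $res = @ldap_search($ds, $baseDn, '(objectClass=user)', ['cn'], 0, 1);
    return $res === false ? 'bound, search failed: ' . ldap_error($ds) : 'bound and able to read';
}

// Constructed sample of the diagnostic text AD returns on a failed bind.
$sample = '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1';
echo explainBindFailure(49, $sample), PHP_EOL;
```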
