Any authorised (after an LDAP bind operation) Active Directory domain user can by default search for other users in the domain. It is suitable for your task.
I'm talking about the possibility of an authorised search under any domain user. Nevertheless, I have more than once come across badly written applications (including enterprise ones); such applications have to be dealt with individually.
We should also highlight applications such as Samba (or those containing Samba): they need domain administrator credentials only to perform the domain join operation; these credentials are not stored and are used only once.
Unfortunately you cannot restrict the hosts to which a domain user can perform an LDAP bind. But with a domain policy you can prohibit interactive logon by such users on Windows computers in the domain:
- Add these users to some group, for example 'Service Accounts'
- Go to GPO: Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment
- Add the 'Service Accounts' security group to "Deny log on locally" and "Deny log on through Terminal Services"
- Apply the created GPO to all domain member Windows hosts where you want to deny logon.
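As an added example (not part of the answer above), here is a small audit script that verifies the GPO actually carries the two deny rights the answer describes. User Rights Assignment settings are stored in the GPO's security template `GptTmpl.inf` under SYSVOL, in the `[Privilege Rights]` section, where "Deny log on locally" is `SeDenyInteractiveLogonRight` and "Deny log on through Terminal Services" is `SeDenyRemoteInteractiveLogonRight`, each listing principals as `*SID`. The template text and the 'Service Accounts' group SID below are constructed placeholders; in practice you would read the file from `\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` and obtain the group SID with `Get-ADGroup`.

```python
# Audit helper: confirm a GPO security template denies local and RDP logon to a group.
# GptTmpl.inf on disk is usually UTF-16; read it with open(path, encoding="utf-16").

# Constructed sample of a GptTmpl.inf (placeholder domain SID, not from any real domain).
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-32-546
"""

# Constructed sample where an admin only set "Deny log on locally" and forgot RDP.
INCOMPLETE_GPTTMPL = """[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
"""

# Placeholder SID for the 'Service Accounts' group (assumption, not a real value).
SERVICE_ACCOUNTS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# Privilege names behind the two GPO settings named in the answer.
REQUIRED_DENY_RIGHTS = (
    "SeDenyInteractiveLogonRight",        # "Deny log on locally"
    "SeDenyRemoteInteractiveLogonRight",  # "Deny log on through Terminal Services"
)


def parse_privilege_rights(template_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section.

    Principals appear as *SID (or occasionally a bare name); the leading '*'
    is stripped so callers can compare plain SID strings.
    """
    rights = {}
    in_section = False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights


def check_logon_denied(template_text, group_sid):
    """Return the required deny rights that do NOT list group_sid.

    An empty list means the group is denied both local and RDP logon,
    which is the state the answer's GPO steps aim for.
    """
    rights = parse_privilege_rights(template_text)
    return [r for r in REQUIRED_DENY_RIGHTS if group_sid not in rights.get(r, [])]


if __name__ == "__main__":
    for label, text in (("complete", SAMPLE_GPTTMPL), ("incomplete", INCOMPLETE_GPTTMPL)):
        missing = check_logon_denied(text, SERVICE_ACCOUNTS_SID)
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{label}: {status}")
```

Running the script reports the first template as OK and flags the second for the missing `SeDenyRemoteInteractiveLogonRight`; pointing it at a real template from SYSVOL gives a quick check that the GPO was saved with both settings before it is linked.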