LDAP Browsing

Hi to All,
We are experiencing an account that can't browse the LDAP. What procedure can
we follow to resolve this problem? For example, a certain account only has
permissions to set up FAXmaker, but when we changed the password, after a few
days the FAXmaker services had an error, which persists until now. We copied
the account, but there is still an error on FAXmaker.
Thanks in advance,
emslan
 
Hi again. This is the scenario. When we change the password of the domain admin
xyz accounts, we experience that the xyz accounts continuously lock out. We
found that a lot of services require these xyz accounts to run. We delegated
the other services to certain abc accounts. Still, the xyz accounts are
delegated to other services, but the big question is which services, and we
can't find out. How can we achieve the goal of finding what services and other
objects in AD are delegated to the xyz domain admin accounts? Do we have to
check them one by one, or is there any other strategy for this scenario?
Thanks in Advance,
Emslan
 
EMSLAN,

Unfortunately, you are caught in a bit of a trap here. This specific
problem underscores the reason for specifically creating accounts to manage
services rather than using built-in or well-known accounts. Take this to
heart and create new accounts for services -- it is ok, however, to group
them; one account can handle all the services for BackupExec, WebSense, or
Antivirus, for example.

There are two ways I know of that can help you identify the service
accounts.
1. Tedious Method -- Manage each DC and open the Services node in the
computer manager. There is a column for Account, you should be able to see
them there. They'll stick out against all the LocalSystem accounts.
2. Sneaky Method -- Use the Service Account option of the ADMTv2. If you
have a lot of servers or computers to scan, this option will scan across
computers that you identify and generate a list for you of all the non-local
Service Accounts. You should be able to remediate from this list.

Maybe other people will have other methods, but these are the two that come
to mind.
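The scan the "sneaky method" describes, written as a PowerShell script (an added example, not from the thread or from ADMT): it queries Win32_Service on each listed computer and reports every service whose logon account is not one of the built-in local accounts, optionally narrowed to one domain account such as the xyz account. The computer names and the account name are assumptions to replace with your own.

```powershell
# Added example (not from the thread): list services running under non-local
# accounts across a set of computers, so a shared admin account such as "xyz"
# can be traced to the services that still depend on it.
param(
    [string[]]$ComputerName = @('DC1', 'DC2'),   # assumed names; replace with your DCs/servers
    [string]$Account = ''                        # e.g. 'CONTOSO\xyz'; empty = report all non-local accounts
)

# Built-in accounts that are expected on every host and not worth reporting.
$localAccounts = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE'
)

$results = foreach ($computer in $ComputerName) {
    try {
        # Win32_Service exposes StartName, the logon account of each service.
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop
    } catch {
        Write-Warning "Could not query $computer : $($_.Exception.Message)"
        continue
    }
    foreach ($svc in $services) {
        $startName = $svc.StartName
        if (-not $startName) { continue }
        # String comparisons in PowerShell are case-insensitive by default.
        if ($localAccounts -contains $startName) { continue }
        # Virtual service accounts (NT SERVICE\...) have no shared password to rotate.
        if ($startName -like 'NT SERVICE\*') { continue }
        if ($Account -and $startName -ne $Account) { continue }
        [pscustomobject]@{
            Computer  = $computer
            Service   = $svc.Name
            Display   = $svc.DisplayName
            Account   = $startName
            State     = $svc.State
            StartMode = $svc.StartMode
        }
    }
}

# One row per (computer, service); pipe to Export-Csv to keep a remediation list.
$results | Sort-Object Account, Computer, Service | Format-Table -AutoSize
```

Run it with an account that can query WMI/CIM on the target hosts; a service that shows up here with the xyz account is one that will start failing (and locking the account) after the next password change.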
 
Thanks a lot Ryan,
EMSLAN

Ryan Hanisco said:
EMSLAN,

Unfortunately, you are caught in a bit of a trap here. This specific
problem underscores the reason for specifically creating accounts to manage
services rather than using built-in or well-known accounts. Take this to
heart and create new accounts for services -- it is ok, however, to group
them; one account can handle all the services for BackupExec, WebSense, or
Antivirus, for example.

There are two ways I know of that can help you identify the service
accounts.
1. Tedious Method -- Manage each DC and open the Services node in the
computer manager. There is a column for Account, you should be able to see
them there. They'll stick out against all the LocalSystem accounts.
2. Sneaky Method -- Use the Service Account option of the ADMTv2. If you
have a lot of servers or computers to scan, this option will scan across
computers that you identify and generate a list for you of all the non-local
Service Accounts. You should be able to remediate from this list.

Maybe other people will have other methods, but these are the two that come
to mind.
 
Hi! The sneaky method is working. We have got another problem on a third-party
proxy server. If I access the AD coming from this third-party proxy server,
only one account is accepted, which is the first administrator who created
the forest. The third-party proxy is not a member server because it runs
third-party SW. We tried to copy the admin account, but it still can't
access the AD from the proxy. Is there any configuration that must be added to
AD so that domain users can be authenticated coming from this proxy server?
Thanks in Advance,
Emslan
 