How to know if an Active Directory user can log in interactively

I would like to know if and how it is possible to know if an AD user can log in interactively (on a server) in a domain.

I need to know if I can find it out using an LDAP search.

Thanks.










Tags: windows active-directory login user-permissions user-profile






edited 1 hour ago by yagmoth555

asked 1 hour ago by Luigi

3 Answers
Strictly through LDAP? No, this is not possible. Group Policy settings on the server can control if an account can log in, and those policies are not accessible via LDAP.

answered 1 hour ago by longneck

This is not an LDAP search - well - not directly - and there are various settings that come into play.

This setting is controlled either by a GPO or the local security policy.

See LOCAL SECURITY POLICY => Local Policies

This also comes into play:
https://msdn.microsoft.com/en-us/library/gg604699.aspx

Users can perform an interactive logon by using a local user account for local logon or a domain account for domain logon. The interactive logon process confirms the user's identification by using the security account database on the user's local computer or by using the domain's directory service. This mandatory logon process cannot be turned off for users in a domain.

If you explain further what exactly you want to find out, there might be another way to determine who can and can't do it...

Regards
Florian

answered 1 hour ago by Florian Rossmark

An LDAP search is not enough, because the ability to perform an interactive logon is controlled by the security policy in the destination computer.

The policy itself ("Allow Interactive Logon") can be managed by Group Policies in the domain (which you can check using RSOP, but not using LDAP), but it can also be manually configured on any given computer; also, the rights to perform an interactive logon can be assigned to users or groups, which further complicates things.

In short, there are multiple settings involved to define who is allowed to log on where; there is no quick, easy and general way to answer your question; even RSOP can only help a little here, because it can only check domain policies, not local ones.

answered 1 hour ago by Massimo
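
The per-computer check the answers point to can be done against a security-policy export taken on the target server. The following is an added example, not code from any of the answers: it parses the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` file and tests a set of token SIDs against `SeInteractiveLogonRight` and `SeDenyInteractiveLogonRight`. The function names, the sample export and the domain SIDs are constructed for illustration.

```powershell
# On the target server (elevated), the real input would come from:
#   secedit /export /areas USER_RIGHTS /cfg C:\Temp\rights.inf
#   $inf = Get-Content -Raw C:\Temp\rights.inf
# Constructed sample of such an export (domain SIDs are made up):
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-1110
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
'@

# Return the principals assigned to one user right, without the leading '*'.
# Entries that are not SIDs (plain account names) are returned unchanged and
# would have to be resolved to SIDs before comparing.
function Get-UserRight {
    param([string]$InfText, [string]$Right)
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in ($InfText -split '\r?\n')) {
        if ($line -match $pattern) {
            return @($Matches[1] -split ',' |
                     ForEach-Object { $_.Trim().TrimStart('*') } |
                     Where-Object { $_ })
        }
    }
    return @()
}

# Evaluate the allow and deny rights for one logon token.
# $TokenSids must hold the user's SID and the SID of every group in the
# token, including groups local to the server (for example BUILTIN\Users,
# S-1-5-32-545), which an LDAP search against the domain does not return.
function Test-InteractiveLogonRight {
    param([string]$InfText, [string[]]$TokenSids)
    $allow = @(Get-UserRight -InfText $InfText -Right 'SeInteractiveLogonRight')
    $deny  = @(Get-UserRight -InfText $InfText -Right 'SeDenyInteractiveLogonRight')
    $allowHit = @($TokenSids | Where-Object { $allow -contains $_ })
    $denyHit  = @($TokenSids | Where-Object { $deny  -contains $_ })
    [pscustomobject]@{
        # A deny entry overrides any allow entry
        Allowed   = ($allowHit.Count -gt 0) -and ($denyHit.Count -eq 0)
        AllowedBy = $allowHit
        DeniedBy  = $denyHit
    }
}

# Constructed token: the user, one domain group that holds the right, and
# Authenticated Users.
$tokenA = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1234',
    'S-1-5-21-1111111111-2222222222-3333333333-1105',
    'S-1-5-11'
)
# Same user, additionally a member of the group listed under the deny right.
$tokenB = $tokenA + 'S-1-5-21-1111111111-2222222222-3333333333-1110'

Test-InteractiveLogonRight -InfText $sampleInf -TokenSids $tokenA
Test-InteractiveLogonRight -InfText $sampleInf -TokenSids $tokenB
```

The export has to be taken on each server of interest, since the user rights differ per computer; for the currently logged-on user, `whoami /groups` lists the token's group SIDs.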
