How to know if an Active Directory user can login interactively
I would like to know if and how it is possible to know if an AD user can login interactively (on a server) in a domain.
I need to know if I can find it out using an LDAP search.
Thanks.
windows active-directory login user-permissions user-profile
edited 1 hour ago by yagmoth555♦
asked 1 hour ago by Luigi
3 Answers
Strictly through LDAP? No, this is not possible. Group Policy settings on the server can control if an account can log in, and those policies are not accessible via LDAP.
answered 1 hour ago by longneck
This is not an LDAP search - well - not directly - and there are various settings that come into play.
This setting is controlled either by a GPO or the local security policy.
See LOCAL SECURITY POLICY => Local Policies
Furthermore, this comes into play:
https://msdn.microsoft.com/en-us/library/gg604699.aspx
Users can perform an interactive logon by using a local user account for local logon or a domain account for domain logon. The interactive logon process confirms the user's identification by using the security account database on the user's local computer or by using the domain's directory service. This mandatory logon process cannot be turned off for users in a domain.
If you explain further what exactly you want to find out, there might be another way to determine who can and can't do it...
Regards
Florian
answered 1 hour ago by Florian Rossmark
An LDAP search is not enough, because the ability to perform an interactive logon is controlled by the security policy on the destination computer.
The policy itself ("Allow Interactive Logon") can be managed by Group Policies in the domain (which you can check using RSOP, but not using LDAP), but it can also be manually configured on any given computer; also, the rights to perform an interactive logon can be assigned to users or groups, which further complicates things.
In short, there are multiple settings involved to define who is allowed to log on where; there is no quick, easy and general way to answer your question; even RSOP can only help a little here, because it can only check domain policies, not local ones.
answered 1 hour ago by Massimo
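The answers above place the decision in the user rights on the destination computer. As an added example (not from any of the answers), this Python code reads the text that `secedit /export /cfg <file> /areas USER_RIGHTS` produces on that computer and checks a user's SIDs against the two interactive-logon rights. Assumptions: the function names are hypothetical, the sample export and its SIDs are constructed, and the caller supplies the user's full SID set as seen on that computer (own SID, domain groups, local groups), which an LDAP search alone cannot provide.

```python
# Added example: evaluate the interactive-logon user rights in a secedit export.
ALLOW = "SeInteractiveLogonRight"      # "Allow log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally"

# Constructed sample export; every domain SID below is made up for illustration.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1201,Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_rights(export_text):
    """Map each right in [Privilege Rights] to (SIDs, unresolved account names)."""
    rights, in_section = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            right, _, value = line.partition("=")
            entries = [e.strip() for e in value.split(",") if e.strip()]
            sids = {e[1:].upper() for e in entries if e.startswith("*")}
            names = {e for e in entries if not e.startswith("*")}
            rights[right.strip()] = (sids, names)
    return rights


def can_log_on_locally(export_text, token_sids):
    """Return (allowed, reason, unresolved_names) for one user on one computer."""
    rights = parse_rights(export_text)
    allow_sids, allow_names = rights.get(ALLOW, (set(), set()))
    deny_sids, deny_names = rights.get(DENY, (set(), set()))
    token = {sid.upper() for sid in token_sids}
    unresolved = sorted(allow_names | deny_names)  # names need a manual check
    if token & deny_sids:          # the deny right overrides the allow right
        return False, "denied by " + DENY, unresolved
    if token & allow_sids:
        return True, "granted by " + ALLOW, unresolved
    return False, "no SID in the token holds " + ALLOW, unresolved


if __name__ == "__main__":
    print(can_log_on_locally(SAMPLE_EXPORT, {"S-1-5-21-1111-2222-3333-1105"}))
```

secedit writes the export as UTF-16, so open a real file with `encoding="utf-16"` before passing its text in.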