
I would like to know if and how is it possible to know if an AD user can log in interactively (on a server) in a Windows domain.

I need to know if I can find it out using an LDAP search.

Peter Mortensen
Luigi
  • The answers mentioned the interactive policy; however, maybe your query is more about "not blocked, not expired and not disabled"? In that case, using a bind with the user account should help you for those kinds of AD flags. – eckes Jan 28 '19 at 21:26

3 Answers

An LDAP search is not enough, because the ability to perform an interactive logon is controlled by the security policy in the destination computer.

The policy itself ("Allow Interactive Logon") can be managed by Group Policies in the domain (which you can check using RSOP, but not using LDAP), but it can also be manually configured on any given computer; also, the right to perform an interactive logon can be assigned to users or groups, which further complicates things.

In short, there are multiple settings involved to define who is allowed to log on where; there is no quick, easy and general way to answer your question; even RSOP can only help a little here, because it can only check domain policies, not local ones.

Peter Mortensen
Massimo

Strictly through LDAP? No, this is not possible. Group Policy settings on the server can control if an account can log in, and those policies are not accessible via LDAP.

longneck

This is not an LDAP search - well - not directly - and there are various settings that come into play.

This setting is controlled either by a GPO or the local security policy.

See LOCAL SECURITY POLICY => Local Policies

Further, this comes into play (2.1.1 Interactive Logon Authentication):

Users can perform an interactive logon by using a local user account for local logon or a domain account for domain logon. The interactive logon process confirms the user's identification by using the security account database on the user's local computer or by using the domain's directory service. This mandatory logon process cannot be turned off for users in a domain.

Peter Mortensen
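As an added example (not from any of the answers or the comment above), here are the two halves the thread describes as separate: the directory-side account state that an LDAP search or bind can reveal (userAccountControl bits, accountExpires), and the server-side "Allow log on locally" user right that only the target computer's effective policy (for example a `secedit /export /cfg` file) can answer. The secedit text and the domain SID are constructed sample data; the builtin SIDs are the real well-known ones.

```python
import configparser
from datetime import datetime, timezone

# userAccountControl bits (LDAP attribute); values are the documented Windows SDK constants.
ACCOUNTDISABLE, LOCKOUT, PASSWORD_EXPIRED = 0x0002, 0x0010, 0x800000
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}   # accountExpires values meaning "never"
FILETIME_UNIX_OFFSET = 116444736000000000  # 100-ns ticks between 1601-01-01 and 1970-01-01

# Constructed sample of a 'secedit /export /cfg' file taken on the target server
# (S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users; the domain SID is made up).
SAMPLE_SECEDIT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = *S-1-5-21-111111111-222222222-333333333-1105
"""

def account_state_problems(uac, account_expires, now=None):
    """Directory-side checks: what an LDAP search (or a bind attempt) can tell you."""
    now = now or datetime.now(timezone.utc)
    problems = [name for bit, name in ((ACCOUNTDISABLE, "disabled"), (LOCKOUT, "locked out"),
                                       (PASSWORD_EXPIRED, "password expired")) if uac & bit]
    if account_expires not in NEVER_EXPIRES:  # accountExpires is a FILETIME
        expires = datetime.fromtimestamp((account_expires - FILETIME_UNIX_OFFSET) / 1e7, tz=timezone.utc)
        if expires <= now:
            problems.append("account expired")
    return problems

def logon_rights(secedit_inf):
    """Server-side checks: SIDs granted / denied the interactive logon user right."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep privilege names case-sensitive
    cp.read_string(secedit_inf)
    def sids(key):
        raw = cp.get("Privilege Rights", key, fallback="")
        return {s.strip().lstrip("*") for s in raw.split(",") if s.strip()}
    return sids("SeInteractiveLogonRight"), sids("SeDenyInteractiveLogonRight")

def can_log_on_interactively(uac, account_expires, principal_sids, secedit_inf=SAMPLE_SECEDIT):
    """Combine both halves; principal_sids is the user's own SID plus all group SIDs (tokenGroups)."""
    problems = account_state_problems(uac, account_expires)
    allow, deny = logon_rights(secedit_inf)
    if principal_sids & deny:          # an explicit deny always wins over an allow
        problems.append("denied by SeDenyInteractiveLogonRight")
    elif not principal_sids & allow:
        problems.append("not granted SeInteractiveLogonRight")
    return problems
```

An empty result list means neither the directory nor that server's policy blocks the logon; anything else names the specific reason, which is what a help-desk or audit script needs.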