The active directory query account used by InstantKB for automated windows authentication & local account creation requires read access to your configured domain controller to obtain user information. The query account is the user account that is defined via the "InstantASP_LDAPAdminUsername" and "InstantASP_LDAPAdminPassword" web.config application settings.
To grant this permission to the account, complete the following steps:
- On the corresponding domain controller in the Active Directory Users and Computers snap-in, right-click the domain name, and then click Properties on the shortcut menu.
- On the Security tab, click Add and select the account to which you wish to assign permissions. This is the query account defined via the InstantKB web.config file.
If there is no Security tab, you should select View | Advanced Features in the Active Directory Users and Computers snap-in.
- Select the account name, and then enable the Allow option for the Read permission in the Permissions box.
Click the Advanced button. In the Advanced Security Settings dialog box, select the account you specified on step 2 and click Edit.
In the Permission Entry dialog box, select This object and all child (descendant) objects from the Apply onto drop-down list. Close the dialog boxes by clicking OK.
What Permissions Are Needed By The Query Account
The query account will need read access for the following active directory attributes...
The query account does not need any Write or Update permissions. This is only ever used to Read user information from your domain controller to automatically create local accounts within the InstantKB database.