Security and privacy

Keith W
Company demanding domain access - connect as

A company has created a Moodle server for us and will manage it. They asked us to create a user that it would connect to LDAP with. They have demanded that this user be given a domain admin account, as it has to write an ID number to the Office field of an AD user's account.

We do not feel at all happy doing this!!

Using Active Directory delegation or ADSIEDIT we have tried giving this user read access to all user information and write access to the physicalDeliveryOfficeName field. Unfortunately this hasn't worked as we thought it would. The company still says this is not enough access.

Would anyone know the minimum required AD read/write access to let this user populate the Office field?

Also, are there any major security implications in using a domain admin account?

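The delegation the original post describes (read on user objects, write on physicalDeliveryOfficeName only), as an added PowerShell example that is not part of the thread. The service account name CONTOSO\svc-moodle-ldap, the OU OU=Staff,DC=contoso,DC=com and the test user jdoe are assumptions; the schemaIDGUIDs are read from the forest's own schema rather than hard-coded. It must be run by an account allowed to modify the OU's security descriptor.

```powershell
# Added example (not from the thread): delegate only what the Moodle bind account
# needs on one OU instead of adding it to Domain Admins.
# Assumptions: CONTOSO\svc-moodle-ldap, OU=Staff,DC=contoso,DC=com, test user jdoe.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-moodle-ldap'     # assumed bind account used by Moodle
$TargetOU       = 'OU=Staff,DC=contoso,DC=com'   # assumed OU that holds the Moodle users
$AttributeName  = 'physicalDeliveryOfficeName'   # LDAP name of the "Office" field

# Resolve schemaIDGUIDs from this forest's schema instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}
$attrGuid      = Get-SchemaGuid $AttributeName
$userClassGuid = Get-SchemaGuid 'user'

$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -Path "AD:\$TargetOU"

# ACE 1: WriteProperty on exactly one attribute, inherited only by descendant user objects.
$writeOffice = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

# ACE 2: ReadProperty on all attributes of descendant user objects. Authenticated Users
# normally already have this by default; making it explicit covers hardened domains.
$readUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [guid]::Empty,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl.AddAccessRule($writeOffice)
$acl.AddAccessRule($readUsers)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Check 1: list the ACEs on the OU that now name the service account.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -eq $ServiceAccount } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize

# Check 2: the account must not sit in Domain Admins or any other privileged group.
Get-ADPrincipalGroupMembership -Identity ($ServiceAccount.Split('\')[1]) |
    Select-Object -ExpandProperty Name

# Check 3: write the Office field as the service account itself. Writing any other
# attribute with the same credential should fail with "Insufficient access rights".
$cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
Set-ADUser -Identity 'jdoe' -Office '12345' -Credential $cred   # jdoe is an assumed test user
```

Two caveats when testing a delegation like this: users who are members of protected groups (Domain Admins, Account Operators and so on) have their ACLs reset from AdminSDHolder on a schedule, so the delegated ACE will not take effect on them; and a failed test from the third party's side can come from something other than missing rights, for instance the bind account searching outside the OU where the ACE was applied.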
Russell Waldron
Re: Company demanding domain access - connect as

Keith, the minimum permission needed to write in that field in YOUR AD is domain admin. [MSDN]

Yes, actions with domain admin accounts must be risk-managed.

That field is normally fairly static information for humans. It sounds like you are harvesting manually updated data from Moodle and putting it into AD. Is it acceptable to update that field daily, instead of instantly? Can the company supply a daily text file of changed ID data? Would you be prepared to schedule a PowerShell script nightly to insert that into your AD? Would you be any more reliable/trustworthy than the Company?


Good luck


Russell

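The nightly alternative suggested in the reply above (the company supplies a file of changed IDs and an in-house script writes them into AD), as an added PowerShell example that is not part of the thread. The file path, its column names, the OU and the log path are assumptions; the script validates every row before it builds an LDAP filter from it, only touches users under the delegated OU, and only writes when the value actually differs.

```powershell
# Added example (not from the thread): import (sAMAccountName, OfficeId) pairs
# from a company-supplied CSV into the Office attribute, nothing else.
# Assumptions: C:\Moodle\office-ids.csv with columns sAMAccountName,OfficeId;
# users under OU=Staff,DC=contoso,DC=com; log at C:\Moodle\office-ids.log.
Import-Module ActiveDirectory

$CsvPath  = 'C:\Moodle\office-ids.csv'        # assumed input file
$TargetOU = 'OU=Staff,DC=contoso,DC=com'      # assumed OU the writer is delegated on
$LogPath  = 'C:\Moodle\office-ids.log'        # assumed log file

function Write-Log([string]$Message) {
    Add-Content -Path $LogPath -Value "$(Get-Date -Format s) $Message"
}

$rows = Import-Csv -Path $CsvPath
foreach ($row in $rows) {
    # Validate before the values reach the directory. The account name pattern also
    # stops a malformed row from being spliced into the -Filter string below.
    if ($row.sAMAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$' -or $row.OfficeId -notmatch '^\d{1,10}$') {
        Write-Log "REJECT malformed row: $($row | ConvertTo-Json -Compress)"
        continue
    }

    # Restrict the lookup to the delegated OU; a user elsewhere is reported, not written.
    $user = Get-ADUser -Filter "sAMAccountName -eq '$($row.sAMAccountName)'" `
                       -SearchBase $TargetOU -Properties physicalDeliveryOfficeName
    if (-not $user) {
        Write-Log "SKIP $($row.sAMAccountName): not found under $TargetOU"
        continue
    }

    if ($user.physicalDeliveryOfficeName -eq $row.OfficeId) { continue }   # already correct

    Set-ADUser -Identity $user -Office $row.OfficeId
    Write-Log "SET $($row.sAMAccountName): '$($user.physicalDeliveryOfficeName)' -> '$($row.OfficeId)'"
}
```

Schedule it with Task Scheduler to run as the delegated service account (the one given write on physicalDeliveryOfficeName only), not as a domain admin, and keep the CSV drop location writable by the company's transfer account and readable by nothing else; the log then gives an audit trail of every change the file caused.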