-
Title
What user attributes does the QAS Active Directory Computer object need to read? Users cannot login to system. -
Description
What user attributes does the QAS Active Directory Computer object need to read?
Is there a list of Active Directory user account attributes the QAS AD computer objects needs to read, if the default Microsoft "Authenticated User" permissions have been remove or hardened.
What attributes does QAS need to read when AD is locked down/hardened and the default Microsoft permissions have been removed.Users cannot authenticate after setup.
What AD permissions are needed on the computer object.
-
Cause
Default "Authenticated User" Microsoft permissions have been changed -
Resolution
Authentication Services, in addition to authenticating users, also provides that user’s identity to the host
Below is a list of user attributes the QAS Computer Object must be able to read:accountExpiresbadPasswordTimebadPwdCountcndescriptiondisplayNamedistinguishedNamegecos (*)gidNumber (*)lockoutTimeloginShell (*)logonHoursmemberOfmsDS-KeyVersionNumbermsDS-User-Account-Control-Computed*msDS-resultantPSO*nameobjectCategoryobjectClassobjectGuidobjectSidprimaryGroupIDpwdLastSetsAMAccountName (*)servicePrincipalNamesidHistorytokenGroupsuidNumber (*)unixHomeDirectory (*)userAccountControluserPrincipalNameuserWorkstationsuSNChangeduSNCreated* - These are the default Windows 2003 R2 schema attributes which are configurable through the Authentication Services Control Center.
These permissions can be tested by running the below command against a QAS AD user - all non-null attributes must be returned for QAS to function.
# /opt/quest/bin/vastool -u host/ attrs userName