How to know if a Active Directory user can log in interactively

windows login active-directory user-profile user-permissions

I would like to know if and how is it possible to know if an AD user can log in interactively (on a server) in a Windows domain.

I need to know if I can find it out using an LDAP search.


Solution 1:

An LDAP search is not enough, because the ability to perform an interactive logon is controlled by the security policy in the destination computer.

The policy itself ("Allow Interactive Logon") can be managed by Group Policies in the domain (which you can check using RSOP, but not using LDAP), but it can also be manually configured on any given computer; also, the rights to perform an interactive logon can be assigned to users or groups, which further complicate things.

In short, there are multiple settings involved to define who is allowed to log on where; there is no quick, easy and general way to answer your question; even RSOP can only help a little here, because it can only check domain policies, not local ones.

Solution 2:

Strictly through LDAP? No, this is not possible. Group Policy settings on the server can control if an account can log in, and those policies are not accessible via LDAP.

Related

AD: OU for system administrator accounts
Can I delete access log files in nginx. Will it cause an issue
AWS IAM won't let my users change their passwords
Can anyone recommend a perimeter SPAM filtering service? [closed]
What is the most effective load balancing solution for Windows?
What blogs or RSS sites do you subscribe to, to keep up with current technology?
Hard drive throttling?
Preventing specific packages from getting installed in Debian
"Tell and sell" idiom
Abbreviation for "so-called"
usage of ‘indefinite article + proper name’?
Verb "telescope" in mathematical formal use