How to know if an Active Directory user can log in interactively

I would like to know if and how it is possible to know if an AD user can log in interactively (on a server) in a Windows domain.

I need to know if I can find it out using an LDAP search.


Solution 1:

An LDAP search is not enough, because the ability to perform an interactive logon is controlled by the security policy in the destination computer.

The policy itself ("Allow Interactive Logon") can be managed by Group Policies in the domain (which you can check using RSOP, but not using LDAP), but it can also be manually configured on any given computer; also, the rights to perform an interactive logon can be assigned to users or groups, which further complicates things.

In short, there are multiple settings involved to define who is allowed to log on where; there is no quick, easy and general way to answer your question; even RSOP can only help a little here, because it can only check domain policies, not local ones.
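One practical way to answer the question for a specific server, as an added example that is not part of this answer: export the server's effective local security policy (whatever GPO or manual configuration produced) with secedit, read the interactive logon user rights from it, and compare them with the account's domain and local group memberships. It assumes an elevated PowerShell 5.1 or later session on the server itself; the account name is a constructed sample value.

```powershell
# Constructed sample value: the domain account to test (DOMAIN\sam).
$Account = 'CONTOSO\jdoe'
function Resolve-Principal([string]$Entry) {
    # secedit writes "*S-1-5-32-544"; turn it into "BUILTIN\Administrators".
    if ($Entry -notlike '*S-1-*') { return $Entry }
    try { (New-Object Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))).Translate([Security.Principal.NTAccount]).Value }
    catch { $Entry }   # SID of a deleted account: keep it raw
}
function Get-LogonRightPrincipals {
    # Exports the effective local policy (GPO-applied or set by hand) and parses
    # lines like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w*LogonRight)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { Resolve-Principal $_.Trim() })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}
function Get-EffectiveIdentities([string]$Account) {
    # The account, its domain groups (recursive, incl. well-known ones) and the
    # local groups on this server containing the account or one of those groups.
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctx  = New-Object DirectoryServices.AccountManagement.PrincipalContext('Domain')
    $user = [DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, 'SamAccountName', $Account.Split('\')[-1])
    if (-not $user) { throw "Account $Account not found in the domain" }
    $ids = @($Account)
    foreach ($g in $user.GetAuthorizationGroups()) {
        try { $ids += $g.Sid.Translate([Security.Principal.NTAccount]).Value } catch {}
    }
    foreach ($lg in Get-LocalGroup) {
        $members = @(Get-LocalGroupMember -Group $lg -ErrorAction SilentlyContinue).Name
        if ($members | Where-Object { $ids -contains $_ }) { $ids += $lg.SID.Translate([Security.Principal.NTAccount]).Value }
    }
    return $ids
}

$rights  = Get-LogonRightPrincipals
$ids     = Get-EffectiveIdentities $Account
$denied  = @($ids | Where-Object { $rights['SeDenyInteractiveLogonRight'] -contains $_ })
$allowed = @($ids | Where-Object { $rights['SeInteractiveLogonRight'] -contains $_ })
# Deny always wins; no matching allow entry means no local logon on this host.
if ($denied)      { "$Account is denied interactive logon on $env:COMPUTERNAME via: $($denied -join ', ')" }
elseif ($allowed) { "$Account may log on interactively on $env:COMPUTERNAME via: $($allowed -join ', ')" }
else              { "$Account holds no interactive logon right on $env:COMPUTERNAME" }
```

The same `$rights` table also carries `SeRemoteInteractiveLogonRight` and `SeDenyRemoteInteractiveLogonRight`, so the last four lines can be repeated for Remote Desktop logons.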

Solution 2:

Strictly through LDAP? No, this is not possible. Group Policy settings on the server can control if an account can log in, and those policies are not accessible via LDAP.